Issue with Windows folder permissions

I'm having an issue with giving a user access to a particular folder on one of our servers.

Server is Windows 2008 R2 and has a folder off the root which is shared as 'Level1'

Under this folder are several levels of subfolder -  \\server\level1\level2\level3

The 'level1' share is only accessible to one group (accounts) - no-one else has access to 'level1' or anything under it

I now want to allow another user (not a member of accounts) access to only the 'level3' folder. I go into the Security properties of this folder, and add the user, giving them "full control" permissions.

When the user types '\\server\level1\level2\level3' into Windows Explorer, the contents of the folder are shown (as I would expect). However, the folder is Read Only - i.e. he cannot Add, Delete, Copy etc. any files within this folder.

I've checked 'Effective Permissions' and it shows him as having full rights.

It's not a propagation issue - I've made various 'test' changes which are reflected pretty much straight away.

I've tried removing inheritance from this folder, copying the existing inheritance settings and adding the user again - same result

I've confirmed that the administrator account is the Owner of everything from 'Level1' down

If I go into the 'Sharing' properties of the 'Level3' folder, and click on 'Share' under 'Network File and Folder Sharing', it shows that the user has 'Read/Write' access.

Any idea as to why this isn't working?
Asked by: Michael986

Korbus Commented:
Hmm,  it sounds like you have not granted the user write access to the SHARE permission.  I think you will need to do this for the user to be able to have REMOTE write access.

You could also create a new SHARE, directly on the folder you want the user to have access to, and grant permission there.

Keep in mind, the share that you access the folder through, will "filter" permissions (granting no more than is authorized by BOTH the share and NTFS).
Michael986 (Author) Commented:
Could you expand on that? The user has full rights on the 'level3' folder (and the 'share' on that folder). What do I need to do that I haven't done already?

And what do you mean by 'REMOTE write access'?
Mike Sun, Senior Systems Engineer (IBM - retired), Commented:
It is the combination of "Share" permissions and "NTFS" permissions that gives you "effective" permissions, which will be the more restrictive of the two.

Korbus Commented:
REMOTE access: simply means accessing those files when NOT on the machine they are stored on.  (over the network)  I'm sure if you logon to windows on your file-server, with that user, there will be no problem read/writing to that folder.

Each server can have multiple SHARES. If you access your level 3 folder via:
\\server\level1\level2\level3
then you are NOT using the level 3 SHARE, but rather the level 1 share (and using THOSE permissions defined for the level 1 share)

I was suggesting you create a NEW share, on the level 3 folder called say.. LEV3
This share would be accessed by \\server\LEV3 (and using the defined permissions for the level 3 share)

granting no more than is authorized by BOTH the share and NTFS:
As an example, if only ONE of those grants read or write access, you WON'T get read or write access - you need BOTH share permission and NTFS to have read-write access for the user to be able to read-write to the folder remotely.

>>The user has full rights on the 'level3' folder (and the 'share' on that folder)
I'm not clear on what you mean by "the 'share' on that folder".  Are you accessing that folder VIA the "share on that folder"?  If not, then those share permissions don't matter.  A single share cannot have different permissions for different sub-folders, THAT is up to NTFS (or additional shares).
Michael986 (Author) Commented:
I understand that I could create a new share specifically for 'Level3', but I would like to understand why it doesn't work with the current setup.

>>I'm not clear on what you mean by "the 'share' on that folder".  

I'm on the server itself (may or may not be relevant), and use Windows Explorer to browse to the 'level3' folder, right click on it and select 'Properties', then select the 'Sharing' tab.

'Level3' has not been specifically shared (only 'Level1'), but under 'Network File and Folder Sharing' it is showing as 'Shared', and clicking on the 'Share' button it shows the user as having Read/Write access

If I do the same thing for 'Level1', there is no mention of the user (which is to be expected) - therefore this suggests that 'Level3' is not (or at least should not be) using the same share criteria as 'Level1'

And if I go into the security tab for 'level3' it shows that the user has "Full Control"

So I'm still unsure why the user can access the folder (i.e. they have permissions to do that) but that the folder is Read Only (which isn't specified anywhere - the only rights for this user are "Full Control" and 'Read/Write')
Korbus Commented:
>>So I'm still unsure why the user can access the folder (ie they have permissions to do that) but that the folder is Read Only (which isn't specified anywhere - the only rights for this user are "Full Control" and 'Read/Write')

Because you have not granted the user that permission on the share being USED (Level1) to write to the folder.

The share permissions that you see when you look at the properties of level3 show the permissions you WOULD have if you DID create a share, but are otherwise meaningless.  Share permissions don't actually get inherited by sub folders, like NTFS does.  Rather, it grants AND limits access to ANY files accessed through the share, as defined by the share permissions.

So, without creating a new share, you will need to grant the user write-permission in the Level1 share.
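
The rule described in the answers above, as an added example that is not part of the original thread: a small Python model in which remote access is the lower of what the share named in the UNC path grants and what NTFS grants on the target folder. The user names, the LEV3 share ACL and the Everyone: Read entry on the Level1 share are constructed assumptions chosen to match the read-only symptom.

```python
# Added example: constructed model, not output from a real server.
LEVELS = ["none", "read", "change", "full"]   # share permission levels, weakest first

# Constructed principals: "newuser" is the user from the thread, outside 'accounts'.
GROUPS = {"newuser": {"Everyone"}, "alice": {"Everyone", "accounts"}}

# share name -> (local folder, share ACL). Assumption: Level1's share ACL gives
# Everyone Read, which matches the read-only symptom; LEV3 is the proposed new share.
SHARES = {
    "level1": (r"c:\level1", {"accounts": "full", "Everyone": "read"}),
    "lev3": (r"c:\level1\level2\level3", {"newuser": "full"}),
}

# NTFS ACLs per folder, reduced to the same three levels for comparison.
NTFS = {r"c:\level1\level2\level3": {"accounts": "full", "newuser": "full"}}


def granted(acl, user):
    """Highest level the allow entries give the user, directly or via a group."""
    principals = {user} | GROUPS.get(user, set())
    return max((LEVELS.index(l) for who, l in acl.items() if who in principals), default=0)


def local_access(folder, user):
    """Logged on at the server: only the NTFS ACL is evaluated."""
    return LEVELS[granted(NTFS.get(folder.lower(), {}), user)]


def remote_access(unc, user):
    """Over the network: the share named in the UNC path filters the NTFS result."""
    _server, share, *rest = unc.strip("\\").split("\\")
    root, share_acl = SHARES[share.lower()]
    folder = "\\".join([root, *rest]).lower()
    ntfs = granted(NTFS.get(folder, {}), user)
    return LEVELS[min(granted(share_acl, user), ntfs)]


if __name__ == "__main__":
    for path in (r"\\server\level1\level2\level3", r"\\server\LEV3"):
        print(path, "->", remote_access(path, "newuser"))
    print("local ->", local_access(r"C:\Level1\level2\level3", "newuser"))
```

The model covers allow entries only; Deny entries and the finer-grained NTFS rights are left out.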
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.