Help Setting Up Shares with Proper Permission

Our corporate fax machine is set to not print out the faxes but create a PDF of the incoming fax and place it into a directory on our file server.  Our receptionist is responsible for monitoring this folder and distributing the faxes to the appropriate people.

I am in the process of setting up a new file server running Server 2012 R2.  My folder structure is as follows:

- Departments
     - Reception
          - Faxes
               - HQ Incoming
                    - Distributed
     - IT
     - Etc.

I currently have a "Receptionist" group.  This group is used as a role group and contains the user Emily as the member of the group.  I then have another group titled "ACL_Reception_Edit" that is used as a rule group.  The member of this group is the "Receptionist" role group.  The "ACL_Reception_Edit" group is then given modify permissions on the "Reception" share.  This then allows Emily to read and write to the "Reception" share as she should be able to.  This follows the Role-Based Management philosophy and is working as intended.

As a recap...incoming faxes are automatically saved as PDFs in the "HQ Incoming" directory.  When Emily sees a new fax in this folder, she emails the PDF to the appropriate person and then moves the file into the "Distributed" folder.

The problem lies in the fact that when Emily is not at work then Mary is responsible for monitoring the incoming fax folder and distributing the files appropriately.  However, Mary is not a receptionist and should not have access to any of the other folders and files within the "Reception" directory besides the "Faxes" folder and any subfolders under that directory.

Is it possible to have Mary go into the "Reception" folder and see no files or folders besides the "Faxes" directory?  If so then what permissions need to be set for this to happen?
Asked by csimmons1324, IT Manager

Justin Owens, ITIL Problem Manager, commented:
Two options:

1) Give Mary specific access to Reception and its sub-folders.
2) Create a new group in which the backups reside and give that group the necessary permissions.

Whichever way you go, the chosen solution will need list, read, and change rights at minimum.

Lee W, MVP, Technology and Business Process Advisor, commented:
The SHARE permissions I would set to EVERYONE:FULL CONTROL - or DOMAIN USERS:FULL CONTROL.  Because share permissions only apply to the share entry point.  NTFS Permissions can be granularly applied.

But in your example, I would NOT put Faxes under reception.  Create a separate shared location for them and a group - Fax Administrators - and put both users in that group and give the group necessary control.  Create a shortcut to that shared location in the reception folder if you want, but IN GENERAL, you DO NOT want to modify permissions within a share - when you do, things start getting messy.  In most cases another shared point for that makes sense.

If you INSISTED on keeping that file structure, then share out Faxes separately.

- Departments
     - Reception [Shared]
          - Faxes [Shared]
               - HQ Incoming
                    - Distributed
     - IT [Shared]
     - Etc. [Shared]

csimmons1324, IT Manager, Author, commented:
Lee,

Just to clarify, your advice is to not have nested shares (a share inside a share), correct?  If so, then this opens up another can of worms for me.  Here is another example of my current file structure:

- Departments
     - Production
          - Plant 1
          - Plant 2
          - Plant 3
          - Plant 4
          - Plant 5
     - Quality Control
          - Plant 1
          - Plant 2
          - Plant 3
          - Plant 4
          - Plant 5
     - Marketing
     - Engineering

We are a fairly small business (about 50 employees) but have multiple buildings that manufacture different products in each.  Some of the buildings have their own manufacturing manager but we do have one head manager that oversees multiple plants.  Obviously, being a small business most of our people wear multiple hats and perform tasks within different departments.

I setup the structure as noted above so that it would be easy for users to navigate.  My goal was to simply map the Departments folder to a drive letter for all users.  The user could then go into that mapped drive and then view / navigate the departmental folders that they have access to.  IMO, from a hierarchy standpoint this was easier for the user rather than having a lot of mapped shares.  

Another scenario that I am facing is similar to the Incoming Fax situation.  Our Marketing Department creates all of our literature.  This literature is saved as PDFs in a subdirectory of the Marketing folder.  A lot of different people need access to this literature (sales team, receptionist, marketing, etc.).  If I do not do nested shares then this folder would need to be pulled out of the marketing folder and be its own root share.  The same goes for our Engineering Drawings and many other file directories.

Tim Edwards, IT Team Lead - Unified Communications & Collaboration, commented:
Yes, it is possible for Mary to see only the Reception folder and only the fax share. You will want to enable Access-based Enumeration; this hides everything except for what you have rights to. From here you will want to use NTFS permissions. I would create a new group for Mary, give it List Only permissions on the top level of the Receptionist folder, then on the Fax folder give that group modify permissions...

csimmons1324, IT Manager, Author, commented:
I may not be able to achieve what I was hoping for.  Tim, I did enable access based enumeration when setting up the Reception share.  I already had Mary in her own group, Fax Admins, as well.  On the Reception share, I gave the Fax Admins group List Folder Contents permissions.  This allowed Mary to go into the Reception share and see the Fax folder and drill down into it where she then had additional permissions to modify.

The "problem" is that our receptionist, Emily, will be creating folders and files within the Reception folder.  As soon as Emily creates a folder or file in the Reception folder then Mary has access to opening those folders and reading the files created by Emily.

Tim Edwards, IT Team Lead - Unified Communications & Collaboration, commented:
If Mary only needs modify rights on HQ Incoming and Distributed, why not give her group list rights to the fax folder and then modify rights only on those two folders? This will allow Emily to continue to create folders under the fax folder without Mary having access to them.

csimmons1324, IT Manager, Author, commented:
Tim, maybe I am missing something here.  

The Reception share has the following two groups:

- ACL_Reception_Edit (which has the basic modify permissions)
- ACL_Fax Admins (which has the basic Read & Execute, List Folder Contents and Read permissions)

Emily is a member of ACL_Reception_Edit and Mary is a member of ACL_Fax Admins.  If I go into the advanced permissions for the ACL_Fax_Admins group and only select Traverse folder and List folder then Mary is unable to see the Reception folder.

If I leave the permissions as originally stated then Mary can see the Reception folder and navigate through it.  She can also see any folders that Emily created and open any files.  While she is unable to save or create any files / folders in the Reception folder, I would prefer her to not see anything other than the Faxes folder.

Tim Edwards, IT Team Lead - Unified Communications & Collaboration, commented:
Sorry, what I was stating is: create a new group following your standard, ACL_ReceptionCover_Edit, add Mary to that group, then give that group list permission on the Reception folder, and then modify permissions on the Faxes share.

When the user logs off and back on, they now should be able to see the Reception folder. When traversing the folder she should not see the Faxes folder and be able to edit anything inside there. So if I understand your workflow, she will not be able to view the HQ-Incoming folder, email the PDF fax copy to the correct recipient, then move the file over to the Distributed folder.
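
The layout discussed in this thread (access-based enumeration on the share, a list/read entry on Reception, Modify on Faxes), written out as an added PowerShell example that is not part of any poster's answer. The domain name, local path and share name are assumptions, the group name is the one suggested above, and the example adds one detail the thread does not state: the Reception entry is scoped to "This folder only" so it is not inherited by folders created later.

```powershell
# Assumed values (not from the thread): domain, local path and share name.
$Domain     = 'CORP'
$ShareName  = 'Reception'
$Reception  = 'D:\Shares\Departments\Reception'
$Faxes      = Join-Path $Reception 'Faxes'
$CoverGroup = "$Domain\ACL_ReceptionCover_Edit"   # group name suggested in the thread

# Adds one Allow entry to a folder's NTFS ACL with explicit inheritance flags.
function Add-FolderRule {
    param(
        [string]$Path,
        [string]$Identity,
        [string]$Rights,
        [string]$Inherit
    )
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
                -ArgumentList $Identity, $Rights, $Inherit, 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Access-based enumeration on the share: users only see entries they can read.
Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force

# 2. Reception: read/list on THIS FOLDER ONLY (InheritanceFlags = None), so the
#    entry does not flow down to folders and files created in Reception later.
Add-FolderRule -Path $Reception -Identity $CoverGroup `
               -Rights 'ReadAndExecute' -Inherit 'None'

# 3. Faxes: Modify, inherited by subfolders and files (HQ Incoming, Distributed).
Add-FolderRule -Path $Faxes -Identity $CoverGroup `
               -Rights 'Modify' -Inherit 'ContainerInherit, ObjectInherit'

# 4. Review the resulting entries for the cover group on both folders.
foreach ($path in $Reception, $Faxes) {
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $CoverGroup } |
        Select-Object @{ n = 'Path'; e = { $path } }, FileSystemRights,
                      InheritanceFlags, IsInherited |
        Format-Table -AutoSize
}
```

Any other inheritable Allow entry on Reception that reaches the same user through a second group still applies to newly created folders, so it has to be removed for this layout to hide them.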