Solved

Help Setting Up Shares with Proper Permission

Posted on 2014-08-05
Last Modified: 2014-08-27
Our corporate fax machine is set to not print out the faxes but create a PDF of the incoming fax and place it into a directory on our file server.  Our receptionist is responsible for monitoring this folder and distributing the faxes to the appropriate people.

I am in the process of setting up a new file server running Server 2012 R2.  My folder structure is as follows:

- Departments
     - Reception
          - Faxes
               - HQ Incoming
                    - Distributed
     - IT
     - Etc.

I currently have a "Receptionist" group.  This group is used as a role group and contains the user Emily as the member of the group.  I then have another group titled "ACL_Reception_Edit" that is used as a rule group.  The member of this group is the "Receptionist" role group.  The "ACL_Reception_Edit" group is then given modify permissions on the "Reception" share.  This then allows Emily to read and write to the "Reception" share as she should be able to.  This follows the Role-Based Management philosophy and is working as intended.

As a recap...incoming faxes are automatically saved as PDFs in the "HQ Incoming" directory.  When Emily sees a new fax in this folder, she emails the PDF to the appropriate person and then moves the file into the "Distributed" folder.

The problem lies in the fact that when Emily is not at work then Mary is responsible for monitoring the incoming fax folder and distributing the files appropriately.  However, Mary is not a receptionist and should not have access to any of the other folders and files within the "Reception" directory besides the "Faxes" folder and any subfolders under that directory.

Is it possible to have Mary go into the "Reception" folder and see no files or folders besides the "Faxes" directory?  If so then what permissions need to be set for this to happen?
0
Question by:csimmons1324
8 Comments
 
LVL 31

Expert Comment

by:Justin Owens
ID: 40241951
Two options:

1) Give Mary specific access to Reception and its sub-folders.
2) Create a new group in which the backups reside and give that group the necessary permissions.

Whichever way you go, the chosen solution will need list, read, and change rights at minimum.
0
 
LVL 97

Accepted Solution

by:
Lee W, MVP earned 1000 total points
ID: 40241963
The SHARE permissions I would set to EVERYONE:FULL CONTROL - or DOMAIN USERS:FULL CONTROL.  Because share permissions only apply to the share entry point.  NTFS Permissions can be granularly applied.

But in your example, I would NOT put Faxes under reception.  Create a separate shared location for them and a group - Fax Administrators - and put both users in that group and give the group necessary control.  Create a shortcut to that shared location in the reception folder if you want, but IN GENERAL, you DO NOT want to modify permissions within a share - when you do, things start getting messy.  In most cases another shared point for that makes sense.

If you INSISTED on keeping that file structure, then share out Faxes separately.

- Departments
     - Reception [Shared]
          - Faxes [Shared]
               - HQ Incoming
                    - Distributed
     - IT [Shared]
     - Etc. [Shared]
0
 

Author Comment

by:csimmons1324
ID: 40242065
Lee,

Just to clarify, your advice is to not have nested shares (a share inside a share), correct?  If so, then this opens up another can of worms for me.  Here is another example of my current file structure:

- Departments
     - Production
          - Plant 1
          - Plant 2
          - Plant 3
          - Plant 4
          - Plant 5
     - Quality Control
          - Plant 1
          - Plant 2
          - Plant 3
          - Plant 4
          - Plant 5
     - Marketing
     - Engineering

We are a fairly small business (about 50 employees) but have multiple buildings that manufacture different products in each.  Some of the buildings have their own manufacturing manager but we do have one head manager that oversees multiple plants.  Obviously, being a small business most of our people wear multiple hats and perform tasks within different departments.

I set up the structure as noted above so that it would be easy for users to navigate.  My goal was to simply map the Departments folder to a drive letter for all users.  The user could then go into that mapped drive and then view / navigate the departmental folders that they have access to.  IMO, from a hierarchy standpoint this was easier for the user rather than having a lot of mapped shares.

Another scenario that I am facing is similar to the Incoming Fax situation.  Our Marketing Department creates all of our literature.  This literature is saved as PDFs in a subdirectory of the Marketing folder.  A lot of different people need access to this literature (sales team, receptionist, marketing, etc.).  If I do not do nested shares then this folder would need to be pulled out of the marketing folder and be its own root share.  The same goes for our Engineering Drawings and many other file directories.
0

 
LVL 11

Assisted Solution

by:Tim Edwards
Tim Edwards earned 1000 total points
ID: 40242102
Yes, it is possible for Mary only to see the Reception folder and only the fax share. You will want to enable Access-based Enumeration; this hides everything except for what you have rights to. From here you will want to use NTFS permissions. I would create a new group for Mary, give it List Only permissions on the top level of the Receptionist folder, then on the Fax folder give that group modify permissions...
0
 

Author Comment

by:csimmons1324
ID: 40242134
I may not be able to achieve what I was hoping for.  Tim, I did enable access based enumeration when setting up the Reception share.  I already had Mary in her own group, Fax Admins, as well.  On the Reception share, I gave the Fax Admins group List Folder Contents permissions.  This allowed Mary to go into the Reception share and see the Fax folder and drill down into it where she then had additional permissions to modify.

The "problem" is that our receptionist, Emily, will be creating folders and files within the Reception folder.  As soon as Emily creates a folder or file in the Reception folder then Mary has access to opening those folders and reading the files created by Emily.
0
 
LVL 11

Expert Comment

by:Tim Edwards
ID: 40242149
If Mary only needs modify rights on HQ Incoming and Distributed, why not give her group list rights to the fax folder and then modify rights only on those two folders? This will allow Emily to continue to create folders under the fax folder without Mary having access to them.
0
 

Author Comment

by:csimmons1324
ID: 40242193
Tim, maybe I am missing something here.  

The Reception share has the following two groups:

- ACL_Reception_Edit (which has the basic modify permissions)
- ACL_Fax Admins (which has the basic Read & Execute, List Folder Contents and Read permissions)

Emily is a member of ACL_Reception_Edit and Mary is a member of ACL_Fax Admins.  If I go into the advanced permissions for the ACL_Fax_Admins group and only select Traverse folder and List folder then Mary is unable to see the Reception folder.

If I leave the permissions as originally stated then Mary can see the Reception folder and navigate through it.  She can also see any folders that Emily created and open any files.  While she is unable to save or create any files / folders in the Reception folder, I would prefer her to not see anything other than the Faxes folder.
0
 
LVL 11

Expert Comment

by:Tim Edwards
ID: 40242341
Sorry, what I was stating is: create a new group following your standard, ACL_ReceptionCover_Edit, add Mary to that group, then give that group list permission on the Reception folder, and then modify permissions on the Faxes share.

When the user logs off and back on, they now should be able to see the Reception folder. When traversing the folder she should not see the Faxes folder and be able to edit anything inside there. So if I understand your workflow, she will not be able to view the HQ-Incoming folder, email the PDF fax copy to the correct recipient, then move the file over to the Distributed folder.
0
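
The layout discussed in this thread (access-based enumeration on the share, list rights on the Reception folder itself only, Modify on Faxes), sketched in PowerShell as an added example that was not posted by anyone in the thread. The local path, share name and domain are assumed placeholders; the group name is the one suggested in the last comment.

```powershell
# Added example. Path, share name and domain are placeholders, not values from the thread.
$Reception = 'D:\Shares\Departments\Reception'   # assumed local path behind the share
$Faxes     = Join-Path $Reception 'Faxes'
$Cover     = 'EXAMPLE\ACL_ReceptionCover_Edit'   # group from the thread; domain assumed

# 1. Access-based enumeration: entries the caller cannot read are hidden from listings.
Set-SmbShare -Name 'Reception' -FolderEnumerationMode AccessBased -Force

# 2. Reception: read/list on this folder only. InheritanceFlags 'None' keeps the ACE
#    off existing and future children, so items Emily creates do not pick it up.
$acl = Get-Acl -Path $Reception
$listOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Cover, 'ReadAndExecute', 'None', 'None', 'Allow')
$acl.AddAccessRule($listOnly)
Set-Acl -Path $Reception -AclObject $acl

# 3. Faxes: Modify, inherited by subfolders (HQ Incoming, Distributed) and their files.
$acl = Get-Acl -Path $Faxes
$modify = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Cover, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($modify)
Set-Acl -Path $Faxes -AclObject $acl

# 4. Check: list any item under Reception, outside Faxes, that still carries an ACE
#    for the cover group. An empty result is the expected outcome.
Get-ChildItem -Path $Reception -Recurse -Force |
    Where-Object { $_.FullName -ne $Faxes -and $_.FullName -notlike "$Faxes\*" } |
    ForEach-Object {
        $item = $_
        (Get-Acl -Path $item.FullName).Access |
            Where-Object { $_.IdentityReference.Value -eq $Cover } |
            Select-Object @{n='Path';e={$item.FullName}}, FileSystemRights, IsInherited
    }
```

The check in step 4 only looks at ACEs naming the cover group; read access that reaches Mary through another group (for example an inherited entry for the built-in Users group) has to be reviewed separately.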

Question has a verified solution.