Solved

Folder permissions - Traversing folders to only access subfolders, multiple users

Posted on 2015-02-19
6
477 Views
Last Modified: 2015-02-20
I need to setup folder permissions to an existing directory structure in a domain.

I have 4 groups of users that need access to certain subfolders on a shared drive, but should not have access to any files in any folders above those subfolders

ie: \\Server\Shares\ENG\ENG-Draw\ENG-Part

all users have a drive mapping s: to \\Server \Shares

How can I set up permissions to allow group1 access to s:\ENG\ENG-Draw\ENG-Part dir only?

I've read about the Traverse directory permission, but have never implemented it.

Any direction here is appreciated.
0
Comment
Question by:JNMarks
  • 2
  • 2
  • 2
6 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40619184
You need to remove the Inheritable permissions on the folder

Do the following...
- nav to that folder (s:\ENG\ENG-Draw\ENG-Part)
- Right click, Properties
- Click Security Tab
- Click Advance button
- Click Change permissions button
- remove the check mark for "include inheritable permissions from this objects parent"
- Click the Add button ( this will allow you to add to this current list of users that have already been populated)
- Click Add button and add Group1
- Set the permissions for Group1

Will.
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 300 total points
ID: 40619478
In your case 1st thing to do:

Ensure that share root has "authenticated users" have full control share permissions
disable permissions inheritance on root share folder advanced NTFS permissions with convert explicit option
Then grant "authenticated users" List folder contents permissions on root share
Remove any explicit groups if defined here on ACL

Now go to "Eng-Part" folder and disable inheritance and change authenticated users permissions scope (Applied to) to this Folder Only
Then add required group required access here

This process to followed for all other groups

This will ensure that group members will able to access only folders for which they have access
Also you may enable access based enumeration on share folder so that folders get hide from explorer for which user do not have permissions
http://heineborn.com/tech/enable-access-based-enumeration-in-windows-server-2012/
0
 

Author Comment

by:JNMarks
ID: 40619813
Thanks for the responses.

There are about 10 other dirs under Shares, (Sales, Prod, Quality, etc.) and then several under each one of them.

If I give full share permissions, and disable inheritance, I will have to assign/remove NTFS permissions manually to every subfolder, and then manually to every subfolder's subfolder.

ie Managers need full access to all folders, and the same groups may need access to other specific directories within the structure.

Assigning permissions manually will be a headache especially if a new folder is created.

Is there any other way?

Are you familiar with implementing the Traversal permission?

Thanks again,
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 200 total points
ID: 40619850
You leave Share permissions for Everyone to Full. You then only modify Security Permissions for Security only. depending on how granular you want to have this you will need to do this manually. The other option would be to create new Shares and apply permissions accordingly for each  security groups.

Will.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40620599
Its not required, by disabling inheritance, you don't have to set permissions manually on sub folders
Sub folders still will get inherited permissions from root share

If manager group require full permissions, you can grant them Modify \ full NTFS permissions on folder root once, it will get propagated to all sub folders

I have asked you to disable inheritance on share root because it is best practice and only way to stop flowing drive level permissions on root share
Whatever explicit permissions you will apply on root share will not affected by disabling inheritance.

Check below article for best practices to setup share folders
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/A_17526-NTFS-File-System-Folder-ownership-problems-and-resolution.html
0
 

Author Closing Comment

by:JNMarks
ID: 40621164
Thanks both of you for your quick responses.

I was able to get the permissions functioning the way I needed by blocking inheritance, converting and editing NTFS permissions on the folders and sub folders accordingly.

Thanks again for pointing me in the right direction.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

What to do when Windows Update is not working correctly? What tools can I use to detect the cause of the malfunction problem? What does this numeric error code mean? These and other questions that you have been asking in the past are answered here (…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now