Link to home
Start Free TrialLog in
Avatar of jim3725
jim3725

asked on

file permissions validation

Someone changes folder names which caused users to not be able to find their folders/files
the change was made at the root of T:\\deptfiles location.
I tried trying change permissions on group everyone to read only, but then users couldn't make any changes to any of their files.
I'm thinking that Authenicated users group, needs to have modify attribute removed, but I wanted someone to verify that it won't restrict users access to modify their files.  At the same time I can't have users change file names on root folders under Deptfiles either.
C--download-expertsexchange-filepermssio
Avatar of Mark Bill
Mark Bill
Flag of Ireland image

set the permissions in right click -> properties -> security -> advanced

in here there are more options and it will be easier for you to remove write.

if authenticated users has this permission assigned to it and you have for example a group with some users in it assigned different permissions, the least restrictive will apply here.

just play around with it and test it out.
Avatar of jim3725
jim3725

ASKER

I am unsure on whether or not to replace all inheritable permissons on this check box or not,
C--download-expertsexchange-advancedopti
it depends, this tickbox means do you want to remove the permissions from above folder, always use advanced permissions manager gives you more control, you will get used to it.

for example if i had share 1 and 5 folders inside share 1 and 5 sub folders inside 5 folders, from top level share i have a group assigned full control, this is fine for me, but in folder 5 i want the sub folders to have a completely different set of permisssions so i would go to folder 5 right click properties advanced and use this tickbox in this instance, it locks this folder and below folders off from the permissions above.
Avatar of jim3725

ASKER

Presently the authenticated users at the deptfiles is at the top of the tree. Since authenticated users have these permissions, then they pass down to the inheritable folders. Whatever change I make on authenticated users, will affect the entire file structure. If I don't use the check box to replace all inheritable permissions, then will it still change the permissions on the subfolders.  I want to minimize impact.
ASKER CERTIFIED SOLUTION
Avatar of Mark Bill
Mark Bill
Flag of Ireland image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of jim3725

ASKER

I wanted to only remove authenticated users on a subfolder that was inherited from parent.
That way I can test this with on separate subfolders.  I am attaching a printscreen on my question
C--download-expertsexchange-remove-inher
Avatar of jim3725

ASKER

I am not sure if I do a remove of all inheritable positions , on each folder, then only that groups defined
I don't open files on here as I'm usually on smart phone or work pc.

you can make this change no problems. it affects only this and below folders and files. just get stuck into it have to break eggs to make an omelette.
Avatar of jim3725

ASKER

I am removing the inherited permissions, and also checking on any shares that may have access within the folder structure, to give permissions.  Having inherited permissions is definitely a security risk.
Avatar of jim3725

ASKER

confirmation on removing inheritable permissions lessen my stress :-)
no its not, it depends on the share.

this is how i do it and i work for a PCI compliant company atm.

5 Drives(by drive i mean share) - All setup through group policy preferences with AD security groups.
Drive1 - contains operation data pretty much open access from top to bottom for the operations security group.
Drive2 - contains IT data pretty much open access bar several folders which are inherited unticked.
Drive3 - Finance and HR1 very tight security on this drive locked down to the security group for access and ntfs permissions.
Drive4 - Same as drive 3. Management drive.

What I did here is I segregate all the important data into one or two tightly locked down drives.
Just to give you an idea of how i did it, I have a group policy windows 2008 R2 that automatically maps drives at logon for users(no logon scripts) if they are a member of security groups.

How I set our few folders with custom access, untick inheritable permissions. I started at the very top in computer management permissions of the share advanced, set my permissions for the drive and did replace all child objects text box. so i have no restricted folders when i do this, one share same permissions top to bottom but then i go and select the folders to lock off and untick inheritable permissions and set the permissions again as i want them.

sorry for being terrible at explaining them things.
nice job buddy, tyy