Windows 2012R2 file share permissions issue
Hello,
I have the following file structure:
D:\shares\staff\department
share path is \\server\staff - D:\shares\staff
I want a group of users to be able to mount the share, and create folders under "departments" folder, but not be able to delete or rename the "departments" folder itself. I have given share permissions everyone full control, and NTFS permissions on the D:\departments\staff folder read and execute folder subfolder and files.
What is the correct way to do this? I have tried modify sub-folders and files only, but then they cannot access the folder at all. I f I add "read and execute this folder only" + "modify sub-folders and files only", they cannot create folders/files.
The odd part is that if I give them modify this folder subfolders and files, they cannot rename the departments folder, but they can delete it.
Thanks!
I have the following file structure:
D:\shares\staff\department
share path is \\server\staff - D:\shares\staff
I want a group of users to be able to mount the share, and create folders under "departments" folder, but not be able to delete or rename the "departments" folder itself. I have given share permissions everyone full control, and NTFS permissions on the D:\departments\staff folder read and execute folder subfolder and files.
What is the correct way to do this? I have tried modify sub-folders and files only, but then they cannot access the folder at all. I f I add "read and execute this folder only" + "modify sub-folders and files only", they cannot create folders/files.
The odd part is that if I give them modify this folder subfolders and files, they cannot rename the departments folder, but they can delete it.
Thanks!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
1+ to dipersp's comment on "On the NTFS permissions".
Keep in mind, an existing group, OU, or user on the folder (before you make changes) affect the outcome. If these groups show, or any other group the user(s) should not be in, you may have to remove the group, OU, or user from the Advanced dialog:
- Authenticated Users
- Users
Example:
- All users are by default, in the Authenticated Users domain group.
- You create a group named Allowed Group
- Danny is not in Allowed Group
- You add the Allowed Group to the list, thinking that Danny will not have the right. In reality, Danny will be allowed.
- To disallow Danny, you have to remove Authenticated Users and or Users.
Keep in mind, an existing group, OU, or user on the folder (before you make changes) affect the outcome. If these groups show, or any other group the user(s) should not be in, you may have to remove the group, OU, or user from the Advanced dialog:
- Authenticated Users
- Users
Example:
- All users are by default, in the Authenticated Users domain group.
- You create a group named Allowed Group
- Danny is not in Allowed Group
- You add the Allowed Group to the list, thinking that Danny will not have the right. In reality, Danny will be allowed.
- To disallow Danny, you have to remove Authenticated Users and or Users.
Usually this should work if you give the share access for everyone full and set the security level for the specific group.
I.e - Open the Shares folder>>Properties>>Sharin
Now, go to Security tab>>Edit>>Add>>search the desired group and make them "Read & Execute, List folder contents, Read".
Hope this set the permission correctly.