Solved

How to restrict access to folders below a folder shared with "Everyone"?

Posted on 2016-08-26
Last Modified: 2016-08-26
Hi,

We have a folder called "Shared" on our SBS server which is shared at the top level with "Everyone".

We've been asked to create some remote users on the system and to only grant them access to a couple of folders within the Shared folder. I may be missing the obvious and overcomplicating things, but I can't think of an easy way to just grant access to certain folders below that shared folder without removing the "Everyone" permission from the top level, which I'm reluctant to do as it will open a can of worms.

Any advice gladly received!

Thanks

Adam
Question by:Adam Lydiate
7 Comments
 
LVL 16

Expert Comment

by:FOX
ID: 41771805
Right-click the shared file/folder > Security > click the Advanced tab > click Change Permissions > uncheck "Include inheritable permissions from this object's parent" > click ADD.
You can now highlight and remove EVERYONE from this folder and add who you need to access it.
0
 

Author Comment

by:Adam Lydiate
ID: 41771900
Hi Foxluv,

Thanks for that, problem is that they have 55 users and I'll have to add them all in manually if I don't use the everyone group.  The top level folder has say 50 subfolders and I want everyone except 1 person to have access to all 50 folders, the 1 person will only have access to 1 folder of the 50 but everyone else will also need access to that 1 folder.  If I remove Everyone from the top level surely I'll have to manually put each user except that one I want to restrict back in won't I?

Thanks
0
 
LVL 16

Expert Comment

by:FOX
ID: 41771908
Even easier. Add the user with the same method as above (leave "Include inheritable permissions from this object's parent" checked) and click Deny. He will be denied access to the folder.
0
 

Author Comment

by:Adam Lydiate
ID: 41771916
Hi,

Surely that will deny access to the 1 folder I want that user to have access to.  I effectively want to deny access for 1 user to all except 1 folder under the Shared folder. If I remove inherited permissions on that 1 folder and add the user I want to give access to then everyone else will not be able to see the folder but they need to see it too.  You can see why I was confused enough to ask the question! :-)
0
 
LVL 16

Assisted Solution

by:FOX
FOX earned 250 total points
ID: 41771962
Go to the last comment in this link. Remove his rights to the folder and sub folders, then if anything add him manually to the one folder you want him to have access to.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/a7c4a7a7-6c53-4ec6-b92d-035dbff13d8e/powershell-scrip-to-remove-security-permission-from-filesfolders?forum=winserverpowershell
0
 
LVL 78

Accepted Solution

by:
David Johnson, CD, MVP earned 250 total points
ID: 41771989
Create 2 new security groups: name one 'restricted users', name the other 'unrestricted users'.
Add the new user into the restricted users group and the remainder into the unrestricted users group.
Share permissions can still be Everyone with read/write.
d:\topfolder shared as 'shared': NTFS permissions 'unrestricted users' (read/write/modify/delete/full control); remove the Everyone group, then reapply permissions, allowing them to propagate down.
Create a new share d:\topfolder\restricted as 'restricted'; give permissions to 'unrestricted users' and 'restricted users'.
1
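
The steps in the accepted answer, written out as a script. This is an added example, not something posted by anyone in the thread; the domain name, OU, account name and the space-free group sAMAccountNames are placeholders, and Modify is chosen here as the NTFS right. It saves the existing ACLs first so the change can be undone with `icacls /restore`.

```powershell
# Added example. Every value marked "placeholder" is an assumption, not from the thread.
Import-Module ActiveDirectory

$domain     = 'CONTOSO'                        # placeholder NetBIOS domain name
$usersOU    = 'OU=Staff,DC=contoso,DC=local'   # placeholder OU holding the existing users
$restricted = 'remote1'                        # placeholder sAMAccountName of the new remote user
$top        = 'D:\topfolder'                   # path from the answer
$sub        = 'D:\topfolder\restricted'        # path from the answer

# 0. Back up the current ACLs of the whole tree before touching anything.
icacls $top /save "$env:TEMP\topfolder-acl-backup.txt" /T /C

# 1. Create the two security groups (sAMAccountNames without spaces keep the
#    later icacls / net share arguments free of quoting problems).
New-ADGroup -Name 'Unrestricted Users' -SamAccountName 'UnrestrictedUsers' `
            -GroupScope Global -GroupCategory Security
New-ADGroup -Name 'Restricted Users'   -SamAccountName 'RestrictedUsers' `
            -GroupScope Global -GroupCategory Security

# 2. Put the new user in the restricted group and everyone else in the other,
#    so the existing users do not have to be added by hand.
$others = Get-ADUser -Filter * -SearchBase $usersOU |
          Where-Object { $_.SamAccountName -ne $restricted }
Add-ADGroupMember -Identity 'UnrestrictedUsers' -Members $others
Add-ADGroupMember -Identity 'RestrictedUsers'   -Members $restricted

# 3. NTFS on the top folder: grant the unrestricted group an inheritable
#    Modify ACE, then remove Everyone's grants here and on every child (/T).
icacls $top /grant "${domain}\UnrestrictedUsers:(OI)(CI)M"
icacls $top /remove:g Everyone /T /C

# 4. NTFS on the one folder the restricted user may use. The unrestricted
#    group already reaches it through inheritance from the top folder.
icacls $sub /grant "${domain}\RestrictedUsers:(OI)(CI)M"

# 5. Publish that folder as its own share for both groups.
net share "restricted=$sub" "/GRANT:${domain}\UnrestrictedUsers,CHANGE" `
                            "/GRANT:${domain}\RestrictedUsers,CHANGE"

# 6. Review the result. Any remaining ACE for a group the restricted user
#    belongs to (for example Users or Authenticated Users) still grants access.
icacls $top
icacls $sub
```

Step 6 is the check that matters: the restricted user is only kept out of the other folders if no remaining ACE on `D:\topfolder` applies to a group that account is a member of.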
 

Author Closing Comment

by:Adam Lydiate
ID: 41772016
Thanks Foxluv and David, have split the points between you as I'm sure Foxluv's suggestion will work but I'm too chicken to run a script on this server and David's suggestion sounds like a good way around.  Thanks both
0
