Solved

We don't want folders on server to be accessed by everyone

Posted on 2016-09-06
Last Modified: 2016-09-29
Goal:  I want to only give access to the individual themselves, the administrator and on some of them one or two other people.  

We have a server that is running Windows Server 2012. The files that people save into their individual folders on the server were originally set up so that everyone can access them. When I right click on the parent folder and the individual folders inside and go to Properties and Security there is "Administrators", "Administrator", "System", and "Users".
On the individual folders, I can add the individual but the "Users" group is still present and can access the folder. I tried to remove Users but it says if a person has rights in two groups and you remove one group, then that is the overriding rule (No access). How do I begin to change this so I can accomplish the goal above?
Question by:syssolut
LVL 14

Assisted Solution

by:Schnell Solutions
Schnell Solutions earned 125 total points (awarded by participants)
ID: 41787076
You can remove the group. The user just needs to be listed once in the permissions (without groups), or... any one of his/her groups is enough to allow the permission. (You do not need the combination of both).
 
LVL 64

Accepted Solution

by:
btan earned 250 total points (awarded by participants)
ID: 41787084
The user has to be given ownership of their folder, and inheritance has to be disabled to further customise who can be allowed. See the step-through:

http://www.online-tech-tips.com/computer-tips/set-file-folder-permissions-windows/
 
LVL 78

Assisted Solution

by:arnold
arnold earned 125 total points (awarded by participants)
ID: 41787155
Instead of starting from what you do not want, start with what you do want and to whom you wish to grant access and the type of access.
From the Share permission tab, you can grant sharing rights which are superseded by security permissions.

The more restrictive rule will apply, so long as you do not have a deny rule on users, a user that is a member of two groups may have rights to ....

You can use icacls as well as advanced under the security tab, to check a user's effective permissions to confirm that the user will have rights to the folder/contents ......

The structure of the folders could also impact, i.e. if you have hierarchical
top administrators have full rights, system has full rights and domain users have listing rights on this level only......
subfolder1, add user1
subfolder2 add user2
subfolder3 add user3

The sharing permissions will be less restrictive as you can grant the full rights to domain users.
The effect: while user1 and user2 will see subfolder3, they will not be permitted to access each other's nor user3's folder.

What types of folders are these? One option could be to use redirected folders: documents, desktop, etc.
Another option could be to use mapped drives using GPP to deploy specific "drives" to users.......whose top level will have the rights you want, etc......system, administrators, but each user will have drive M: for example locked into their folder without being able to see the contents from the others.......
Author Comment

by:syssolut
ID: 41792954
So let's say I have Folder "A" and everyone has full control because in this folder are individual folders for Bob, Mary, Alice, Ken and Karen. On each of these individual folders everyone has full rights at this time (along with SYSTEM, Administrators, and Administrator). Can I go to the individual folder, say Mary's, and add Mary in the Security, then delete the "USERS" from Mary's folder? This way Everyone has rights to the Folder "A" but then only Mary has rights to Mary's folder and no one else (except SYSTEM, Administrators and administrator)?
 
LVL 78

Assisted Solution

by:arnold
arnold earned 125 total points (awarded by participants)
ID: 41792982
On the Share folder you have two tabs, sharing and security. This is where you set what the user that accesses this share sees.
The security settings on this and subsequent folders will dictate how far each user who accesses the share can go.

Note on the security settings: if you have inheritance enabled, the TOP folder will dictate what subfolders have.


Yes, you can but for that you would first have to terminate inheritance, and copy the existing settings.
Then adjust the security parameters as you see fit.
 
LVL 64

Assisted Solution

by:btan
btan earned 250 total points (awarded by participants)
ID: 41793040
Yes you can but as mentioned earlier you need to disable inheritance to customise the specific group or Users for the sub folder otherwise the access given in folder A takes precedence - meaning those users belonging to admin can still access all the sub folder (you notice they are included by default in the subfolder permission list of group).
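
The sequence described in the answers above (stop inheritance while copying the existing entries, remove the Users group, then add the individual), as an added PowerShell example that is not part of the original thread. The function name, the `D:\A` path and the `CONTOSO\...` accounts are assumptions for illustration; run it from an elevated prompt.

```powershell
# Added example (not from the thread): lock one per-user folder down to its owner.
function Set-PrivateFolderAcl {
    param(
        [Parameter(Mandatory)][string]$Path,          # e.g. Mary's folder
        [Parameter(Mandatory)][string]$User,          # account that owns the folder's content
        [string[]]$AlsoAllow = @(),                   # the "one or two other people"
        [string[]]$RemoveGroups = @('BUILTIN\Users')  # broad groups to take off the folder
    )

    # 1. Disable inheritance, copying the inherited entries as explicit ones
    #    (second argument $true = keep a copy, so SYSTEM/Administrators stay).
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # 2. Re-read the ACL: the copied entries only become removable once persisted.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($group in $RemoveGroups) {
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$group)
    }

    # 3. Grant Modify to the individual (and any extra people), applying to
    #    this folder, its subfolders and its files.
    foreach ($identity in @($User) + $AlsoAllow) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # 4. Return the resulting entries so the change can be reviewed.
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Constructed sample mapping: folder name under D:\A -> account (placeholders).
$folders = @{
    'Mary' = 'CONTOSO\mary'
    'Bob'  = 'CONTOSO\bob'
}
foreach ($name in $folders.Keys) {
    Set-PrivateFolderAcl -Path (Join-Path 'D:\A' $name) -User $folders[$name]
}
```

After the run, every entry returned for a folder should show `IsInherited` as `False` and no `BUILTIN\Users` row; the Effective Access tab or `icacls` on the folder gives a second check.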
 
LVL 64

Expert Comment

by:btan
ID: 41821335
As advised by experts.