Solved

We don't want folders on server to be accessed by everyone

Posted on 2016-09-06
8
54 Views
Last Modified: 2016-09-29
Goal:  I want to only give access to the individual themselves, the administrator and on some of them one or two other people.  

We have a server that is running Windows Server 2012.    The files that people save into their individual folders on the were originally set up so that everyone can access them.   When I right click on he parent folder and the individual folders inside and go to Properties and Security there is  "Administrators",  Administrator", "System", and "Users".    
On the individual folders, I can add the individual but the "users" group is still present and can access the folder.  I tried to remove Users but it says if a person has rights in two groups and you remove one group, then that is the over riding rule (No access).   How do I begin to change this so I can accomplish the goal above?
0
Comment
Question by:syssolut
8 Comments
 
LVL 14

Assisted Solution

by:Schnell Solutions
Schnell Solutions earned 125 total points (awarded by participants)
ID: 41787076
You can remove the group. The user just need to be listed once in the permissions (without groups), or... anyone of his/her groups is enough to allow the permission. (You do not need the combination of both).
0
 
LVL 63

Accepted Solution

by:
btan earned 250 total points (awarded by participants)
ID: 41787084
User has to be given ownership to their folder and also disable inheritance ro futher customise who can be allowed. See the step through

http://www.online-tech-tips.com/computer-tips/set-file-folder-permissions-windows/
0
 
LVL 77

Assisted Solution

by:arnold
arnold earned 125 total points (awarded by participants)
ID: 41787155
Instead of starting from what you do not want, start with what you do want and to whom you wish to grant access and the type of access.
From the Share permission tab, you can grant sharing rights which are superseded by security permissions.

The more restrictive rule will apply, so long as you do not have a deny rule on users, a user that is a member of two groups may have rights to ....

You can use icacls as well as advanced under the security tab, to check a user's effective permissions to confirm that the user will have rights to the folder/contents ......

The structure of the folders could also impact, i.e. if you have hierarchical
top administrators have full rights, system has full rights and domain users have listing rights on this level only......
subfolder1, add user1
subfolder2 add user2
subfolder3 add user3

The sharing permissions will be less restrictive as you can grant the full rights to domain users
The effect while user1, user2 will see subfolder3 they will not be permitted to access each others nor user3's folder.

What types of folders are these? One option could be to use redirected folders documents, desktop, etc.
another option could be to use mapped drives using GPP to deploy specific "drives" to users.......whose top level will have the rights you want, etc......system, administrators, but each user will have drive M: for example locked into their folder without being able to see the contents from the others.......
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 

Author Comment

by:syssolut
ID: 41792954
So lets say I have Folder "A" and everyone has full control because in this folder are individual folders for Bob, Mary, Alice, Ken and Karen.   On each of these individual folders everyone has full rights at this time (along with SYSTEM, Administrators, and Administrator).   Can I go to the individual folder, say Mary's and add Mary in the Security,  then delete the "USERS" from Mary's folder?   This way Everyone has rights to the Folder "A" but then only Mary has rights to Mary's folder and no one else (except SYSTEM, Administrators and administrator)?
0
 
LVL 77

Assisted Solution

by:arnold
arnold earned 125 total points (awarded by participants)
ID: 41792982
On the Share folder you have two tabs, sharing and security. This is where you set what the user that accesses this share sees.
The security settings on this and subsequent folders will dictate how far each user who accesses the share can go.

Note on the security settings, if you have inheritance enabled. the TOP folder will dictate what subfolders have.


Yes, you can but for that you would first have to terminate inheritance, and copy the existing settings.
Then adjust the security parameters as you see fit.
0
 
LVL 63

Assisted Solution

by:btan
btan earned 250 total points (awarded by participants)
ID: 41793040
Yes you can but as mentioned earlier you need to disable inheritance to customise the specific group or Users for the sub folder otherwise the access given in folder A takes precedence - meaning those users belonging to admin can still access all the sub folder (you notice they are included by default in the subfolder permission list of group).
0
 
LVL 63

Expert Comment

by:btan
ID: 41821335
As advised by experts.
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question