Solved

granting Active Directory permissions

Posted on 2016-11-11
60 Views
Last Modified: 2016-11-15

I would like to grant users permissions to specific folders, I need some guidance as best practice.

- I need to create a Share on the Server (what permissions should I give here ?)
- I need to create "Department Folder" (what permissions should I give here ?)
- under "Department Folder", there are folders that I want to grant access just to specific AD groups.


What is the best way to accomplish this ?

Thank you
Question by:jskfan
18 Comments
 
LVL 23

Assisted Solution

by:NVIT
NVIT earned 100 total points
ID: 41884440
> I need to create a Share on the Server (what permissions should I give here ?)

Give Everyone Read/Write or change/modify permissions. NOT full permissions.

> I need to create "Department Folder" (what permissions should I give here ?)

Make sure Domain Users is added and has Security tab Read permissions.

> under "Department Folder", there are folders that I want to grant access just to specific AD groups.

In the Security tab of each folder...

- Advanced > Change Permissions > Uncheck "Include inheritable permissions..." > Pick Add button. OK. OK. Returns to Security tab.
- Edit
- Remove Domain Users and other undesired groups/users. Just make sure System, and any Administrators, Domain Admins are not removed.
- Add desired groups and give Modify permissions.
0
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 400 total points
ID: 41884512
On the "Department" root folder grant share permissions to Everyone for Full Control, then
I believe "Department" is the root folder; disable inheritance on this folder from the Security tab\Advanced tab, and also remove "Creator Owner" from there.
After that add the "Domain Users" AD group and grant it "Read" and "List folder contents" permissions.
Click Apply and close folder properties, now again go to folder properties \ Security \ Advanced tab and change the "Domain Users" permissions scope to "This folder only".
Click Apply and close all properties, now create the other departmental folders underneath the "Department" folder.
This will allow domain users to go inside the "Department" folder, but they can't browse underneath the departmental folders unless you grant them explicit permissions.
Now create AD groups with respect to each department and grant each group "Modify" NTFS permissions on the respective departmental folders.
Add users to the respective departmental groups.
This approach will ensure that users will be able to access only the folders for which they have access permissions.

If you need best practices for managing share folders, check last paragraph of below article:
https://www.experts-exchange.com/articles/17526/Windows-File-Server-Folder-ownership-problems-and-resolution.html

Mahesh
0
 

Author Comment

by:jskfan
ID: 41884698
Company is the Share Name
Department folder is the root folder; it is inside the Company share.
I do not want users to see folders under Department unless they have specific permissions on the folder.
0
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 400 total points
ID: 41884800
In that case follow below route:

On the "Company" root folder grant share permissions to Everyone for Full Control.
Then from the Security tab\Advanced page, disable inheritance on this root folder; while disabling, it will ask if you want to remove all permissions, select Yes.
This will remove all permissions, then add the Administrators group and System group with Full Control with "applies to" set to "This folder, subfolders and files" and click OK.
Then again add the "Domain Users" group with "Read" and "List folder contents" permissions with "applies to" set to "This folder, subfolders and files", click OK and Apply and close the folder properties.
Now create the "Departments" folder underneath the "Company" folder; this time go to this folder's properties\Security\Advanced tab and disable inheritance, and when it prompts for action, click to copy or convert existing permissions to explicit permissions (do not remove the permissions); then select "Domain Users", change the "applies to" scope to "This folder only" and click OK and Apply.
Now, underneath the "Company" folder create departmental folders like Sales, Marketing and so on.
Then create groups for every department as required and grant Modify permissions to these groups on the respective departmental folders.
Add users to the respective groups.
This will ensure that all users can browse the Company and Departments folders, but after that they can only access the respective department folder for which they have access.
Also, if you want to hide folders for which users do not have permissions, enable access-based enumeration on the share folder properties from the Share and Storage Management console.

Mahesh.
0
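The procedure in the comment above, scripted with PowerShell instead of the Explorer dialogs. This is an added example and not code from the thread or from either expert; it assumes it runs elevated on the file server with the SmbShare and ActiveDirectory (RSAT) modules available, and `$Root`, `$ShareName`, `$Domain`, `$GroupOU`, the department list and the `FS-<dept>-Modify` group naming are placeholders to replace. The "Applies to" choices from the Advanced Security dialog map onto .NET inheritance flags, which is where "This folder only" versus "This folder, subfolders and files" is decided.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): builds the Company\Department layout with Everyone Full Control
# on the share, restriction done at the NTFS level, Domain Users scoped to "This folder only" on
# Department, one Modify group per departmental folder, and access-based enumeration on the share.
Import-Module SmbShare
Import-Module ActiveDirectory

$Root        = 'D:\Shares\Company'                       # placeholder: local path of the share
$ShareName   = 'Company'
$Domain      = 'CORP'                                    # placeholder: NetBIOS domain name
$GroupOU     = 'OU=File Share Groups,DC=corp,DC=example' # placeholder: OU for the new groups
$Departments = @('Sales', 'Marketing', 'Finance')        # constructed sample list

# "Applies to" values of the Advanced Security dialog expressed as .NET inheritance flags
$ThisFolderOnly        = [System.Security.AccessControl.InheritanceFlags]::None
$FolderSubfoldersFiles = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

function New-Ace {
    # Builds one Allow ACE. $Identity is an account name ('BUILTIN\Administrators') or a SID object.
    param($Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Scope)
    if ($Identity -is [string]) { $Identity = [System.Security.Principal.NTAccount]$Identity }
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $Scope, [System.Security.AccessControl.PropagationFlags]::None, 'Allow'
}

# 1. Share permissions: Everyone Full Control. The share is only the gate; NTFS does the restricting.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
New-SmbShare -Name $ShareName -Path $Root -FullAccess 'Everyone' | Out-Null

# 2. Company NTFS: disable inheritance and discard the inherited ACEs (this also drops CREATOR OWNER,
#    so users never become owner of what they create), then add explicit ACEs.
$acl = Get-Acl -LiteralPath $Root
$acl.SetAccessRuleProtection($true, $false)     # $true: stop inheriting; $false: do not keep inherited ACEs
foreach ($old in $acl.Access) { [void]$acl.RemoveAccessRule($old) }   # remove any explicit leftovers too
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl'    $FolderSubfoldersFiles))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl'    $FolderSubfoldersFiles))
$acl.AddAccessRule((New-Ace "$Domain\Domain Users"   'ReadAndExecute' $FolderSubfoldersFiles)) # Read + List folder contents
Set-Acl -LiteralPath $Root -AclObject $acl

# 3. Department: stop inheriting but convert the inherited ACEs to explicit ones, then narrow
#    Domain Users to "This folder only" so nothing created below Department inherits it.
$Dept = Join-Path $Root 'Department'
New-Item -ItemType Directory -Path $Dept -Force | Out-Null
$acl = Get-Acl -LiteralPath $Dept
$acl.SetAccessRuleProtection($true, $true)      # $true, $true: protect and keep copies of inherited ACEs
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]"$Domain\Domain Users")
$acl.AddAccessRule((New-Ace "$Domain\Domain Users" 'ReadAndExecute' $ThisFolderOnly))
Set-Acl -LiteralPath $Dept -AclObject $acl

# 4. Departmental folders: created after step 3, they inherit only SYSTEM and Administrators.
#    Each gets its own AD group with Modify (not Full Control, so no ownership or ACL changes).
foreach ($d in $Departments) {
    $groupName = "FS-$d-Modify"                 # constructed naming convention
    $group = Get-ADGroup -Filter "Name -eq '$groupName'"
    if (-not $group) {
        $group = New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
                             -Path $GroupOU -PassThru
    }
    $path = Join-Path $Dept $d
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    $acl = Get-Acl -LiteralPath $path
    # Using the group's SID avoids name-resolution lag on a group that was created seconds ago
    $acl.AddAccessRule((New-Ace $group.SID 'Modify' $FolderSubfoldersFiles))
    Set-Acl -LiteralPath $path -AclObject $acl
    # Add-ADGroupMember -Identity $groupName -Members 'jdoe'   # membership is managed in AD, not on the ACL
}

# 5. Access-based enumeration hides the departmental folders a user cannot open.
Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force
```

Step 3 is the one that makes the model work: because the Domain Users ACE on Department carries no inheritance flags, the folders created in step 4 never receive it, so "Authenticated Users"/"Domain Users" should not appear on any departmental folder afterwards. Step 5 only changes what users see in a directory listing; it does not grant or deny access by itself.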
 
LVL 23

Expert Comment

by:NVIT
ID: 41884846
Which is basically what I first posted.
0
 

Author Comment

by:jskfan
ID: 41885290
In our environment, they have:

\\FileServer\Company\Department
Company is the share and Department is the root folder; under Department there are many subfolders.

- On the Company share's Security tab, I see:
Authenticated Users granted special permissions (traverse folder/execute file, read attributes, read extended attributes, list folder/read data) and Read permission.
Apply to: This folder only
"Include inheritable permissions..." not checked
"Replace all child object permissions..." not checked

Domain Admins have Full Control
Apply to: This folder, subfolders and files
"Include inheritable permissions..." not checked
"Replace all child object permissions..." not checked

On the Department folder, which is inside the Company share:
Has exactly the same groups, permissions and Apply to for Authenticated Users and Domain Admins, as configured on the Company share.
"Include inheritable permissions..." not checked
"Replace all child object permissions..." not checked

On the subfolders under the Department folder:
A specific security group is added and given Modify permissions
Apply to: This folder, subfolders and files
"Include inheritable permissions..." checked
"Replace all child object permissions..." not checked
0
 

Author Comment

by:jskfan
ID: 41885296
Based on the configuration I posted above, what makes users able to browse \\Fileserver\company\Department and see only the folders they have permissions on?

Can someone explain it clearly how are they able to browse \\Fileserver\company\Department and see only the folders they have permissions on ?
0
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 400 total points
ID: 41885314
@NVIT
You stated:
> In the Security tab of each folder...
> - Advanced > Change Permissions > Uncheck "Include inheritable permissions..." > Pick Add button. OK. OK. Returns to Security tab.

This is not my approach.
On every departmental folder you don't need to disable inheritance.
You just need to disable inheritance on the top-level folder (Department) in this case.

Also I suggested Full control share permissions to everyone and you have suggested modify share permissions
Share permissions are like gate and you should not restrict on share level but need to restrict on NTFS level

@ Jskfan:
They have already configured folder permissions exactly as I said in my last comment.

On the "Department" folder they have limited the scope for Authenticated Users to "This folder only" with "List folder contents" and Read permissions, hence they can browse until the "Department" folder and they don't have direct permissions to the underneath departmental folders (because the "This folder only" permission takes effect up to the Department folder only).
Hence they can access the specific departmental folders for which they have been granted access permissions via groups.
They can't see folders for which they don't have permissions because access-based enumeration is enabled on the share folder, which means a user can only see folders for which he has access.
Please check the link I posted in my last comment.

Mahesh.
0
 

Author Comment

by:jskfan
ID: 41885485
Thank you for the explanation


On the "Company" share, Security tab\Advanced page. When you give Full Control permissions, are they still considered share permissions and not NTFS permissions?
0
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 400 total points
ID: 41885491
Any permissions given on the Security tab will not be applicable to share permissions; however they will influence share permissions and vice versa.
The most restrictive permissions will apply.
For example:
If share permissions are Read only and NTFS permissions are Full Control, still Read only permissions will take precedence.
If the share has Full Control but NTFS has Read only, effective permissions will be Read only.

Mahesh.
0
 

Author Comment

by:jskfan
ID: 41885544
Let me put it this way:
On the "Company" share, Security tab\Advanced page. When you give Full Control permissions to Authenticated Users "This folder only",

any folder under the Company share will depend on the "restrictive rule":
if you give Read then Read will apply, if you give Write then Write will apply..

I was used to working on share/NTFS permissions on Windows 2000. At that time on the share there was no Security tab; you just share the folder and it becomes a share, give Full Control to Authenticated Users, then restrict the permissions accordingly at the level of the folders that are under the share.
0
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 400 total points
ID: 41885571
Do not mix share and security tab
On the Company folder you should give Authenticated Users Read and List folder contents with scope "This folder, subfolders and files" so that users can traverse until the Department folder.

"This folder only" permissions for Authenticated Users (Read and List folder contents) should be given on the Department folder and not on the Company folder, so users will get restricted to that specific folder with Read permissions and they cannot access sub folders by default. If you give Full Control here, users can create folders under Department and become owner of those folders, and then it's meaningless to grant the "This folder only" option.

Re-read my 2nd comment.

Mahesh.
0
 

Author Comment

by:jskfan
ID: 41887165
Talking about Authenticated Users, why not:
At the Company share, permissions will apply to This folder only. So that users can read what is inside the Company share.
At the Department folder, permissions will apply to This folder only. So that users can read what is inside the Department folder.

Then on each subfolder, for instance Marketing, you put there only MarketingGroup and apply to: This folder, subfolders and files. No Authenticated Users at the subfolder level.

Let's ignore Domain Admins now.
0
 
LVL 23

Assisted Solution

by:NVIT
NVIT earned 100 total points
ID: 41887304
To see why you should give Read/Write or change/modify permissions and NOT full permissions for Shares (not NTFS), see https://www.experts-exchange.com/questions/28955946/customize-Windows-explorer-such-that-Everyone-can't-get-selected-when-users-do-folder-sharing.html
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 41887339
@Jskfan:
> Talking about Authenticated Users, why not:
> At the Company share, permissions will apply to This folder only. So that users can read what is inside the Company share.
> At the Department folder, permissions will apply to This folder only. So that users can read what is inside the Department folder.

"This folder only" restricts users' ability to browse further sub folders unless they have been granted permissions to do so.
The ultimate objective is to restrict users from browsing all folders under the Department folder, and not under the Company folder; you are unnecessarily restricting users on the Company folder, which is simply not required because underneath the Company folder there is only one folder called Department.

The straight rule is "keep the permissions model as simple as possible unless you have very specific requirements".

> Then on each subfolder, for instance Marketing, you put there only MarketingGroup and apply to: This folder, subfolders and files. No Authenticated Users at the subfolder level.

This is what we are achieving by restricting Authenticated Users on the Department folder by selecting "This folder only".

---

@NVIT:
It seems that you have not read my 2nd comment:
> On the "Company" root folder grant share permissions to Everyone for Full Control.
> Then from the Security tab\Advanced page, disable inheritance on this root folder; while disabling, it will ask if you want to remove all permissions, select Yes.
> This will remove all permissions, then add the Administrators group and System group with Full Control with "applies to" set to "This folder, subfolders and files" and click OK.

By default users cannot share folders under an existing share folder even if they have Full Control share permissions, unless they are administrators and logged on to the server directly/interactively.
Another thing: I'm granting Everyone Full Control share permissions, however from the Security tab I am also disabling inheritance and removing all existing inherited permissions, which would also remove the "Creator Owner" group from the ACL, and hence users cannot become owner of folders they create unless I grant them Full Control NTFS permissions on the Security tab (Full Control NTFS includes taking ownership and changing permissions).
I am granting users (groups in this case) only Modify NTFS permissions on the sub folders underneath the Department folder with "This folder, subfolders and files" as scope, so that they can create/delete files and folders underneath the respective departmental folders for which they have access but can't take ownership.


Mahesh.
0
 

Author Comment

by:jskfan
ID: 41888279
I agree with you 100%
Just want to mention, at the Company share level, either you give Authenticated Users Full Control or Read, while Apply to: This folder only.
They still should be able to see what is inside the Company share. Correct?



Then on the Department folder, Authenticated Users have Traverse folder/Execute file, Read attributes, Read extended attributes, Read permissions. Apply to: This folder only.

But they don't see all the subfolders inside the Department folder; they can see just the subfolder they specifically have Modify permissions on.

So what makes Authenticated Users unable to see all the subfolders inside the Department folder, though they have Read permissions?
0
 
LVL 35

Accepted Solution

by:Mahesh
Mahesh earned 400 total points
ID: 41888485
> Just want to mention, at the Company share level, either you give Authenticated Users Full Control or Read, while Apply to: This folder only.
> They still should be able to see what is inside the Company share. Correct?

Giving Full Control and Read only are two different permissions.
If you give Full Control permissions here, users will be able to create sub folders under the Company folder, which is undesired, hence you need to grant just "List folder contents" permissions so they can traverse the "Company" folder and reach up to the Department folder. Again, do not restrict them here to "This folder only"; it's not required, they cannot do anything here apart from browse and go up to the Department folder.

> Then on the Department folder, Authenticated Users have Traverse folder/Execute file, Read attributes, Read extended attributes, Read permissions. Apply to: This folder only.

Now on the Department folder you need to grant "List folder contents" with "This folder only".
No need to provide the other permissions you mentioned; now the subfolders underneath the Department folder don't have Authenticated Users on the ACL, meaning they don't have even Read permissions.

Here you will put your groups on the sub folders with Modify permissions.
If you still see Authenticated Users Read permissions on the subfolders underneath the Department folder, it means the permissions structure is not correct.

The rest is taken care of by access-based enumeration.

I think you should test this scenario from scratch to understand, because maybe I am not able to explain it in words which you can understand.

Mahesh.
0
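The accepted solution ends with a check the asker can run: if Authenticated Users (or Domain Users) still shows up on a folder underneath Department, the structure is wrong, and access-based enumeration has to be on for the hiding to work. This added example, which is not code from the thread, audits an existing tree against exactly those three conditions (inheritance off and broad principals scoped to "This folder only" on Department, no broad principal on any departmental folder, ABE enabled on the share) and reports deviations as objects. It assumes it runs on the file server with the SmbShare module, and `$ShareName` and `$DepartmentPath` are placeholders.

```powershell
# Added example (not from the thread): audits the Company\Department permission model described above.
Import-Module SmbShare

$ShareName      = 'Company'                        # placeholder
$DepartmentPath = 'D:\Shares\Company\Department'   # placeholder local path

# Principals that must not reach the departmental folders; otherwise every user can read
# (and, with ABE, see) every department. DOMAIN\Domain Users is matched by pattern.
$BroadPrincipals = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone')
$BroadPattern    = '\\Domain Users$'
$None            = [System.Security.AccessControl.InheritanceFlags]::None

function Test-IsBroad([string]$Id) {
    return ($BroadPrincipals -contains $Id) -or ($Id -match $BroadPattern)
}

function Test-DepartmentPermissions {
    # Returns one object per deviation; an empty result means the model holds.
    param([string]$ShareName, [string]$DepartmentPath)
    $findings = New-Object System.Collections.Generic.List[object]
    $note = { param($Path, $Problem) $findings.Add([pscustomobject]@{ Path = $Path; Problem = $Problem }) }

    # 1. Access-based enumeration: without it users see the names of folders they cannot open.
    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop
    if ($share.FolderEnumerationMode -ne 'AccessBased') {
        & $note "\\$env:COMPUTERNAME\$ShareName" 'Access-based enumeration is not enabled on the share'
    }

    # 2. Department folder: inheritance off, broad principals limited to "This folder only",
    #    CREATOR OWNER absent (otherwise users own what they create and can re-permission it).
    $deptAcl = Get-Acl -LiteralPath $DepartmentPath
    if (-not $deptAcl.AreAccessRulesProtected) {
        & $note $DepartmentPath 'Inheritance is still enabled on the Department folder'
    }
    foreach ($ace in $deptAcl.Access) {
        $id = $ace.IdentityReference.Value
        if ($id -eq 'CREATOR OWNER') { & $note $DepartmentPath 'CREATOR OWNER is present on the ACL' }
        if ((Test-IsBroad $id) -and $ace.InheritanceFlags -ne $None) {
            & $note $DepartmentPath "$id is not scoped to 'This folder only' (inherits to: $($ace.InheritanceFlags))"
        }
    }

    # 3. Departmental folders: no broad principal at all, whether explicit or inherited.
    foreach ($dir in Get-ChildItem -LiteralPath $DepartmentPath -Directory) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            if (Test-IsBroad $id) {
                $origin = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
                & $note $dir.FullName "$id has $($ace.FileSystemRights) ($origin); only the department group belongs here"
            }
        }
    }
    return $findings
}

$result = Test-DepartmentPermissions -ShareName $ShareName -DepartmentPath $DepartmentPath
if ($result.Count -eq 0) { 'No deviations from the expected permission model found.' }
else { $result | Format-Table -AutoSize }
```

Run it after any change to the top of the tree: an "inherited" finding on a departmental folder points at a Department-level ACE that lost its "This folder only" scope, an "explicit" one at someone adding a broad group directly, and the ABE finding explains the case where access is correctly denied but folder names are still visible.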
 

Author Closing Comment

by:jskfan
ID: 41888499
Thank you Guys!
0
