windows server 2008

share permission

we have 2 shares folder  share1  share 2which are writeable by the Everyone group.(windows server 2008 r2)
 
Also the Everyone group has access to the users folder in some areas.
Everyone group has write access, there are some unsecured ‘My Documents’ folders containing files from various users, the Everyone group can access some user folders.
 
the main thing is to lockdown access to individual users so personal home drives aren’t open to everyone.
can I remove everyone group?

the individual users only have access to their specific user folder and no-one else.



but how do I do for 50 users in that share 1 folder , do I need to do manually
pramod1Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

William MillerInventory/IT ConsultantCommented:
If you're worried about access to the C drive, that should be disabled by default for anyone that doesn't have admin access on the machine that drive resides on.
0
Lasse BodilsenSystem AdministratorCommented:
The way i handle this in our system:

Have a shared folder on "Server1" with subfolders for each user.  and then with GPO assign that subfolder to the user under "User Configuration / Preferences / Windows Settings / Drive Maps"

and set the location to:   \\Server1\users$\%username%

that will only let the user see their own drive.  on the server i have restricted access to each users subfolder, to only this user, and no one else.  so that part will have to be done manually.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
pramod1Author Commented:
can I do this:Make the Everyone FULL CONTROL on the share.
 REMOVE Evenyone from the list on the security tab
 ADD the groups (or users if you must) to the security tab and assign them the permissions you want them to have
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

Lasse BodilsenSystem AdministratorCommented:
Yes that is possible.

right click main folder, then Go to Advanced in the Security tab.  Disable inheritance, and set the Everyone group up for "this folder only"

then add the users to the sub folders one by one.
0
pramod1Author Commented:
but we did for 1 user in share folder 1 , there are 50 of them is there any script or something we can do
0
NVITEnd-user supportCommented:
> but we did for 1 user in share folder 1 , there are 50 of them is there any script

You need a script using icacls.

I'm on the road now. If someone doesn't give you a solution before i arrive, I'll give you one.
0
pramod1Author Commented:
need to back up share1  folder before making changes, should I use wbadmin command?
0
NVITEnd-user supportCommented:
> should I use wbadmin command?
That's fine. Whatever you usually use.

Regarding your needs: For each user's folder, including subfolders, do you want just that user to access it? No other user can read or write anywhere in that user's folder?

Please clarify.
0
pramod1Author Commented:
yes that is correct but I have kept Everyone FULL CONTROL on the share.
  and removed Everyone from the list on the security tab
0
NVITEnd-user supportCommented:
> kept Everyone FULL CONTROL on the share.
That can cause access issues, giving users more rights than needed. In your case, giving Change/Modify on the share is sufficient. Then, give Modify rights via NTFS security permissions. Even Microsoft says Another approach is to set share permissions to Full Control for the Everyone group and to rely entirely on NTFS permissions to restrict access, but that's wrong. See https://www.experts-exchange.com/questions/28955946/customize-Windows-explorer-such-that-Everyone-can't-get-selected-when-users-do-folder-sharing.html#a41695298
0
NVITEnd-user supportCommented:
What permissions do you want to give each users folder? I presume the modify right for the user. Also, other users can't view that users folder. This would apply for each user. Correct?
0
pramod1Author Commented:
yes
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.