We help IT Professionals succeed at work.

File Server: Permission

tjie
tjie asked
Hi,
There are File Servers:
FS#1 is bad.
FS#2 is the replacement.

Here is the hierarchy of the folder:
FS#2> Marketing > Proposal > many folders here
The permitted users to Read, write or modify every folders under the “proposal” folder are
User#1
User#2

I want to give permission to User#1 to be able to modify any folders under the “proposal” folder.
The things that I do:
I go to the Proposal folder > right-click, select properties > go to the Security tab > click Edit > then, I add the “user#1” and give him “Full Control” permission > then, click OK or Apply

My question: Is there anything else that I have to do?

tjie
Comment
Watch Question

Lee W, MVPTechnology and Business Process Advisor
Most Valuable Expert 2013
DO NOT assign users to permissions.  Create groups, EVEN GROUPS OF ONE!, and then assign users to groups.  Then assign permissions to the group.
Distinguished Expert 2017
Adding to Lee's suggestion.
There are two:
1) share permissions
2) filesystem level permission

The one more stringent enforces the rule.
1) share deals with whether read or read/write rights are granted
2) icacls on the system folder will show you the rights.

Author

Commented:
Hi Lee,

Ok, i would follow your suggestion, and need your confirmation please.

User#1, User#2,… User#5 are in the same group in Active Directory; the Group name is FINANCING
So I go to the folder in the file server  \\fs#2\Marketing\Proposal

At the Proposal folder > right-click, select properties > click the Security tab> Click Edit> then, find the FINANCING group, and I would give the FULL CONTROL permission.

Question:
1) Is it that you mean?
2) Is there any other thing that i have to do?

Thanks,
tjie
Distinguished Expert 2017
the issue would be if you have control on share rights. i.e. you can grant a group read only rights on the sharing tab thet will limit/restrict a group and a member of it ...

Author

Commented:
Hi,

I am still confused with Lee's suggestion; what is the advantage?

tjie
Technology and Business Process Advisor
Most Valuable Expert 2013

It's best practice.  


Think about it.  (Except for user home directories), if you assign permissions to individuals, every time you add or remove someone from access to the files, changing the permissions must touch EVERY SINGLE FILE.  If it's a small file set, that's not a real problem.  If it's hundreds or thousands or millions of files, this can take time - the more files, the longer it takes - to make the changes.  


By assigning permissions to groups - for example, HR Full Access Group, if a user needs access to the HR files, you add them to the group and then tell them to log off and on again (to refresh their group membership list on their PC).  Now they have access to all the HR Full Access Group Files.  Want to revoke that access?  Just remove them from the group and force them to log off.


This has been the case since NT 3.1 was released some 25+ years ago.  

Distinguished Expert 2017
The short answer. Add user or remove user from a security, the effect is immediate without reprocessing.
The other, you have to maintain every file, folder, share where a user was granted access that you now need to revoke.

With security groups, open the user AD object look at member of, add. Remove groups ....as needed.
Lee W, MVPTechnology and Business Process Advisor
Most Valuable Expert 2013

Also, in somewhat larger environments where non-admins are delegated AD administration rights for select OUs, using groups allows those "non-admins" the ability to grant or remove access to files without having administrator rights on the server!

Distinguished Expert 2017
Nice, delegated rights as an illustration.