Avatar of mkramer777
mkramer777Flag for United States of America asked on

setup network folder so only 5 users can access

Seem to always have a tough time setting up folder permissions.  I have a folder on a windows server 2012 machine and I want 5 users to access it.  4 of the users I want to have full read write and 1 user I only want to have read access.  How would I set up the permissions and folder sharing for this?


NetworkingWindows OSWindows Server 2012

Avatar of undefined
Last Comment
Lee W, MVP

8/22/2022 - Mon
Kyle Abrahams

Set shared permissions for everyone (read + write) then you can use windows security on the folder for each user (or you can utilize groups if you have them).
ASKER
mkramer777

Do I setup the shared permissions on the share or do I iuse advanced sharing?

Kyle Abrahams

I always do advanced.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
ASKER
mkramer777

I did that 1st step, Now what?  Do I remove any of the users in here?  I only want the 5 users that I asked in the question.  Some of them
are administrators, FYI

ASKER
mkramer777

Am I in the right tab for this to be setup correctly?  See above comment

ASKER CERTIFIED SOLUTION
Lee W, MVP

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
mkramer777

When I create the group do I need to do anything in the "member of" tab for the group?

Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
mkramer777

Still don't know what I am doing.  When I click on the security tab I see the users in there.  I added the read and read/write groups and set the permissions. I see other users in there of course.  You said remove all other users.  I can't remove everyone, created owner, or Users.  Says they are inheriting from parent

ASKER
mkramer777

FYI.  Sorry, this is a subfolder I'm trying to do this on.

ASKER
mkramer777

I dropped a folder on the desktop to see if that would work.  Can't get it.  Here are screenshots.  I added the user with the name Marc Kramer DELL within the group BIS ENG FULL.  That group is added in security tab with full read write.  When I try to get into the folder with the computer that has the name Marc Kramer DELL it will not let me in.  Says I don't have access. Must be doing something wrong.






Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
Lee W, MVP

Do nothing with the Member of tab unless you want to make the group a member of another group.

For removal, go to Advanced button and then disable inheritance (you can either remove all permissions OR preserve them and then remove those who shouldn't have access).

Don't make changes to folders WITHIN existing shares.  Create new shares at a top level.  There are occasions when you might have to reset permissions on an entire folder - having customized, unique shares within existing shares can make that difficult and cause inadvertent changes to folders you didn't want to change.  Keeping things separate prevents that!

When I advise you not to do something (assign users directly or making changes to sub folders, it doesn't mean you can't, but just because you can doesn't mean you should!  There are best practices to prevent problems now or in the future!

If you're doing this, you should have a better understanding of permissions (disabling inheritance, for example).  You might want to setup a test system and learn this - these are basic configurations/recommendations that have been in place well over a decade.  (I think inheritance debuted in 2008).  Or partner with someone who knows this and can ensure it's done right.
Lee W, MVP

Permissions behave differently locally vs. remotely.  I assume you've been setting things up on a server and the users are accessing the server remotely. 
ASKER
mkramer777

I am just creating a folder on the root and sharing it out.  I have done all the steps above and disabled inheritance and it I still cannot access with the user added to the group.  

Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
mkramer777

Is this part correct on the advanced sharing? Should all be checked?


Lee W, MVP

Log the user out and then back in.

Group Memberships are set at login.  If you JUST added them to the group, they weren't there when the user logged in so the membership is unknown.  
Pau Lo

Another good practice is to have a description against the 2 user groups you need to create in this scenario, as to the group grants access too.
Far to often I see examples where the group descriptions are meaningless, and other administrators add members as they do not understand the data protection implications of adding additional members. An example of the description could be 'user security group that governs access to \\server\share'. if this will become part of your regular administration duties ensuring proper naming conventions will help in the long run. Other organizations also document who in the company can authorize additions to the group members, e.g. director of that department, line manager etc. No end user should be able to call or mail your service desk and request access to a folder without senior authorization (that should ideally be logged in your service desk application).
Never granting full control is another good practice, to prevent end users adding users/groups to the ACL themselves. I have read Microsoft used to recommend setting Everyone Full at the share level, whereas change/modify is more than sufficient. The share full and directory modify combination is sufficient to allow users to amend permissions on new folders they create, which should really be discouraged if the users could be storing important or sensitive files in the directory.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
Lee W, MVP

Couple of other NTFS security points:
1. I said before NEVER assign users direct permissions... TECHNICALLY, you CAN for their home directories.  Other than that, businesses change, roles change, and assigning permissions to groups instead of users will make the evolution go a lot smoother.
2. NEVER DENY permissions to anyone.  If a user is not a member of a group with access (or otherwise given access directly), deny is implicit.  There can be circumstances where deny is necessary, but odds are strong, you won't ever encounter them and unless explicitly told to do it by someone who fully understands NTFS, you shouldn't ever set deny.  (Deny takes priority over allow.  For example, if you assign BIS ENG FULL Full access then deny domain users, since all users are in domain users by default (and should be, for the most part), denying them will take priority over the allow you give BIS ENG FULL).