mkramer777 asked:

setup network folder so only 5 users can access

Seem to always have a tough time setting up folder permissions.  I have a folder on a windows server 2012 machine and I want 5 users to access it.  4 of the users I want to have full read write and 1 user I only want to have read access.  How would I set up the permissions and folder sharing for this?


Kyle Abrahams, PMP

Set shared permissions for everyone (read + write) then you can use windows security on the folder for each user (or you can utilize groups if you have them).
mkramer777 (ASKER)

Do I set up the shared permissions on the share or do I use advanced sharing?

I always do advanced.
I did that 1st step. Now what?  Do I remove any of the users in here?  I only want the 5 users that I asked in the question.  Some of them are administrators, FYI

Am I in the right tab for this to be setup correctly?  See above comment

ASKER CERTIFIED SOLUTION
Lee W, MVP

This solution is only available to members.
When I create the group do I need to do anything in the "member of" tab for the group?

Still don't know what I am doing.  When I click on the security tab I see the users in there.  I added the read and read/write groups and set the permissions. I see other users in there of course.  You said remove all other users.  I can't remove Everyone, Creator Owner, or Users.  Says they are inheriting from parent

FYI.  Sorry, this is a subfolder I'm trying to do this on.

I dropped a folder on the desktop to see if that would work.  Can't get it.  Here are screenshots.  I added the user with the name Marc Kramer DELL within the group BIS ENG FULL.  That group is added in security tab with full read write.  When I try to get into the folder with the computer that has the name Marc Kramer DELL it will not let me in.  Says I don't have access. Must be doing something wrong.


Do nothing with the Member of tab unless you want to make the group a member of another group.

For removal, go to Advanced button and then disable inheritance (you can either remove all permissions OR preserve them and then remove those who shouldn't have access).

Don't make changes to folders WITHIN existing shares.  Create new shares at a top level.  There are occasions when you might have to reset permissions on an entire folder - having customized, unique shares within existing shares can make that difficult and cause inadvertent changes to folders you didn't want to change.  Keeping things separate prevents that!

When I advise you not to do something (assigning users directly or making changes to sub folders), it doesn't mean you can't, but just because you can doesn't mean you should!  There are best practices to prevent problems now or in the future!

If you're doing this, you should have a better understanding of permissions (disabling inheritance, for example).  You might want to set up a test system and learn this - these are basic configurations/recommendations that have been in place well over a decade.  (I think inheritance debuted in 2008).  Or partner with someone who knows this and can ensure it's done right.
Permissions behave differently locally vs. remotely.  I assume you've been setting things up on a server and the users are accessing the server remotely. 
I am just creating a folder on the root and sharing it out.  I have done all the steps above and disabled inheritance and I still cannot access with the user added to the group.

Is this part correct on the advanced sharing? Should all be checked?


Log the user out and then back in.

Group Memberships are set at login.  If you JUST added them to the group, they weren't there when the user logged in so the membership is unknown.  
Pau Lo

Another good practice is to have a description against the 2 user groups you need to create in this scenario, as to what the group grants access to.
Far too often I see examples where the group descriptions are meaningless, and other administrators add members as they do not understand the data protection implications of adding additional members. An example of the description could be 'user security group that governs access to \\server\share'. If this will become part of your regular administration duties, ensuring proper naming conventions will help in the long run. Other organizations also document who in the company can authorize additions to the group members, e.g. director of that department, line manager etc. No end user should be able to call or mail your service desk and request access to a folder without senior authorization (that should ideally be logged in your service desk application).
Never granting full control is another good practice, to prevent end users adding users/groups to the ACL themselves. I have read Microsoft used to recommend setting Everyone Full at the share level, whereas change/modify is more than sufficient. The share full and directory modify combination is sufficient to allow users to amend permissions on new folders they create, which should really be discouraged if the users could be storing important or sensitive files in the directory.
Couple of other NTFS security points:
1. I said before NEVER assign users direct permissions... TECHNICALLY, you CAN for their home directories.  Other than that, businesses change, roles change, and assigning permissions to groups instead of users will make the evolution go a lot smoother.
2. NEVER DENY permissions to anyone.  If a user is not a member of a group with access (or otherwise given access directly), deny is implicit.  There can be circumstances where deny is necessary, but odds are strong, you won't ever encounter them and unless explicitly told to do it by someone who fully understands NTFS, you shouldn't ever set deny.  (Deny takes priority over allow.  For example, if you assign BIS ENG FULL Full access then deny domain users, since all users are in domain users by default (and should be, for the most part), denying them will take priority over the allow you give BIS ENG FULL).
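
The configuration the thread converges on (a top-level share, Change at the share level, inheritance disabled, NTFS rights granted only to groups, no Deny entries), written as a PowerShell script. This is an added example and not part of any post above. The folder path, share name, `CONTOSO` domain and the read-only group name are assumptions, as is keeping SYSTEM and Administrators on the ACL so the folder stays manageable; only `BIS ENG FULL` comes from the thread.

```powershell
# Run in an elevated PowerShell session on the file server.
# Assumed values (not from the thread): path, share name, domain, read-only group name.
$Path        = 'D:\Shares\Engineering'     # hypothetical top-level folder, not inside another share
$ShareName   = 'Engineering'               # hypothetical share name
$ModifyGroup = 'CONTOSO\BIS ENG FULL'      # group from the thread; domain is a placeholder
$ReadGroup   = 'CONTOSO\BIS ENG READ'      # hypothetical group holding the one read-only user

New-Item -ItemType Directory -Path $Path -Force | Out-Null

$acl = Get-Acl -Path $Path

# Disable inheritance. Second argument $false = drop the inherited entries
# (Users, Creator Owner, ...) instead of copying them as explicit ones.
$acl.SetAccessRuleProtection($true, $false)

# Clear any explicit entries left on the folder so only the list below remains.
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Allow-only entries, groups only. End users get Modify, not FullControl,
# so they cannot edit the ACL themselves.
$entries = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl'    },  # assumption: keep for services/backup
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl'    },  # assumption: keep for administration
    @{ Id = $ModifyGroup;             Rights = 'Modify'         },
    @{ Id = $ReadGroup;               Rights = 'ReadAndExecute' }
)
foreach ($e in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $e.Id, $e.Rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Share level: Change for Everyone; the NTFS ACL above does the real filtering.
New-SmbShare -Name $ShareName -Path $Path -ChangeAccess 'Everyone' | Out-Null

# Verify: every entry should be an Allow, none inherited, no individual users.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
Get-SmbShareAccess -Name $ShareName
```

If a user who was just added to a group still gets "access denied", have them log off and back on, then run `whoami /groups` as that user to confirm the group is present in their logon token.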