ruhkus asked:
Preventing some local user access to folder on C: drive

I have a terminal services server that remote staff in our Florida office use to connect and run an application. However, this same server also has a folder on the C:\ drive that is network shared with our other offices. I want to prevent the Florida staff from accessing this folder.


What would be the best way to accomplish this? Currently the security permissions to this folder are set to Everyone, System and Administrators. I have a domain group that does not include Florida staff. Should I just add this domain group to the Security permissions for that folder, apply it, then after that's done, remove the Everyone permission?


Will I need to edit the shared folder permissions as well, or does that not necessarily apply, since they're "local" to the server?


It's a somewhat large folder (1.8T), so I want to make sure I get this right the first time, as it'll probably take awhile to apply the permissions.


Thanks.

NVIT

What do the Share perms look like? When changed there, users/groups usually don't need to re-login for it to take effect. But not so for NTFS Security perms, which may require re-logins.

If Share perms are the same as Security, try replacing Everyone w/ that Domain group you mentioned. For now, don't change anything in NTFS Security.

Well, yes it may take a while but 1.8GB local shouldn't be *too* bad.

First, I would create a security group to access the folder.
Then, I'd give the group the necessary permissions for sharing (why not really?) and for security.
This would be for the normal access - minus Florida.

Once this is done then you can add and remove names of users or groups without having to propagate permissions again.
ruhkus (asker)

Share permissions are Everyone Full Access (and Administrators Full). Would changing Share Permissions be enough if they can just locally browse to that folder on the C: drive? I would've thought I'd need to change NTFS Security for that, especially since it's currently set to Everyone.

hypercube, it's 1.8TB not GB, but yeah, it'll take time but not overly horrible if done off-hours. I have a Security Group that I can assign the permissions in place of Everyone that will exclude the Florida guys, so I should be ok using that.

NVIT, to your point, this is a highly used shared folder/mapped drive, will those that continue to have permission, even after removing the Everyone access and adding the domain group (assuming I add it to NTFS) still require a logout and login to work?


I think the simplest way to do this is create a group for the Florida users, and then DENY read/write/execute in the NTFS security settings.

Therefore anyone (including new users) has access to the folder and contents, and you only have to maintain the Florida users group (which I'm surprised doesn't already exist).
> I have a domain group that does not include Florida staff.

then use that and remove everyone
no reason to use an implicit deny unless it is necessary - usually when a group of users has access to a folder and there is something specific that needs to be denied for a certain user - otherwise only define who does need access
use that existing group and be done with it
ASKER CERTIFIED SOLUTION: NVIT (solution text not shown on the page)
I clarified my last post
There are share permissions AND NTFS permissions; the most restrictive will apply if accessing via the share.
Local access requires NTFS permissions only and not share permissions.
It's not the size of the folder but the number of files that would determine the propagation speed.
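The share-versus-NTFS distinction above, as an added PowerShell example that is not part of the thread. It assumes a share named `Data` on `C:\Data` and a domain group `CONTOSO\NoFLA` (all hypothetical names), and is run in an elevated session on the server itself. It replaces Everyone on both the share ACL (network access only) and the NTFS ACL (local and RDP access) while keeping SYSTEM and Administrators, which is what protects the backup services discussed later in the thread.

```powershell
# Added example, not from the original thread. Hypothetical names below.
$share = 'Data'
$path  = 'C:\Data'
$group = 'CONTOSO\NoFLA'

# Rough idea of propagation cost: NTFS changes are applied per object, so count objects, not bytes.
$objects = (Get-ChildItem -Path $path -Recurse -Force | Measure-Object).Count
Write-Host "Objects under ${path}: $objects (NTFS propagation cost scales with this)"

# --- Share permissions: only consulted when the folder is reached via \\server\Data ---
Write-Host "Share ACL before:"
Get-SmbShareAccess -Name $share | Format-Table AccountName, AccessControlType, AccessRight

# Grant the replacement group (and the built-ins you still want) BEFORE revoking Everyone,
# so there is never a moment with no Allow entry on the share.
Grant-SmbShareAccess  -Name $share -AccountName $group                   -AccessRight Change -Force
Grant-SmbShareAccess  -Name $share -AccountName 'NT AUTHORITY\SYSTEM'    -AccessRight Full   -Force
Grant-SmbShareAccess  -Name $share -AccountName 'BUILTIN\Administrators' -AccessRight Full   -Force
Revoke-SmbShareAccess -Name $share -AccountName 'Everyone' -Force

Write-Host "Share ACL after:"
Get-SmbShareAccess -Name $share | Format-Table AccountName, AccessControlType, AccessRight

# --- NTFS permissions: what actually governs a user browsing C:\Data inside an RDP session ---
$acl = Get-Acl -Path $path

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Allow the non-Florida group Modify on the folder and everything beneath it.
$allowGroup = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'Modify', $inherit, $propagate, 'Allow')
$acl.AddAccessRule($allowGroup)

# Make sure SYSTEM and Administrators keep Full Control; services running as LocalSystem
# rely on the SYSTEM entry when they read the folder locally.
foreach ($builtin in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $builtin, 'FullControl', $inherit, $propagate, 'Allow')))
}

# Drop every explicit ACE for Everyone. Inherited Everyone entries would come from the
# parent (C:\); those need inheritance disabled first, which is a bigger change and is
# deliberately not done here.
$everyone = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'Everyone' -and -not $_.IsInherited })
foreach ($ace in $everyone) { [void]$acl.RemoveAccessRule($ace) }

# Set-Acl writes the folder ACL; Windows then propagates the inheritable entries to children.
Set-Acl -Path $path -AclObject $acl

Write-Host "NTFS ACL after:"
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Because the share ACL is changed first and the NTFS ACL second, a Florida user connecting through `\\server\Data` is cut off immediately, and a Florida user browsing `C:\Data` inside an RDP session is cut off once the NTFS change has propagated; existing sessions of users in `CONTOSO\NoFLA` keep working as long as that group was already in their token at logon.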
ruhkus (asker)

So I created a new folder on the C: drive of this server, shared it, and tested the permissions as described, removing Everyone and adding just the nonFlorida group to the share permissions. That actually seemed to work to prevent the remote desktop Florida person from accessing this folder. I'm still not sure why this would work though, since he was locally going to that folder on the C: drive and not via \\server\folder, which is why I assumed I needed to change NTFS permissions?

I then was this close to removing the Everyone permission on the actual shared folder in question (after adding the noFlorida group to the share), but then I stopped. I realized that doing this MIGHT cause any services I run, such as two separate backup software packages, to possibly fail, since they are probably not set to run under a domain user in that nonFlorida security group. Would this be a fair assumption? I think they might use SYSTEM or whatever typically is default, but I will need to check.
ruhkus (asker)

To add to the above, I know adding a DENY permission is usually not best practice, but I do wonder if it does make sense in this scenario, to create a Florida only group and deny them access at the share level?
> ... then was this close to removing the everyone permission on the actual shared folder in question (after adding the noFlorida group to the share), but then I stopped. I realized that doing this MIGHT cause any services I run, such as two separate backup software to possibly fail

Check each of those services. The Log On tab. If it says "Local System account", adding SYSTEM to the share perms should work.
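The service check described above, as an added PowerShell example that is not part of the thread. It lists the log-on account of every service that does not run as one of the built-in accounts, and flags the ones whose account is not a member of the replacement group (assumed to be `CONTOSO\NoFLA`, a hypothetical name); the group lookup needs the ActiveDirectory RSAT module and is skipped if it is not installed.

```powershell
# Added example, not from the original thread. Hypothetical group name below.
$group = 'NoFLA'      # sAMAccountName of the replacement group
$domain = 'CONTOSO'

# Built-in accounts that survive the ACL change because SYSTEM/Administrators keep their ACEs.
# LocalService/NetworkService only reach the folder if Everyone (or Users) still has an ACE.
$builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

# The same information as the Log On tab in services.msc, for every service at once.
$services = Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, DisplayName, StartName, State, StartMode

Write-Host "Services running as LocalSystem (keep SYSTEM on the share and NTFS ACL):"
$services | Where-Object { $_.StartName -eq 'LocalSystem' } |
    Format-Table Name, DisplayName, State -AutoSize

Write-Host "Services running as LocalService/NetworkService (lose access once Everyone is removed):"
$services | Where-Object { $_.StartName -in $builtin[1..2] } |
    Format-Table Name, DisplayName, State -AutoSize

$custom = $services | Where-Object { $_.StartName -and $builtin -notcontains $_.StartName }
Write-Host "Services running under a named account (must be in $domain\$group or get their own ACE):"
$custom | Format-Table Name, DisplayName, StartName, State -AutoSize

# Resolve group membership if the AD module is present; -Recursive expands nested groups,
# which matters because the thread suggests putting office groups inside NoFLA.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $members = Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object { "$domain\$($_.SamAccountName)" }
    foreach ($svc in $custom) {
        # StartName is stored as DOMAIN\user or user@domain; normalise the common form.
        $acct = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
        $inGroup = $members -contains $acct
        $status = if ($inGroup) { 'OK (member)' } else { 'NOT a member: will lose access' }
        Write-Host ("{0,-30} {1,-35} {2}" -f $svc.Name, $acct, $status)
    }
}
else {
    Write-Host "ActiveDirectory module not installed; compare the StartName column against $group manually."
}
```

A service that runs as LocalSystem and reads `C:\Data` by its local path never touches the share ACL at all; it is governed by the SYSTEM entry in the NTFS ACL, so keeping that entry is what matters for the backup jobs. Only a service that addresses the folder as `\\server\Data` (or a backup agent on another machine) goes through the share permissions.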
ruhkus: I don't see where you say that you have created a Security Group to give the Sharing and Security permissions for this folder that's of interest to you.  I recommended it and others have recommended it.  So, once more, I'd highly recommend doing that.
It's not clear to me whether the computer with the folder is domain-joined or not.
It's not clear to me whether the Florida group (and others) are domain-joined or not.
So, I will assume that they *are* and caution that if they aren't then there may be variations on this theme:
Doing this really makes removing "Everyone" just a bit of housekeeping.

Depending on how you've created the various Groups, you might simply create a security group named: ALLBUTFLA or NOFLA or.... whatever.  Then you can put usernames AND groupnames into NOFLA - and put all of them in there to the exclusion of FLA.  That you can add groupnames means you can have ALLATHOME, ALLINLA, ALLINSFO, etc. groups with usernames in them .... whatever fits your group structure and is convenient for the objective here.
Then you share the folder with NOFLA.  And you give security permissions to NOFLA.
If the "server" isn't domain joined then you can create a Local Security Group on it and then put other groups in it... as I recall.

The big answer to "why bother?" is that you can add names to NOFLA and not have to propagate permissions each time a name is added or deleted.  That is a very big deal!!