
permissions

SOLVED
Fred Martin_1
Valued Contributor

permissions

I'm a bit confused about the proper way to lock down permissions on folders in Win 2003.

This is pretty basic stuff I'm sure, but I need a push in the right direction.

The goal is to create a folder which is shared. Users access this folder from the network via the share.

Inside this shared folder are other folders. I would like specific groups to have full access to their own folders but to no other. Nor do I want them creating any folders at the "root" level.

Shared\Accounting
Shared\Operations
Shared\Staff

Everyone uses a drive letter that's mapped to "Shared". They all see the various folders inside of Shared.

The "accounting" user group should have full access inside the "accounting" folder. Same for other folders and respective groups.

But no one should be able to add/remove new folders or files in "Shared" except admins.

Everything I have tried gives too much access to users at "Shared", if I give them full access to their folder below.

What would a proper config look like?

Fred
fmartin@applicatorssales.com
Fred Martin_1
Valued Contributor

Re: permissions

While I'm here, is there some reason why all of my users and groups don't show in the "select users and groups" window? I click on "find" and it displays most - but not all - of the users and groups in the domain. And if I manually type in the name of a group, i.e. DOMAIN\ACCOUNTING, that also fails.
fmartin@applicatorssales.com
Jonathan Axford
Trusted Contributor

Re: permissions

Hi Fred,

In my opinion, the best way to do it would be to create 3 separate Shares, one for each department, rather than have them all access it through the same folder. That way each department will go straight into the necessary folder and not even see the others.

As soon as you give SHARED folder change permissions, users are going to be able to create folders in the root of it.

As for the select users and groups part, make sure you are searching in the correct location, i.e. entire directory. That way you should see all of the users in the domain.

Where there is a will there is a way...
Fred Martin_1
Valued Contributor

Re: permissions

Separate shares require separate drive letters, so that won't work for me.

Basically, the permissions on the folders are simple enough: full for group, full for admins, no permissions for anyone else.

It's the permission on the share (or, the folder) that seems to be the issue.

Read-only on the share doesn't work. Even though they have full access to lower folders, they can't write in there. Too much access at the share and it allows them to create new folders directly below the share. Don't want that.

Help :)
fmartin@applicatorssales.com
Edgar Zapata
Esteemed Contributor

Re: permissions

Set NTFS permissions on the Share as you like in that particular root share.
When setting NTFS permissions in each folder:
i.e. Accounting, Operations and Staff, set the permissions you want in each particular folder.

The key here is you need to cut permissions inheritance.
You do that by right-click on the folder you want, i.e.: Accounting,
Properties
Security Tab
Click on Advanced
Uncheck "Allow inheritable permissions from the parent to propagate..."
When prompted, click on Copy.
From then on, you will be able to remove the groups or users you don't want access to the folder you're in.
You will also be able to restrict user access without removing the user or group from the DACL.


Keep in mind that SHARE permissions together with NTFS permissions work by granting the user the most restrictive effective permissions.


See this link if you need more information:
http://support.microsoft.com/kb/304040/en-us

Thanks.

Hope it helps.
Fred Martin_1
Valued Contributor

Re: permissions

I'm afraid inheritance doesn't seem to be the issue. Cut those. Seems to be more an issue of the security being choked at the share above the three folders.

Right now, on the folder called "Shared" if I click on the share properties and go to security, I click on the "domain users" object and I have three choices: full, change, read.

So I set it to read. I don't want them to be able to add folders -directly- below "Shared".

On each of the three folders below Shared, I cut inheritance from above, and gave Full access to the specific user groups that should have access to specific folders.

The specific groups can only get into the folders that they should, that works.

Still, they can not create files or folders below "Accounting", "Operations" or "Staff".

I suspect it's the read-only on the share that's choking them. But if I open it, then they can add folders at the same level as "Accounting" etc. and I do not want that.

fmartin@applicatorssales.com
Fred Martin_1
Valued Contributor

Re: permissions

Regarding the sidebar 'is there some reason why all of my users and groups don't show in the "select users and groups" window?' ... that's been solved. A mixup with local and global groups, that's all. Was trying to pull a local group, can't do that.
fmartin@applicatorssales.com
Edgar Zapata
Esteemed Contributor

Re: permissions

Hi Fred,

Run cacls and compare your output with the output below.

cacls %FullSharedFolderPath% /t >> file1.txt

This is what the proper config should look like; cacls will not display SHARE permissions though.


NTFS permissions:
---------------------------------------------------

C:\Shared BUILTIN\Administrator:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
DOMAIN-1\accounting_Group:R
DOMAIN-1\operations_Group:R
DOMAIN-1\staff_Group:R

C:\Shared\Accounting BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
DOMAIN-1\accounting_Group:F
BUILTIN\Users:R

C:\Shared\Operations BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
DOMAIN-1\operations_Group:F
BUILTIN\Users:R

C:\Shared\Staff BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
DOMAIN-1\staff_Group:F
BUILTIN\Users:R


SHARE permissions
---------------------------------------------------

C:\Shared BUILTIN\Administrators:F
DOMAIN-1\accounting_Group:R
DOMAIN-1\operations_Group:R
DOMAIN-1\staff_Group:R

C:\Shared\Accounting BUILTIN\Administrator:F
DOMAIN-1\accounting_Group:F

C:\Shared\Operations BUILTIN\Administrator:F
DOMAIN-1\operations_Group:F

C:\Shared\Staff BUILTIN\Administrator:F
DOMAIN-1\staff_Group:F



Please note that with the above-described NTFS and SHARE permission settings, there will be no way for users from accounting, staff or operations to add/remove folders in "Shared"; only admins can.

Hope it helps.
Fred Martin_1
Valued Contributor

Re: permissions

Thanks, cacls goes a long way in helping me see the effects of changes I make.

I can say now, the NTFS permissions on the folder itself have no effect. I can remove any reference to Accounting Group at that level and it doesn't change anything.

The share permissions control it. And alas, there is not the same rich list of choices for permissions there. Full, Change, and Read is all you get.

Read on the share prevents them from creating new folders just under the share, that's good. But as before, even though they have full NTFS access on the Accounting folder, they can get in, but can't create anything in there.

Change and Read on the share fixes the issue inside the Accounting folder, and still does not allow them into folders such as Operations, but now they can create new folders directly under the share.

The suggestion above about creating a share on each folder for each group, certainly solves it. But that won't work for my situation.
fmartin@applicatorssales.com
Edgar Zapata
Esteemed Contributor
Solution

Re: permissions

Fred,

There must be something that allows accounting, operations or staff members to create files under the Share folder.

See this:
Share Permissions and NTFS Permissions are independent in the sense that neither changes the other. The final access permissions on a shared folder are determined by taking into consideration both the Share permission and the NTFS permission entries. The more restrictive permissions are then applied.

http://technet2.microsoft.com/windowsserver/en/library/86987829-3f74-412f-abb8-c8b22b07257d1033.mspx?mfr=true

Look up Accounting group membership.
Look up what groups are members of either the LOCAL Administrators group or the DOMAIN Administrators group.

If you remove NTFS permissions for accounting group in the Share, that must have an effect on whether or not Accounting group members have any type of access.

This is not totally related to your problem, but it may be of help.
(See if Everyone group is set on the Share.
Remove it if it's there.
By default, READ permissions will be set for the Everyone group whenever a SHARE is created.)

Regards.
Edgar.
Fred Martin_1
Valued Contributor

Re: permissions

Well, I did just discover something but I'm not sure of the implications. You are exactly right.

On the local machine there is a group: Users

That group contains: DOMAIN\Domain Users

This was added automatically when the server was placed on the domain, as far as I know.

Well, sure enough if I check security on the drive itself, the -local- 'Users' had these default 'special permissions':

Create Files / Write Data
Create Folders / Append Data

Since the local Users contained DOMAIN\Domain Users, they are also given this access.

When that was removed, it all worked as I had wanted. Full access to their own folder, no ability to modify the 'root' folders directly below the share.

Now, I have to decide how best to carry this out. I probably do -not- want to remove DOMAIN\Domain Users from the local Users group.

Will post here again after some experimentation. Any advice is welcome.
fmartin@applicatorssales.com
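The inherited ACE Fred found above (local Users, which contains DOMAIN\Domain Users, getting Create Files / Create Folders from the drive root) is exactly the kind of entry that is easy to miss in the GUI. The following audit script is an added example, not code from the thread; it assumes Windows Server 2003 SP2 or later, where icacls.exe is available (cacls, which the thread uses, does not show the inherited flag), and a root path of C:\Shared and share name Shared, both assumptions you would replace with your own. It lists every ACE on the share root, then isolates the inherited ones, then the inherited ones that grant file or folder creation, which are the entries that let users write directly under the share even when the share's own explicit NTFS entries are read-only.

```batch
@echo off
setlocal
rem audit_shared.cmd  (added example; path and share name are assumptions)
rem Usage: audit_shared.cmd [folder] [sharename]
set "ROOT=%~1"
if "%ROOT%"=="" set "ROOT=C:\Shared"
set "SHARE=%~2"
if "%SHARE%"=="" set "SHARE=Shared"

echo === All NTFS ACEs on %ROOT% (icacls marks inherited entries with (I)) ===
icacls "%ROOT%"
echo.

echo === Inherited ACEs only ===
rem These come from the parent (here the drive root), not from anything set on %ROOT%.
icacls "%ROOT%" | findstr /C:"(I)"
echo.

echo === Inherited ACEs that allow creating files or folders ===
rem WD = Create Files/Write Data, AD = Create Folders/Append Data; W, M and F include both.
rem Any hit here means a member of that group can create objects directly under the share
rem regardless of the read-only entries you set explicitly on the folder.
icacls "%ROOT%" | findstr /C:"(I)" | findstr /C:"(WD)" /C:"(AD)" /C:"(W)" /C:"(M)" /C:"(F)"
echo.

echo === Share-level permissions for %SHARE% (cacls/icacls never show these) ===
net share %SHARE%
echo.

echo === Members of the local Users group (look for DOMAIN\Domain Users) ===
net localgroup Users
endlocal
```

If the third section prints a BUILTIN\Users line, that is the entry Fred removed; the cleaner fix is to stop the share root from inheriting at all rather than to edit the drive root's ACL or pull Domain Users out of the local Users group, since other software on the server may rely on that membership.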
Fred Martin_1
Valued Contributor

Re: permissions

Ok, I have seen the light :)

The share needed to have 'change' and not 'read'.

The NTFS permissions though, on the shared folder, needed to be (essentially) 'read'.

The folder below it, 'Accounting' for example, is set for 'full' for the appropriate group.

I was screwed up on the share permissions. Thinking that I didn't want anyone writing in the Share folder itself, I set the share permissions too low, and it choked the users coming in through the share. They couldn't write in the Accounting folder even though they had permission to, in there.

Setting the permissions on the share to 'Change' fixed that.

And, the main folder is still protected because the NTFS permissions on it are more restrictive than the share.

Thanks folks, you did help.

Fred
fmartin@applicatorssales.com
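Putting the whole thread together (Edgar's "cut inheritance on each department folder" procedure and Fred's final finding that the share must be Change while the root folder's NTFS entries stay Read), this is a script that builds the configuration end to end. It is an added example, not something posted in the thread. It assumes Windows Server 2003 SP2 or later (icacls.exe present), that it is run as a local administrator, a root of C:\Shared shared as Shared, and a domain named DOMAIN with global groups named Accounting, Operations and Staff; all of those names are assumptions.

```batch
@echo off
setlocal
rem setup_shared.cmd  (added example; every name below is an assumption)
set "ROOT=C:\Shared"
set "SHARE=Shared"
set "DOM=DOMAIN"
set "DEPTS=Accounting Operations Staff"

if not exist "%ROOT%" mkdir "%ROOT%"
for %%D in (%DEPTS%) do if not exist "%ROOT%\%%D" mkdir "%ROOT%\%%D"

rem 1. Root folder.  Grant Administrators and SYSTEM explicitly *before* removing
rem    inheritance so the DACL is never empty, then drop every inherited ACE.  This
rem    removes the drive-root entry that gave the local Users group (and so
rem    DOMAIN\Domain Users) Create Files / Create Folders directly under the share.
icacls "%ROOT%" /grant "BUILTIN\Administrators":(OI)(CI)F "NT AUTHORITY\SYSTEM":(OI)(CI)F
icacls "%ROOT%" /inheritance:r
rem    Each department group gets Read and Execute on this folder only (no OI/CI),
rem    enough to open the share and see the subfolders, not enough to create anything.
for %%D in (%DEPTS%) do icacls "%ROOT%" /grant "%DOM%\%%D":(RX)

rem 2. Department folders: cut inheritance, then Full for the owning group only.
rem    Groups not listed here get nothing, so Operations cannot enter Accounting.
for %%D in (%DEPTS%) do (
    icacls "%ROOT%\%%D" /grant "BUILTIN\Administrators":(OI)(CI)F "NT AUTHORITY\SYSTEM":(OI)(CI)F
    icacls "%ROOT%\%%D" /inheritance:r
    icacls "%ROOT%\%%D" /grant "%DOM%\%%D":(OI)(CI)F
)

rem 3. The share itself.  Share permissions are CHANGE, not READ: with READ the
rem    effective permission is the more restrictive of share and NTFS, so users could
rem    not write inside their own folders.  Recreating the share also drops the
rem    default Everyone:Read entry Windows adds when a share is created in the GUI.
net share %SHARE% /delete >nul 2>&1
net share %SHARE%="%ROOT%" /GRANT:Administrators,FULL /GRANT:%DOM%\Accounting,CHANGE /GRANT:%DOM%\Operations,CHANGE /GRANT:%DOM%\Staff,CHANGE

rem 4. Verify.  NTFS entries go to a file for comparison with Edgar's cacls listing;
rem    share permissions are printed separately because cacls/icacls never show them.
icacls "%ROOT%" /T > "%TEMP%\shared_ntfs.txt"
type "%TEMP%\shared_ntfs.txt"
net share %SHARE%
endlocal
```

The root folder stays protected by NTFS (Read only for the groups, no inherited write entries), the subfolders are writable because the share is Change and NTFS is Full, and nothing in the department folders inherits from the root, so a later change to the root's ACL cannot silently widen access below it.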