
File/folder permission nightmare!


gstar1703

Hi, this is killing me now!
We have a Windows 2003 directory (MyFiles) on drive D which is mapped as X:\MyFiles for all XP workstations on LAN. Drive D itself only has D$ share but "MyFiles" directory is shared everyone - full control.
Inside "MyFiles" we have all dept directories with sub directories under those. None of these are shared but users can browse the LAN or mapped drive and view all directories & files. The only way I can stop this is to basically deny all AD users then allow individual users required access, but this takes ages to do & will be a never ending task for me. Isn't there a way I can allow permissions to required users without having to deny everyone else?

Thanx
G
 
I don't know if I exactly understand your problem, but I will try answering it:

You have one fileshare that contains the user/home folder for all your users. Right?

Your share permission should be everyone - full control (or in fact authenticated users - full control will be even better).

Your NTFS permissions should be:
Authenticated users - Full control (this folder only)
You will probably have system and administrators accessing those folders as well (This folder, subfolders and files)

Then map your users to the fileshare with something like \\servername\sharename\%username%. Now each user will create a new share that only that user would be allowed to access.

 
Thanx for your prompt reply -
The problem is that we have company folders where certain people need to have full access to but no other users should:
EG -
D:\COMPANY DIR - (Everyone full control)
D:\COMPANY DIR\Finance\ - (Everyone full control)
D:\COMPANY DIR\Finance\Board\ - (Group1 & User 7 full control - Everyone else no access, not even read)

My problem is that if I choose "deny" on the D:\COMPANY DIR\Finance\Board\ directory I have to add all domain users and select deny individually. What I really want is to add Group1 & User 7 & offer them full control...

Surely this is possible as some companies would have 1000s of AD users to deny privileges to!!

Thanx again for your time
G
 
If I understand your problem correctly, what you want to do is create more access groups:

Create a group called FinanceBoard (or something) and assign all the authorized users to the group. Give that group access to the folder and remove Everyone's access from the folder. Then you don't have to deny any specific user access.

It may seem like a large task to create groups for each folder's access, but it will save you time in the long run: as you hire or fire employees you can simply add them to the groups instead of reassigning all directory access. Also, by assigning less access as you go down the directory tree you can use the same groups for access to multiple folders and subfolders.
 
Hi & thanx..

I had set up security groups already but that didn't work either. This will only work if I specifically deny access to users which is doing my head in!

G
 
This doesn't sound logical. Just to make sure I wasn't missing anything, I just used the "Manage your server" wizard to create a new share on my 2003 server. I chose to give admins full access and users read access to the share. Then I created sub folders under the new share. I can grant user groups access to the sub-folder and remove "Everyone" from the sub-folders. Remember to grant access to the share using share permissions, but grant/deny access to the subfolders using the security tab on the folder properties. What doesn't work?
 
Hi again,
I am going to do what you have just done to see the effects but I am sure I have already done this 10 times today!!!
As a reminder the below is an exact replica of my setup -
D:\COMPANY DIR - (Everyone full control)
D:\COMPANY DIR\Finance\ - (Everyone full control)
D:\COMPANY DIR\Finance\Board\ - (Group1 & User 7 full control - Everyone else no access, not even read)

If you see the last directory to be shared "Board" has by default got everyone full control access, which is why I think it's not working...does that make sense?

OK - Have done as you suggested exactly, apart from I had to remove inheritance on the subfolders in order for me to remove "Everyone" from security tab. It still doesn't work!! All users have access!

Bizarre or what?

G
 
OK, I think I know what's going on. You only have to create a share for the top-level folder. Do NOT share the sub-folders. Simply change the permissions on them by right-clicking, going into properties, and clicking the Security tab. You will see Everyone and Domain Admins have access rights. Remove Everyone and add whatever groups you want to be able to access.

When your users go to Servername\CompanyDir they will see the finance folder. However, unless they are in a group you have allowed access, they will get an "Access Denied" error when they click on it. Users in the Finance security group will be able to access Finance, but will get Access Denied if they double-click on the Board folder unless they are also in the FinanceBoard security group. You can create one share with many subfolders, all with their own security settings for different groups. Just remember the subfolder inherits the parent's folder permissions by default. It's always easier to assign group access as opposed to individual user access.

Try this link for a better explanation of shares vs. folder permissions.

 
I think you're talking about your NTFS permissions, if that's the case what you're looking for in the Board share is this:

Right click on the folder and go to the security tab and go to the advanced tab, then uncheck the box that says "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here." Then another box will pop up with three buttons, "Copy, Remove, or Cancel." Click Copy. Then you will have the ability to remove everyone from the permissions and add or remove anyone else you want as well.

What happens is that when you have that INHERIT box checked, it transfers the permissions that you have set on the folders above it, so if you have everyone added on the permissions list for the folder above it, it transfers down to the next folder below.

Also, here's some other good tips to remember.

Share permissions add to Share permissions.
NTFS permissions add to NTFS Permissions.

For shared folders you add the NTFS permissions to the Share permissions.

The highest permission takes over the lower permission, however, ANY DENY always overrules ANY allow.



So if you have Bob who has Full Control NTFS permissions to a folder but is DENIED Full Control in SHARE permissions, he will not have access to the folder.

If in another scenario Bob has Read NTFS permissions and he has Change Share permissions, the two combine and then he would have Read and Change permissions.

If you have any person in a group, even if you have them with Full Control, as soon as you deny them a permission, even if it's one, they automatically will not be able to access that folder or file, whatever it may be.

Does that make sense? I hope so. Permissions are so tough.
 
Hi & thanx again for your time... Something very odd is happening here. I have run your suggestions several times yet nothing seems to work on the drive/directory.
If I break it down it's like this:
Drive D: - Not shared but in security tab everyone has full control & nothing inherited.
D:\COMPANY DIR - Sharing, everyone full control & nothing inherited.
D:\COMPANY DIR\Finance\ - Sharing, everyone full control & nothing inherited.
D:\COMPANY DIR\Finance\Board\ - Finance Group & User 7 full control & nothing inherited.

However everyone can still get full access to this folder & create delete files...

I can't see where it's going wrong can you?

Thanx again
G

 
A quick update!
I have tried this on another 2003 server & it works a treat. Both are NTFS and set up identically!!!

Odd
 
Did you make sure that everything is set up identically in each folder on the servers? Perhaps something is different that you're not seeing and that's why it works on one and not the other?? I'm not sure, I guess that the only other thing I would suggest is that since you've tried it on another server and it works, perhaps if you still can't get it to work on the existing server, you could move the folder to the one you got it to work on and you can just set it up there.
 
Hi,
Everything is identical even the patches. I have run thru all sharing & security settings and it's a mirror almost! I even tried to copy the directory over but that didn't work either. I may need to simply add all AD users and deny/allow as required because this doesn't look as though it's going to work.

Many thanx to those who tried to help.

G
 
It's a long shot but might help. Make sure you don't have "creator owner" on anything because this might distort permissions.

Also when you assign new permissions make sure you propagate all the permissions to the child folders.

I had a similar situation to you so I started at the top of the folder tree and worked my way down, adding permissions as necessary. When you get to a folder where access is restricted you effectively prevent inherited permissions, and remove the groups which must not have access.
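
Added example, not posted by anyone in the thread: a PowerShell version of the approach the replies describe (stop inheritance on the restricted folder, drop the existing entries, grant a group), with a listing of the catch-all entries before and after. The CONTOSO domain, the FinanceBoard group and both function names are assumptions; the paths are the ones given in the posts.

```powershell
# Added example. CONTOSO and FinanceBoard are placeholder names (assumptions);
# the folder layout is the one described in the thread.
$Target = 'D:\COMPANY DIR\Finance\Board'
$Grant  = @('CONTOSO\FinanceBoard', 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$Broad  = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
            'CREATOR OWNER', 'CONTOSO\Domain Users')

function Get-BroadAce {
    param([string]$Path)
    # Allow entries held by catch-all principals, and whether each one is
    # inherited from a parent or set explicitly on this folder.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $Broad -contains $_.IdentityReference.Value } |
        Select-Object @{ n = 'Path'; e = { $Path } },
                      IdentityReference, FileSystemRights, IsInherited
}

function Set-RestrictedFolder {
    param([string]$Path, [string[]]$Principals)
    $acl = Get-Acl -LiteralPath $Path
    # Protect the DACL from inheritance; $false discards the inherited
    # entries (the "Remove" choice in the dialog) instead of copying them.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop every explicit entry, so nothing set by hand earlier survives.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRuleAll($ace)
    }
    # Grant Full Control to the listed principals, flowing to subfolders and files.
    foreach ($p in $Principals) {
        $ruleArgs = $p, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# 1. Before: which catch-all entries exist at each level of the path?
'D:\', 'D:\COMPANY DIR', 'D:\COMPANY DIR\Finance', $Target |
    ForEach-Object { Get-BroadAce $_ } | Format-Table -AutoSize

# 2. Restrict the folder, then 3. confirm nothing broad is left on it or below it.
Set-RestrictedFolder -Path $Target -Principals $Grant
@($Target) + @(Get-ChildItem -LiteralPath $Target -Recurse |
        ForEach-Object { $_.FullName }) |
    ForEach-Object { Get-BroadAce $_ } | Format-Table -AutoSize
```

An empty second table means no catch-all Allow entry remains on the folder or anything beneath it; a row with IsInherited set to False points at a child that has its own explicit entry and needs the same treatment.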
 