|Subject:||Folder Access Permissions|
|Posted by:||Phillip Armitage (armitag…@wzmh.com)|
|Date:||Thu, 23 Apr 2009|
I'm going to admit that I'm new to setting up a Windows 2003 server as a
file server, and in particular assigning permissions so that users can
access one set of folders but not another. I've been working with Novell for
years and have not been running into the issues I'm seeing with Windows.
First, this server is part of a domain. On the server, in its G drive, I
create a folder named Projects. Under that folder I create a series of
project folders, e.g. 12345, 23456, 34567
In a Novell world I would create a group named PROJECT_PEOPLE, assign it to
the Projects folder with rights just to read and list all files and folders
under the Projects folder. Then for each project sub-folder I would create a
group with a name identical to the Project sub-folder, e.g. I would create
group 12345, and assign it to folder 12345 with full control rights to the
folder and its sub folders.
The idea is that, users who are working on project 12345 would be added to
that group, and would therefore have rights to see all files and folders
under the Projects folder, but would only be able to work in the 12345
I tried doing the same in my Windows AD environment and it didn't work. I
created AD security groups, added users to them as appropriate, and assigned
the groups to the folders with the same types of permissions as in my Novell
system. However, it appears that if user, say, Bob, assigned to both groups
Project_People and 12345, goes to the 12345 folder, he is unable to do
anything in said folder but list files. The AD members of the groups don't
appear to be having their group based permissions accepted.
To get Bob to be able to work in folder 12345, I have to go into the
Properties - Security tab for said folder, and specifically assign full
rights to DOMAIN\BOB. This assumes that permissions assigned at the Projects
folder level don't interfere.
Before anyone asks, when I add users to the groups, I'm specifying AD user
names, not local user names.
My questions are:
1) Is the above normal for Windows in an AD file server environment? The
groups I create are Global Scope:Global, and Group Type: security
2) If not, should I be using something other than AD security groups for
controlling access rights? E.g. should I be using a Distribution Group Type
3) Anything else I should look into?
I look forward to your response.
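
The layout described in the post, written out as an added example that is not part of the original post: it grants the two kinds of group permission with `icacls`, prints the resulting ACLs, and checks which groups are in a user's logon token. It assumes PowerShell and `icacls` are available on the server, and uses `DOMAIN` as a placeholder for the real domain name, as the post does.

```powershell
# Added example, not from the original post.
# Assumptions: run from an elevated prompt on the file server; DOMAIN is a
# placeholder; folder and group names are the ones given in the post.
$root     = 'G:\Projects'
$domain   = 'DOMAIN'
$readers  = "$domain\PROJECT_PEOPLE"
$projects = '12345', '23456', '34567'

# PROJECT_PEOPLE: read and list on Projects, inherited by all files (OI)
# and sub-folders (CI) beneath it.
icacls $root /grant "${readers}:(OI)(CI)RX"

# One group per project, named after the folder, with full control on that
# folder and everything below it.
foreach ($p in $projects) {
    $folder = Join-Path $root $p
    icacls $folder /grant "${domain}\${p}:(OI)(CI)F"
}

# Print the ACLs that are now in place. Entries marked (I) are inherited
# from the parent. Allow entries are cumulative across every group in the
# user's token, so a member of both PROJECT_PEOPLE and 12345 is expected to
# get full control inside 12345. An explicit deny entry would override that.
icacls $root
foreach ($p in $projects) {
    icacls (Join-Path $root $p)
}

# Run this part in the affected user's own session (Bob in the post), not
# as the administrator. The logon token is built at logon, so a group the
# user was added to afterwards is not listed until the next logon.
whoami /groups |
    Select-String -SimpleMatch -Pattern "$domain\PROJECT_PEOPLE", "$domain\12345"
```

If the last command prints only the PROJECT_PEOPLE line, the user's current session does not carry the 12345 group, and the folder ACL is evaluated without it.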