Re: Folder Access Permissions

Subject: Re: Folder Access Permissions
Posted by:  Isaac Oben [MCITP,MCSE] (isaac.oben@nospam.gmail.com)
Date: Thu, 23 Apr 2009

Hello Phillip,

The behavior you are experiencing is normal. This is because Folder Project
has the Project_People with permissions read and list all files and folders
and if you don't disable inheritance, then all subfolders will inherit
those permissions, which I am thinking is what is happening here. If Bob is
assigned to both groups, the Project_People will take precedence because of
inheritance. You can disable inheritance on the main share or G drive from
propagating to subfolders/files and see if this fixes the issue. To do that,
go to folder properties, advanced tab and uncheck the inheritance box.

Normally, this is how I would configure permissions if I were in your
environment:

Main folder "Project"
    Share Permission: Authenticated Users (Full) and remove everyone else.
    Security (NTFS) Permission:
        Administrator (Full) (Do this only if you want Administrators to
        access share)
        System (Full)
        Owner (Full)
        Authenticated Users (Read & Execute, List Folder contents, Read)
        Remove everything else
        Disable inheritance from propagating to subfolders/files

Sub Folder "12345" etc
    Security (NTFS) Permission:
        Administrator (Full) (Do this only if you want Administrators to
        access share)
        System (Full)
        Owner (Full)
        SecurityGroup_12345: (Assigned permissions as needed)
        Remove everything else
        Do not disable inheritance from propagating to subfolders/files

Isaac Oben [MCITP:EA, MCSE]

"Phillip Armitage" <armitag…@wzmh.com> wrote in message
news:eiWE3tCxJHA.13…@TK2MSFTNGP05.phx.gbl...
> I'm going to admit that I'm new to setting up a Windows 2003 server as a
> file server, and in particular assigning permissions so that users can
> access one set of folders but not another. I've been working with Novell
> for years and have not been running into the issues I'm seeing with
> Windows.
>
> First this server is part of a domain. On the server, in its G drive, I
> create a folder named Projects. Under that folder I create a series of
> project folders. eg. 12345, 23456, 34567
>
> In a Novell world I would create a group named PROJECT_PEOPLE, assign it
> to the Projects folder with rights just to read and list all files and
> folders under the Projects folder. Then for each project sub-folder I
> would create a group with a name identical to the Project sub-folder. eg.
> I would create group 12345, and assign it to folder 12345 with full
> control rights to the folder and its sub folders.
>
> The idea is that, users who are working on project 12345 would be added to
> that group, and would therefore have rights to see all files and folders
> under the Projects folder, but would only be able to work in the 12345
> folder.
>
> I tried doing the same in my Windows AD environment and it didn't work. I
> created AD security groups, added users to them as appropriate, and
> assigned the groups to the folders with the same types of permissions as
> in my Novell system. However, it appears that if user, say, Bob, assigned
> to both groups Project_People and 12345, goes to the 12345 folder, he is
> unable to do anything in said folder but list files. The AD members of the
> groups don't appear to be having their group based permissions accepted.
>
> To get Bob to be able to work in folder 12345, I have to go into the
> Properties - Security tab for said folder, and specifically assign full
> rights to DOMAIN\BOB. This assumes that permissions assigned at the
> Projects folder level don't interfere.
>
> Before anyone asks, when I add users to the groups, I'm specifying AD user
> names, not local user names.
>
> My questions are:
> 1) Is the above normal for Windows in an AD file server environment? The
> groups I create are Global Scope:Global, and Group Type: security
> 2) If not, should I be using something other than AD security groups for
> controlling access rights. eg. should I be using a Distribution Group Type
> instead?
> 3) Anything else I should look into?
>
> I look forward to your response.

In response to

Folder Access Permissions posted by Phillip Armitage on Thu, 23 Apr 2009
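
The NTFS part of the layout described in the reply above, written as PowerShell. This is an added example and not part of the original thread; it does not set the share permission. Assumptions: PowerShell is installed on the file server and run elevated, the path `G:\Projects`, the `DOMAIN\SecurityGroup_12345` name and the `Modify` right are placeholders, "Owner" is read as `CREATOR OWNER`, and "disable inheritance" is read as protecting each folder's ACL from its parent.

```powershell
# Added example: paths, domain and group names are placeholders (assumptions).
$root     = 'G:\Projects'
$projects = @{ '12345' = 'DOMAIN\SecurityGroup_12345' }   # subfolder -> group
$down     = 'ContainerInherit,ObjectInherit'              # folder, subfolders, files
$ruleType = 'System.Security.AccessControl.FileSystemAccessRule'

function New-AllowRule([string]$Identity, [string]$Rights,
                       [string]$Inherit, [string]$Propagate = 'None') {
    # $Inherit 'None' = this folder only; $down lets the ACE flow to children.
    New-Object $ruleType -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

function Set-ExplicitAcl([string]$Path, $Rules) {
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and drop the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # "Remove everything else": clear existing explicit entries first.
    foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

# Main folder: Authenticated Users may list it, on this folder only.
# CREATOR OWNER is left out here because it only takes effect when inherited.
Set-ExplicitAcl $root @(
    (New-AllowRule 'BUILTIN\Administrators' 'FullControl' $down),
    (New-AllowRule 'NT AUTHORITY\SYSTEM' 'FullControl' $down),
    (New-AllowRule 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute' 'None')
)

# Project subfolders: own ACL, flowing down to their subfolders and files.
foreach ($name in $projects.Keys) {
    $path = Join-Path $root $name
    Set-ExplicitAcl $path @(
        (New-AllowRule 'BUILTIN\Administrators' 'FullControl' $down),
        (New-AllowRule 'NT AUTHORITY\SYSTEM' 'FullControl' $down),
        (New-AllowRule 'CREATOR OWNER' 'FullControl' $down 'InheritOnly'),
        # The post leaves these rights "as needed"; Modify is an assumption.
        (New-AllowRule $projects[$name] 'Modify' $down)
    )
    # Verify: every entry should be explicit (IsInherited = False).
    (Get-Acl -Path $path).Access |
        Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

A user added to a group while logged on needs to log off and on again before the new group membership appears in their access token.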