2003 file sharing problems

[gstar1703]

Hi,
Windows 2003 server C Drive has only admin share (C$) but directory underneath called "Company Files" has Domain Users full control assigned to it. Underneath that there is a directory named "HR Directory" which I need to give access to 4 people in our company but block out everyone else. If I choose to add these users then deny everyone else it tells me that the block will take precendence if the user is in both groups....
Confused!
Thanx

 

[adcfaq]

Windows 200x is "denying first", say, if you deny everyone, then no one can access that particular folder. 'Coz on the folder DACL, there is a Deny entry on top for everyone denied, therefore, it denies all users(inclu admin).

 

[gstar1703]

Hi,

I fully understand why the "deny access" happens but there must be a simple way of acheiving this without using everyone deny? Its simple file sharing (or it was in 2000!)

Cheers
G

 

[adcfaq]

you don't need to deny everyone, just remove the eveyone retry for that folder. and explicitly assign the users.

 

[gstar1703]

Hi again benlu,

Thanx for your time - Thats exactly what I did first time round. The top level directory has "full control" for all "domain users". The directory underneath has only users who I need to allow access to "Full control". No other users appear here so I presumed that would disable them access but it doesnt!

I'm confused!
G

 

[adcfaq]

really? you did the correct configuration.
hmmmm, maybe use some utility like showacl.exe or xcacls.vbs to pull the ACL out to check.

also, the subfolder, did u block inheritance?

 

[gstar1703]

Things get stranger,
If I go through the network neighborhood it blocks access as required but if user goes thru mapped drive they get full access!!
Is this normal!
G

 

[gstar1703]

Hmmm - Update if anyones interested. It seems that if I add everyone from AD and select "deny" but allow required users "Full control" it works. Seems a strange way to operate especially if you have 1000's of users, so I am sure its not the right way to do it.

Anyone got nay ideas.

 

[AnimusTek]

I would try to manage access like that via groups rather than individually, but that was not your question. If at all possible I would recomend avoiding 'deny' as it is harder to manage.

My advice would be to just set up seperate shares. Make a general purpose share for domain users, and restricted share for HR. That way you can have granualar control over the HR share and it in no way depends on the permissions of the general purpose share.

 

[gstar1703]

Thanx for the suggestion - My users are indeed in groups which makes it slighly easier but its still a pain. Unfortunately the MD wants a single mapped drive for everyone, they then browse to their folder:
i.e - G is the mapped drive to the parent folder called "company files"
G:\HR\
G:\IT\
G:\etc etc etc

The odd things is on our other 2003 NAS device this works by simply selecting allowed users, all other are denied by default!!

G

 

[AnimusTek]

Are you working with both ACLs and sharing permissions? It is a silly question, but it has not been asked yet. Sharing permissions can be left at Everyone:Full Control, and only ACLs used for restricting/allowing access.

The behavior of your other server is correct, and that is how it should work by default.

The scenario you describe is normal/typical, and should not cause any trouble.

Can you campare directory ACLs and Share perms on the two different servers and see where there are differences? I also would check the parent folder of the shares (one level above the shared folder) and see if changes at that level are trickling down.