
Folder permissions to over-ride Share permissions

thedaver

IS-IT--Management
Jul 12, 2001
2,741
US
Goal: Use NTFS folder permissions set by Active Directory groups to over-ride (restrict) access for a shared folder sub-tree.

Share Approach: Create share at top of folder tree, group "Everyone" gets "read" Share permission

Folder Security: Inheritance of NTFS permissions is turned off at all levels of the tree.

Sub-Folder control: A specific subfolder has Active Directory resource groups that control Read or Read/Write to the folder with a "Deny" mode for all others.

Concern: We don't know how to implement a group control that creates a "Deny all" default position that is then superseded by the resource group that allows certain members to Read/write.

QUESTION: How do you typically constrain a specific NTFS sub-folder to NOT have the same open Read permissions as the file share specifies AND also identify groups that have RW or R permissions in that folder?





D.E.R. Management - IT Project Management Consulting
 
If there are RW folder permissions for one group and R share permissions for Everyone, the more restrictive will be applied when accessing this folder from the network. So members of this group will have R access for all folders in this share.

There is no need to use Deny permissions, if you give R permissions to one group only. Other users cannot access this folder anyway.

===
Karlis
ECDL; MCSA
 
I can try and explain how we manage shared folders/permissions in our environment.

First off, "share permissions" have no useful application (at least to me) in an AD environment, so I (and most others I think) do not use them. You cannot disable share permissions, but you can make them inactive by giving Everyone full access (meaning, read/write).

You should rely solely on NTFS permissions to control access. Share permissions only prevent a user from accessing that share. If another share existed, say on the folder above, the user could potentially have rights to the stuff below.

Anyway, you said you wanted to use NTFS permissions. I try not to use the "Deny" column, as it tends to confuse things.

Basically, what we do is this. The parent folder at the top of the tree, turn inheritance off to that folder (so it gets nothing from above) and Remove permissions when it asks. You can choose to Copy if you want, and just remove what is not needed (maybe just leave Domain Admins and System?). Since we did not turn off inheritance below (yet) these changes will cascade down, leaving only System and Domain Admins with any rights.

So as of now, no users can get in. You would then add, at the root folder, the rights that you want all users to have (maybe list rights?). You could then turn off inheritance at any folder that you want restricted to a certain group, and add in the group that you do want access to.

I have to run, but I will try and post some more tomorrow - just let me know if anything I've said makes sense, I'm kind of typing in a rush...



Thanks,
Andrew

[smarty] Hard work often pays off over time, but procrastination pays off right now!
 
Thanks for the help. You gave us the ammo to finally track down our problem. Many folders had previously inherited the "special" property for the host's Users group - and we believed that this had been undone.

It wasn't evident until we went into the folders' Security|Advanced option that we began to see where our well-thought-out security model was being compromised by previously inherited "Special" permission. We had to remove and re-add the group with the proper permissions and then everything came into line.

HTH someone else.

D.E.R. Management - IT Project Management Consulting
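
The allow-only layout discussed in this thread, scripted as an added example (not code from any poster): inheritance is broken at the root and at the restricted subfolder, only Allow ACEs are granted, and the tree is then checked for leftover `BUILTIN\Users` entries like the one found in the last post. The paths, the `CONTOSO` domain and the group names are placeholders assumed for illustration.

```powershell
# Added example. Paths and group names are placeholders (assumptions); run elevated.
$Root       = 'D:\Shares\Projects'         # top of the shared tree
$Restricted = Join-Path $Root 'Finance'    # subfolder limited to resource groups
$Admins     = 'CONTOSO\Domain Admins'
$AllUsers   = 'CONTOSO\Domain Users'
$RwGroup    = 'CONTOSO\RES-Finance-RW'
$RoGroup    = 'CONTOSO\RES-Finance-R'

# Build an Allow ACE; by default it applies to this folder, subfolders and files.
function New-AllowAce([string]$Identity, [string]$Rights,
                      [string]$Inherit = 'ContainerInherit,ObjectInherit') {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, 'None', 'Allow')
}

# Replace a folder's DACL with exactly the given ACEs and stop inheriting from above.
function Set-ExplicitAcl([string]$Path, [object[]]$Rules) {
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)     # block inheritance, drop inherited ACEs
    foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }  # drop explicit ACEs
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

# Root: admins and SYSTEM get full control, ordinary users may only list folders.
Set-ExplicitAcl $Root @(
    (New-AllowAce 'NT AUTHORITY\SYSTEM' 'FullControl'),
    (New-AllowAce $Admins 'FullControl'),
    (New-AllowAce $AllUsers 'ReadAndExecute' 'ContainerInherit')
)

# Restricted subfolder: only the resource groups are listed, so no Deny ACE is needed.
Set-ExplicitAcl $Restricted @(
    (New-AllowAce 'NT AUTHORITY\SYSTEM' 'FullControl'),
    (New-AllowAce $Admins 'FullControl'),
    (New-AllowAce $RwGroup 'Modify'),
    (New-AllowAce $RoGroup 'ReadAndExecute')
)

# Audit: report any ACE still naming the host's Users group, and whether it is inherited.
@(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Directory -Recurse) | ForEach-Object {
    $path = $_.FullName
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' } |
        Select-Object @{ n = 'Path'; e = { $path } }, FileSystemRights, IsInherited
}
```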
 