NTFS permission question... 2

Status
Not open for further replies.

33788

IS-IT--Management
Mar 15, 2005
97
US
I want to set up a network share folder that our Sales department maps to, using AD security groups. Within that folder are sub-folders for each client. You will only have access to manage that client folder if you work on that client.

FOR EXAMPLE:

SALES$
SALES$ > MOBILE HOME DEPOT
SALES$ > WALLYMART
SALES$ > HIGHES
SALES$ > WALBLUES

A user will get access denied if they are not part of the MOBILE HOME DEPOT AD security group, etc... But if you are part of that group you'll have access to modify anything in that MOBILE HOME DEPOT folder. I don't want them to be able to delete the MOBILE HOME DEPOT folder, though, but anything within it they can delete, read, write, etc... Any advice will be greatly appreciated, thanks.

 
Security:

Give all groups FULL CONTROL on the hidden share (SALES$).

On each directory under that share, you will need to configure advanced security. Uncheck "allow inheritable permissions..." and choose COPY when the dialogue box asks. Then REMOVE all groups that are to be DENIED access.

Share Permission:

Ensure that all groups are added to the share permissions with full access.

Hope This Helps,

Good Luck!
 
Thanks for the reply monster. I don't want them to have access to create folders and files in the SALES$. I also don't want them to be able to delete any of the client folders MOBILE HOME DEPOT, WALLYMART, etc... But within the client folders I'd like them to have full access. Sorry for not making it clear the first time. I'm still learning all this stuff. Thanks ahead.
 
Ok. You'll just have to get more advanced in your NTFS permissions.

At the top level (SALES$) in advanced security, just uncheck CREATE FILES and CREATE FOLDERS. Then you'll need to go into each subfolder and ensure FULL CONTROL is given to the desired groups, and DENY is checked for delete operations. Remember to uncheck "allow inheritable permissions" and choose copy, then make your selections. Start at the top level.

There is another way you can go about it, which I'm sure you know. That is to create these shares individually and map drives and set permissions as desired. It will cut down on the complexity of NTFS permissions, especially if you are planning on continuing to create more subfolders with even further advanced permissions. It can get VERY messy!

Hope This Helps,

Good Luck!
 
A star to you monserjta. Good advice.

I'll offer another alternative. Using XCACLS and vbscript you could automate the setup of the NTFS permissions so long as the folder names match the group names.

Use XCACLS to set new permissions for Files and Subfolders of each of the folders to allow the creation of folders and files within the folder. Restrict the access of the folder itself to the group members.

Depending on the number of folders you have, this could be the least amount of effort despite the time it would take you to develop the script, plus it will be easy to run again if/when you have new client folders to set permissions on.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Thanks Mark. Good call. I've included a link for 33788, referencing the XCACLS.VBS tool.


This is a good tool if you need to make advanced NTFS mods often. It's also a nice addition to your unattended install scripts! You deserve a star for the input. [purpleface]

Hope This Helps,

Good Luck!
 
Better allow only Change access to share (otherwise users may be able to change some permissions of files inside share)!
About NTFS permissions:
1. Allow all groups Read and Execute access to root folder of that share (only to that folder, not to subfolders and files).
2. Allow groups Read, Write and Execute access to corresponding folders (subfolders and files also).
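
One way to script the layout discussed in this thread, as an added example that is not code from any of the posters: it uses PowerShell and the .NET ACL classes rather than XCACLS, and gives each group Modify below its client folder so members can delete content inside it but not the folder itself. `$Root`, `$Domain` and the admin principals are assumptions, and each client folder name is assumed to equal its AD group name.

```powershell
# Added example; run elevated on the file server. All names below are assumptions.
$Root   = 'D:\Shares\Sales'      # assumed local path behind the SALES$ share
$Domain = 'EXAMPLE'              # placeholder NetBIOS domain name
$Admins = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

function New-AllowRule($Identity, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

function New-ProtectedAcl {
    # Fresh DACL: inheritance from the parent is blocked, nothing is copied,
    # and the admin principals keep Full Control on the folder and its children.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in $Admins) {
        $acl.AddAccessRule((New-AllowRule $id 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
    }
    $acl
}

$rootAcl = New-ProtectedAcl
foreach ($dir in Get-ChildItem -Path $Root -Directory) {
    $group = "$Domain\$($dir.Name)"
    try {
        # Root, this folder only: list and traverse. No Create Files/Folders and
        # no Delete Subfolders and Files, so client folders cannot be added or removed.
        $rootAcl.AddAccessRule((New-AllowRule $group 'ReadAndExecute' 'None' 'None'))

        $acl = New-ProtectedAcl
        # Client folder itself: browse and create inside it, but no Delete right,
        # so the folder cannot be deleted or renamed by group members.
        $acl.AddAccessRule((New-AllowRule $group 'ReadAndExecute, CreateFiles, CreateDirectories' 'None' 'None'))
        # Subfolders and files only (inherit-only): Modify, which includes Delete.
        $acl.AddAccessRule((New-AllowRule $group 'Modify' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
        Set-Acl -Path $dir.FullName -AclObject $acl
    }
    catch {
        # A folder with no matching AD group is left untouched and reported.
        Write-Warning "Skipped '$($dir.Name)': $($_.Exception.Message)"
    }
}
Set-Acl -Path $Root -AclObject $rootAcl
```

Because every ACE is an Allow entry and groups not listed on a folder simply have no entry, no Deny entries are needed; review the warnings before relying on the result, since skipped folders keep their previous ACL.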
 