Secure specific folders on server...?

[CadMaster]

i have folders on the server that have subdirectories under them... each folder has a different name, but all directories below the different named folders are the same (Folder 1, subdirectory A,B,C Folder 2, Subdirectory A,B,C Folder 3, Subdirectory A,B,C... etc...) ... 3 poeple log into this server... Chris, Tom, Mary.... I only want Mary to access Subdirectory C of all folders.... is it possible to do that? i obviously used simple names/examples above, but the actual folder i am trying to keep people out of is my "INVOICES" subdirectory... but new folders are added several times a week...

i am trying to make it so only windows lets MARY access any subdirectory called INVOICES automatically... w/out doing the custom settings each time a folder is added to keep everyone else out....

Thanks
Cadmaster

 

[krenkey]

So basically what you want to do is have share level access to a folder. in the parent folder check off the box that says inherit permissions from parent folder. then go into each of the folders and change the permissions of each of the folders to allow the user or users to access and what they are allowed to do in that folder. IE : Read or read write or nothing. all thesee options are in the securities tab of each folder.

 

[smah]

http://www.practicallynetworked.com/sharing/xp_filesharing/index.htm

will explain how to set NTFS access permissions for each user, but this could possibly need to be set each time a folder is added. How are the folders added? Setting the permissions correctly on a 'master' set of folders & copying to the 'new' set, should keep the same permission settings.

 

[CadMaster]

your saying i can make a folder "invoices" and set its security to where i am the only person that can access it.... then i can copy it to a new folder (which "Invoices" would now be a subdirectory) and it would retain its security user rights?? that would work....
in my office i have 4 total computers... 3 are stations being used and the 4th is the server.. no one uses it, it just stores the files....
can i make this foler on my station, then copy it each time i make a new folder on the server?

thanks
tony

 

[krenkey]

yes that would work. You can even limit it down to a single file within a folder.

 

[smah]

Assuming this is a workgroup environment, I'm not sure that the permissions would be retained when copying to a different machine (even with the same usernames, each machine will have a differen SUID for each username). I suggest keeping the 'master' folders on the server where the 'operating' folders will reside. Using the naming scheme from your first post, I envision something like this:

Server
|
|-Master folder
| |
| |-Sub A
| |-Sub B
| |-Sub C
|
|
|-Folder 1
| |
| |-Sub A
| |-Sub B
| |-Sub C
|
|-Folder 2
| |
| |-Sub A
| |-Sub B
| |-Sub C

The NTFS permsisions should be set something like this (adjust as neccessary):
Master folder
Do not inheret permissions, all users read access
Sub A
all users write access (my assumption, you haven't stated requirements)
Sub B
all users write access (my assumption, you haven't stated requirements)
Sub C
Mary write access (my assumption, might be read-only)
Remove 'everyone' and/or 'user' group permissions
you write access (my assumption)
Here you also set specific 'deny' permissions which will override any other 'allow' permissions.

Each time that you need a new set of folders, just copy the Master set & give it the next folder name.

 

[smah]

A little bit more clarification about the permissions: the Master folder should have your username set with full control, but everyone else read only to prevent any inadverant changes. You may need to more specifically define some of the other permissions based on your requiements & remember to be careful about group permissions, especially if all your users are members of the administrator group. The link I posted above covers permission explanation quite well.

 

[CadMaster]

excellent.... i will try this when i get into work monday morning... i appreciate the knowledge..

thank you
tony

 

[CadMaster]

ok... i made a new folder/tree.

1- master
2-sub directory
3-sub directory
4- CORRESPONDENCE
-INVOICES

under invoices security, i added 3 names, each w/ all deny.. i added mine, full control.. unselected the INHERIT PROPERTIES OF PARENT FOLDER..

when i copy master to new directory in same hard drive.. the INVOICES loses all security permissions.. goes back to just EVERYONE.. all names are gone...

am i doing anything wrong?

thanks
tony

 

[smah]

I assume that you're trying to do this from Windows Explorer. Although I think there must be a way, my experimenting has resulted in exactly what you're describing when trying to copy within Explorer. However, it can be done using the /O option of xcopy (for more options type xcopy /? at the command prompt).

So then, I created a very simple batch file which I named newfolder

echo off
REM ***************************
REM batch file newname.bat
REM used to create new working folder structure
REM with same ACL permissions as folder set MASTER
REM using input parameter as new folder name
REM ***************************
if (%1) == () goto noname
xcopy master %1 /O /E /I /Q
if  errorlevel  1  goto  error
echo Successful creation of folder set named %1
goto end
:noname
echo New foldername is required
echo Folder creation failed
goto end
:error
echo Folder creation failed for some unknown reason
:end
pause

So then just open a command prompt wherever you put the batch file & type newname newfolder where newfolder is the new foldername that you want. You can add directory paths as needed & you might want to add some checking to see if newfolder already exists (the error portion doesn't seem to catch that condition for some reason), etc, etc. I'm sure someone else could make this much more elaborate.

 

[Freestone]

Just to elaborate on smah's post:

How permissions are handled when you copy and move files and folders

http://support.microsoft.com/default.aspx?scid=kb;en-us;310316

 

[CadMaster]

i tried the batch file and it worked... it seems i am able to be at my computer (rather than the server) and execute the batch file...
a couple of questions..
- how do i set the user permissions to be able to rename folders above the subdirectory of invoices.. for example; after i copy the main parent folder i rename the new parent folder to the specific job name.. or sometimes it changes later... do i have to be the one to rename the file? or can i set the other users to be able to rename the directory, or directories above that but not b able to view the contents of the invoices folder... i dont even care that they see whats in the folder, but not open any actual invoice files..

i really appreciate what u've all done.. thanks for the help..
tony

 

[smah]

You'll have to check, but I believe that the ability to rename will require 'full control'. Try it & find out. Just be careful of inherited permissions & test thoroghly.

 

[smah]

One more thing - don't forget about Group permissions. These could be helpful to you by defining groups of users & setting permissions that way (ease of management). Group permissions can also be harmful if you forget who the members are and accidentally give someone the wrong permissions because they are a member of a group.