Setting up file system like netware. 1

[Maxdall]

I am looking to switch file server from netware 5.1 to MS Windows 2k3.
In Netware, my folder structure is such \\main\sys\clients\Altoids\
\\main\sys\clients\FHM\

Within each client folder we have additional subfolders such as
\\main\sys\clients\Playboy\04_accounting
\\main\sys\clients\Playboy\04_ADS
\\main\sys\clients\Playboy\04_Media
\\main\sys\clients\Playboy\04_Marketing

From netware I have an FHM group, a Playboy group and an Altoids group. If someone starts and I put them in the playboy group, they will be able to access \\main\sys\clients\Playboy\ and all subfolders.

If I try to duplicate the netware file structure in windows 2003, I have noticed that if I share a folder, such as Playboy, what shows up is \\FS1\Playboy instead of \\FS1\clients\playboy I’d like it so that \\FS1\Clients\”Whatever client we have” shows up instead of \\FS1\”Whatever client we have” I’d also like to give accounting access to just the \\FS1\\clients\Playboy\04_accounting folder and nothing else, but when I share the 04 accounting folder, it shows up as \\FS1\04_accounting , I’d like it to show up as \\FS1\clients\Playboy\04_accounting Is this possible?



One additional thing I have noticed is that if I have a security group called playboy and playboy has NTFS rights to the playboy folder and I add a user to the playboy group, it takes a long time before the user is able to see the playboy folder, with netware it’s instant. Am I doing something wrong or is that just how it is?

 

[markdmac]

You need to work on locking down the combination of your share and NTFS permissions. The two add together whith the most restrictive setting taking affect.

For example if you were to share a folder and give a user Full Permissions on the share, but only gave the user read only rights on the NTFS, the user would only have NTFS.

It sounds to me like you have gone share happy. For what you are looking to accomplish, give your users a mapped drive to the clients folder by sharing it. When your users open that drive they would see each of the clients. If you really want them to have to navigate through the extra level and see the folder called clients, then put the clients folder in another folder and share the parent folder, but this seems like it would just be creating an extra step for your users needlessly.

Regarding the access time: So long as you are adding a user to a group that already has access then the access should be immediate. Note however that the user will need to log off and back on in order to get their SID with the new group membership. I should also throw out there that depending ont he size of yur network there could be a slight delay of up to 15 minutes due to AD replication. You could force replication in AD Sites and Services if you were in a rush to test. How many domain controllers do you have? Do you typically make changes on a DC that is not a Global Catalog?

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark

 

[Maxdall]

Mark,

Thanks for your response. I have two DC's, I typically make the changes on the GC. What I wasn't doing is logging off/back on. I have worked so long in a Netware environment where it doesn't require logging off in order to see changes, so that is why I didn't know.

With your help I think I have it figured out. I want to share Clients, map a drive to clients and then concentrate on the NTFS rights within each client folder. In our company, account reps work on a few, but not all clients, so I only want the reps to see the client they work on, if I give everyone access rights to the clients level, these all clients beneath the clients folder unless I take away the inheritance rights to a folder and the assign group rights to the client folder.

Example.

\\fs1\clients Accessible to everyone, map a drive, call it T:

Create a folder called playboy in the clients folder, \\fs1\clients\playboy , Take away inherited rights of parent folder on the playboy folder.

Create a group called playboy, assign appropriate reps to the playboy group.

So when someone logs in they will see t:\playboy even though there maybe 20 more clients under the clients folder.

Is there a better way of going about this or is this the way?

Thanks

 

[markdmac]

There is unfortunatley not a way to "hide" a folder. You can have hidden shares (just add a $ at the end of the name). So the way you are doing it is correct. The users will see the client names but unless they have rights within it they can't open the older.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark

 

[Pugman]

Hi Maxdall,

I'm in the process of doing the same switch from NetWare to W2K3. I also want to hide folders that a group/user doesn't have access to. I have finally found a solution at

http://www.scriptlogic.com/eng/products/cloak/.

Yes, it is an add-on, but I haven't found any other way. The cost is $249.00 for 75 users and $499.00 for unlimited. I will probably go this route if I can't find a better (free) way to go.

Good luck.

 

[Houserocker]

we did the same switch last fall (netware to 2k3). We installed cloak a month ago and it seems to work pretty good. it's the only true solution we found so we're happy with it. Easy to install but there's also a patch that needs applied after the intial install. Without the patch, permissions for certian users got weird but after it was applied everything seemed to level out. I recommend it!

I hope that someday we will be able to put away our fears and prejudices and just laugh at people ~ Jack Handy