Shares - stuck with Read Only? 1

[madman070578]

I have shared a folder on a drive - the folder is called STAFF - and the share is called STAFF aswell. In this folder I have created folders for all our staff members to use as home directories. I have set up in Active Directory for the user to look to the relevant folder.

I have also set the permissions on each folder - BUT THEY ARE READ ONLY - and I cannot find any way of removing it.

Any ideas?

d.philpin@dewisant.pembroke.sch.uk

 

[ElClap]

I am having similar trouble with this. It has to do with the share permissions as opposed to the folder permissions. If you give the users read only access to the top share then that is the only permission they will ever have to the share. I don't think you can give a person read access to the root share folder and then add more underneath. I'm not sure though.

 

[LaforcE]

1-Right click on then folder
2-Under "Security" click the "Advanced" tab
3-Uncheck to "Allow inheritable permission blablabla"
4-Click on "copy"
5-Check your NTFS permission if they are all ok
6-Now click on the "Sharing" settings and click on the "Permission" tab
7-By defautl everyone is at "Read Only" right.

Maybe thats your problem ...

Hope it help.

Later.


- Security is a never ending job.

 

[ElClap]

Right, but since I have a top folder shared and I don't want a particular user to be able to get into anybodies folder but their own, I give them read access to the share, and full access to their own folder under the share. Since they only have read access to the share, then they only get read access to their folder under the share no matter what I do. If I give them full control, they can get into anybody elses folders as well. I think I'm going to have to make individual shares for everybody that gets their own folder.

 

[ashpp]

Windows 2000/3 works by giving the most restrictive permissions. Share the folder out as Full control, and then remote Everybody from the Security. Create the folders within this and give full control security permissions to each user on their own folder.

 

[LaforcE]

That's right.

The "Good" Ms way is to creat a folder "company" with all the sub folder like technician, manganer, secretary etc ... With permission apliied on foler with the group.

Another Folder called "Users" with all the folder in it with %username% as personal folders.

And a little tricks, never, never give a FULL control to any users. Give them all the right if they nned it, but NOt full controle. Because theyll be able to set permission on other folder, and even remove the admin account and or the backup account.

And youll see a lot of error in the backup process etc ...

Doing so will bring you to anarchy ;P

Good luck!

- Security is a never ending job.

 

[DaWorm]

What I did was the same way mentioned above but the "company" folder did not inherit any attributes from the root (Drive X). From "company", I made my own settings and giving Users "Modify" properties. That solved the read-only issue for "department" sub-folders being read-only for users.

But I'm not optimistic if this is the right thing to do. It was a work around, but may not be the best practice in terms of security.

 

[globalstrata]

Usually, You create a Share with the less restrictive rights that anyone would have within the File tree beneath that folder and then use directory permissions to control the rest of the permissions. The easier way, instead of creating the folders manually, is to:

Go to each user account and under the home directory path type the following: \\server-name\share\%USERNAME%

When you type %USERNAME% as exactly I have it in here, Windows replace this with the real user name, creates a folder named as the User Name and give permissions required for that user. Then you could go and edit the permissions to add any new ones you want.

TIP: Be careful about the Users Local Group.
See thread931-630626


Gladys Rodriguez
GlobalStrata Solutions

http://www.globalstrata.com

 

[ajtmcse]

Important item to add here:

With ANY version of Windows giving a user or group the FULL CONTROL access to a share is a bad idea.

Why? FULL CONTROL to a share allows that user to modify the share itself. (i.e. add users/groups to the share ACL, or even delete the share.)

I would strongly recommend changing non-administrator share ACL entries to CHANGE.

 

[NickFerrar]

As others have said, when there is a combination of Share and NTFS permissions then the most restrictive permissions applies. NTFS permissions in isolation however are different in that the least restrictive applies when you combine NTFS permissions (except for the No Access permission which overrides).

If a user needs change permission on a network folder then they need change permission on the share they access that folder through. Apart from not giving full control on the share you focus you permissions set up at the NTFS level not the share level.

We generally have domain admins full control and Users change on shares and then use AGLP to apply NTFS permissions as restrictively as possible.