When is full control not full control?

iainwatt

MIS
Feb 25, 2002
GB
I have a problem with a user being able to only view the security of a shared folder on a server.

The user has full control of the folder and all its files and subdirectories. The only other group in there is domain admins, so she isn't in another group with a deny permission.

I don't understand it at all. I've tried to take the user out and re-add etc. but it's still not working. Please help before I hit my head against a wall!!!
 
Iainwatt,

Is the user connecting to the share on the machine the folder is on itself or through the share?
If he's connecting to it from another pc, you might want to check out his permissions on the share instead of the folder.
HTH.
 
Thanks Palagast,

The user is connecting to the folder via the share. The share is \\data\users, and the permissions set on that share are everyone change and read. The folder is located under that share, so there are no share permissions to look at. No denys are set up anywhere that I can see, so allows should be fine. I could try changing the share permissions on the user share to everyone full control, but I'm sure that's not the answer as the permissions are cumulative.
 
The subfolder must be set to inherit permissions from its parent, and the parent and/or root share point has to have the rights that you desire the user of the subfolder to have.

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
 
Hi lander215, is there any chance you could break down what you just said?

The share "Users" has the share permissions of everyone change and read + domain admins full control.

The permissions of the folder are set to everyone modify.

The folder "eastern region" is set to domain admins full control, smithro (the user) full control.

All the subdirectories and files are set to inherit the permissions from the eastern region folder. I have checked this and the permissions are there.

Does this sound right?
 
You have to give the user smithro full control at the "Users" share, because Windows uses the most restrictive (between share permissions and security permissions). So if smithro is restricted at the share point to not be able to make changes, then even if you grant smithro full security rights on the subfolder, they're still restricted via the share.

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
 
What Lander215 said.
The permissions are not cumulative, but use the most restrictive.
 
My head hurts!!

I selected full control for the everyone group at the share level on the user folder and now user can make the changes. So yes both Palagast and Lander are right.

I really should have paid more attention in class with permissions, it's just that they get so bloody confusing sometimes!

To be honest I think it's down to the bad way our permissions are set up on the whole of our network. Not really following MS standards, oh well!

Thanks for the help.

Cheers

Iain
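
The behaviour resolved in this thread, modeled as an added example (not code from any poster): Allow entries add up within one layer, and access through the share is the intersection of the share-level and NTFS-level results. The mask values are the standard Windows access masks; the ACL contents and group membership are constructed from the thread's description, and Deny handling is simplified.

```python
# Added example: share + NTFS permission evaluation for the thread's scenario.
# Standard Windows access-mask values; the ACL contents below are constructed.
FULL_CONTROL = 0x1F01FF   # FILE_ALL_ACCESS
CHANGE       = 0x1301BF   # share "Change" / NTFS "Modify"
READ         = 0x1200A9   # share "Read" / NTFS "Read & execute"

# The bits Full Control has that Change does not.
NAMED_BITS = {
    0x000040: "delete subfolders and files",
    0x040000: "change permissions (WRITE_DAC)",
    0x080000: "take ownership (WRITE_OWNER)",
}

def layer_access(acl, sids):
    """One layer (share or NTFS): Allow ACEs matching any of the caller's
    SIDs add up; Deny ACEs then remove bits (simplified: Deny always wins)."""
    allow = deny = 0
    for ace_type, trustee, mask in acl:
        if trustee in sids:
            if ace_type == "allow":
                allow |= mask
            else:
                deny |= mask
    return allow & ~deny

def effective_over_network(share_acl, ntfs_acl, sids):
    """Access through the share is only what both layers grant (bitwise AND)."""
    return layer_access(share_acl, sids) & layer_access(ntfs_acl, sids)

def missing_rights(granted, wanted=FULL_CONTROL):
    """Names of the rights in `wanted` that `granted` lacks."""
    lacking = wanted & ~granted
    return [name for bit, name in sorted(NAMED_BITS.items()) if lacking & bit]

# Constructed from the thread: smithro is in Everyone but not Domain Admins.
SMITHRO = {"smithro", "Everyone"}
NTFS_EASTERN = [("allow", "Domain Admins", FULL_CONTROL),
                ("allow", "smithro", FULL_CONTROL)]
SHARE_BEFORE = [("allow", "Everyone", CHANGE | READ),
                ("allow", "Domain Admins", FULL_CONTROL)]
SHARE_AFTER  = [("allow", "Everyone", FULL_CONTROL),
                ("allow", "Domain Admins", FULL_CONTROL)]

if __name__ == "__main__":
    for label, share in (("before", SHARE_BEFORE), ("after", SHARE_AFTER)):
        eff = effective_over_network(share, NTFS_EASTERN, SMITHRO)
        print(f"{label}: 0x{eff:06X} missing={missing_rights(eff)}")
```

With Everyone at Full Control on the share, the NTFS ACL is the only layer still limiting network access, so it is the one that has to be right.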
 