File Server NTFS Permissions question



I am in the process of reconfiguring a file server for my company. It
is a Windows Server 2003 / Enterprise x64 Edition SP2.

I have created a share called 'Shares' (\\servername\shares) that will
have 3 subfolders that are not shares, just subfolders.

One of these subfolders is named 'Departments' and it represents a
logical division of departments in my company (i.e. Accounting,
Finance, etc.).

Share permissions to the 'Shares' share are:
    Domain Admins = Full Control
    Domain Users = Change | Read

I have a network drive mapped for users to
'\\servername\shares\departments' = K:\
Users will see a list of department folders when browsing to the K:\.
For K:\ the permissions are as follows:

The NTFS permissions on the 'Departments' directory are as follows:
    Domain Admins = Full Control (This Folder, Subfolders and Files)
    Domain Users = DENY -> ('This Folder Only') Create Files / Write Data |
        Create Folders / Append Data | Delete | Change Permissions |
        Take Ownership
    Domain Users = ALLOW -> ('This Folder Only') Traverse Folder /
        Execute File | List Folder / Read Data


Each of the departments will have their own subfolder of K:\ that will
have explicit permissions enforced by global security groups in Active
Directory. For example, I have
'\\servername\shares\departments\accounting' or K:\accounting and the
Accounting group members have access to this directory. NTFS
permissions to K:\accounting would be:
    Domain Admins = Full Control (This Folder, Subfolders and Files)
    Accounting = DENY -> (This Folder Only) Delete Subfolders and Files |
        Delete | Change Permissions | Take Ownership
    Accounting = ALLOW -> (This Folder Only) Traverse Folder | List Folder |
        Read Attributes | Create Files | Create Folders | Write Attributes |
        Read Permissions
    Accounting = ALLOW -> (Subfolders and Files only) Allow is checked for
        everything except for Full Control and Take Ownership

User John Doe (who is a member of the accounting group) is able to
browse/traverse K:\accounting and create subfolders and files. John
Doe is not able to delete the parent folder 'Accounting' or other
department folders that he doesn't have permissions to (which is what
I want). He also is unable to create new folders within K:\ (this is
what I want as well).

However, when John Doe attempts to delete the 'Accounting' parent
folder, it displays this error - "Error Deleting File or Folder -
Cannot remove folder Accounting: Access is denied. Make sure the disk
is not full or write-protected and that the file is not currently in
use." - This is as I would expect, but then it still deletes
subfolders and files within the Accounting folder!! Why???

Shouldn't the subfolders and files remain intact? Is there a way to
prevent this behavior, but still allow users to traverse the K:\?

I would like users to be able to create subfolders and files within
their department folders but they should NOT be able to delete the
parent department folder or create new subfolders in K:\, only within
the department folders.

The reason I have these department folders within the Shared Folder is
that we have many users that need access to multiple department
folders. I don't want to have to map a network drive for each
department folder that a user would require.

Many thanks for your help and insight.
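
Added example, not part of the original post: a simplified Python model of the ACEs listed above, showing that the inherited 'Subfolders and Files only' ALLOW entry carries Delete, so a contents-first recursive delete empties the folder before the DENY on 'Accounting' itself is reached. The right names, the abbreviated rights sets and the sample folder contents are assumptions of the model, not Windows API calls.

```python
# Added illustration: a simplified model of the post's ACEs, not the Windows API.
THIS, CHILDREN = "This folder only", "Subfolders and files only"
READ = {"traverse", "list", "read_attr", "read_perms"}
WRITE = {"create_files", "create_folders", "write_attr"}
DEL = {"delete", "delete_child"}  # Delete | Delete Subfolders and Files
DEPARTMENTS = {"traverse", "list"}  # Domain Users' allowed rights on Departments

def accounting_aces(children_may_delete=True):
    """Accounting group's ACEs on the accounting folder (rights list abbreviated)."""
    inherited = READ | WRITE | {"change_perms"} | (DEL if children_may_delete else set())
    return [("deny", THIS, DEL | {"change_perms", "take_ownership"}),
            ("allow", THIS, READ | WRITE),
            ("allow", CHILDREN, inherited)]

def effective(aces, scope):
    """Rights granted at one scope; a deny beats an allow for the same right."""
    allow, deny = set(), set()
    for kind, applies_to, rights in aces:
        if applies_to == scope:
            (allow if kind == "allow" else deny).update(rights)
    return allow - deny

def can_delete(own, parent):
    # Delete succeeds with Delete on the object itself, or with
    # Delete Subfolders and Files on its parent folder.
    return "delete" in own or "delete_child" in parent

def shell_delete(name, node, own, parent, kids, log, path):
    """Recursive delete, contents before container; True if the entry was removed."""
    full = path + "\\" + name
    emptied = True
    for child in list(node or {}):  # node is None for a file
        if shell_delete(child, node[child], kids, own, kids, log, full):
            del node[child]
        else:
            emptied = False
    removed = emptied and can_delete(own, parent)
    log.append(("deleted" if removed else "denied", full))
    return removed

def explorer_delete(children_may_delete=True):
    aces = accounting_aces(children_may_delete)
    tree = {"budget.doc": None, "reports": {"q1.xls": None}}  # constructed sample
    log = []
    shell_delete("accounting", tree, effective(aces, THIS), DEPARTMENTS,
                 effective(aces, CHILDREN), log, "K:")
    return log

if __name__ == "__main__":
    for outcome, path in explorer_delete():
        print(outcome, path)
```

With `children_may_delete=False` every entry is denied, which also means group members can no longer delete their own files.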


