Re: Folder Permissions.
- From: "Ace Fekay [MCT]" <aceman@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 20 Oct 2009 18:14:06 -0400
"Brent" <somebody@xxxxxxxxxxxxx> wrote in message
news:uSPsyVcUKHA.2836@xxxxxxxxxxxxxxxxxxxxxxx
I am trying to create a folder system where users can put their files on
the network to share with others. BUT! I want to restrict access. For
instance, I want Bob to be able to have full permission to his folder, then
I want Mary to be able to access the folder, but not delete anything.
Here's what I have done so far:
Created a folder for Bob, added the "Everyone Group" giving them "Special
Permissions," then I added Bob with "Full Permissions." I also removed the
option to "Inherit From Parent." The problem is that since Bob is part of
the Everyone Group, it's causing a conflict and he can't delete items.
I'm not heavy in AD, etc. Any ideas on how to fix it?
Brent
Remove Everyone. Use Authenticated Users with Read, Read & Execute, List,
then give Bob FC. No need to go into Advanced other than removing
inheritance. This will give all Authenticated Users (people logged on, but
not the Guest or IIS_USR accounts, etc.). Everyone includes the guest, etc.,
which is why I don't recommend using that security principal. If you want
just Mary to access the folder, and not all authenticated users, remove Auth
Users, and only give Mary those permissions.
Such as:

Parent folder: Data
Shared as Data

Share permissions:
  Remove Inheritance
  Remove Everyone.
  Auth Users = C
  Domain Admins = FC

NTFS (security tab) permissions:
  Auth Users = M (not FC or they can change perms)
  Domain Admin = FC
  Bob = M (not FC or he can change perms)
  System = FC (for the system)

The system evaluates the share perms and the NTFS perms, resulting in the Most
Restrictive. Then the system evaluates the NTFS perms and results in the
Least restrictive. That's why if Bob is in there with Modify, and Auth Users
have R, R&E, L, he has all of them, unless you go into special and deny auth
users the ability to delete or deny something else.
So the only reason Bob can't delete files is if the delete files was denied.
Deny overrides everything, otherwise if there is no Deny on anything,
permissions are accumulated under the ACL (Least Restrictive).
You can also go into Advanced, Effective Permissions, and run Bob and see
what he gets.
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.
Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
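
The evaluation rules described in the reply above, as a small added Python model that is not part of the original post: Allow entries accumulate, a Deny overrides them, and the share and NTFS results are intersected. The rights sets, group memberships and the Deny-delete entry for Everyone are constructed assumptions, and the model ignores ACE ordering, inheritance and ownership, which real Windows access checks also consider.

```python
# Simplified model of share + NTFS permission evaluation (added example).
# Assumption: rights are plain sets; ACE order, inheritance and ownership are ignored.
READ = {"read", "execute", "list"}
MODIFY = READ | {"write", "delete"}
FULL = MODIFY | {"change_permissions", "take_ownership"}
CHANGE = MODIFY  # share-level "Change" is treated like Modify in this model


def acl_rights(acl, principals):
    """Accumulate Allow entries for every principal the user is, then drop
    anything matched by a Deny entry (Deny overrides everything)."""
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in principals:
            (allowed if kind == "allow" else denied).update(rights)
    return allowed - denied


def effective(share_acl, ntfs_acl, principals):
    """Over the network, the result is the most restrictive of the two sets."""
    return acl_rights(share_acl, principals) & acl_rights(ntfs_acl, principals)


# Constructed sample data: group membership for the two users in the thread.
BOB = {"Bob", "Authenticated Users", "Everyone"}
MARY = {"Mary", "Authenticated Users", "Everyone"}

SHARE = [("Authenticated Users", "allow", CHANGE),
         ("Domain Admins", "allow", FULL)]

# Assumed reconstruction of the original setup: Everyone carries a Deny on delete.
NTFS_BROKEN = [("Everyone", "deny", {"delete"}),
               ("Bob", "allow", FULL)]

# Layout from the reply's first paragraph: Auth Users at Read/R&E/List, Bob at Modify.
NTFS_FIXED = [("Authenticated Users", "allow", READ),
              ("Bob", "allow", MODIFY),
              ("Domain Admins", "allow", FULL),
              ("SYSTEM", "allow", FULL)]

if __name__ == "__main__":
    for name, who in (("Bob", BOB), ("Mary", MARY)):
        print(name, "broken:", sorted(effective(SHARE, NTFS_BROKEN, who)))
        print(name, "fixed: ", sorted(effective(SHARE, NTFS_FIXED, who)))
```

In the model, Bob loses delete in the first layout even though he holds Full Control, and in the second layout he gets Modify while Mary ends up with read-only rights.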