Re: Help With Security Issue on Windows Server 2003 Shared Drive
- From: "SBS 2003 User" <user@xxxxxxxxxxxxxx>
- Date: Fri, 26 Jan 2007 10:23:22 -0800
OK John. Here is what I would do, and I suggest you try it, as it is the industry standard in applying share and folder permissions. First off, why are you sharing the DATA parent folder as well as the 6 sub folders? There is no need to share the top level if you are going to share all sub folders.
1. Create your domain groups for the 6 sub folders under DATA. We call them DOMAIN/DATASubFolder1 thru SubFolder6.
2. Add the domain user names that you want in these domain groups.
3. Create corresponding local groups on the file server where the DATA folder exists. LOCAL/DATASubFolder1 thru SubFolder6.
4. Add the DOMAIN groups to the LOCAL groups. Best practice is to control NTFS permissions on file servers with local groups that are populated with domain groups.
NOTE: I personally create both local and domain groups. What is also a good practice is to create access rights groups, both domain and local, such as DATASubFolder1-M, DATASubFolder1-RW, DATASubFolder1-RO. You'll see and understand why further down.
Here's how your folder structure and security should look.
\\DATA             Share=None
                   NTFS=Administrators-FULL / System-FULL / EVERYONE-List and
                        inherit permissions to all child objects.
\\DATASubFolder1-  Share=EVERYONE-FULL
                   NTFS=Administrators-FULL
                        System-FULL
                        LOCAL/DATASubFolder1-M (Modify access)
                        LOCAL/DATASubFolder1-RW (Read/Write access)
                        LOCAL/DATASubFolder1-RO (Read Only Access)
                        CREATOR OWNER
Do the same for the remaining sub folders. They should look identical. On the sub folders you copy the inherited parent folder permissions, then remove EVERYONE-List and apply changes to all child objects below the sub folders.
So you can see why this is best practice? Now when Joe calls up and says he needs Joe2 RO access to the DATA\SubFolder6, all you need to do is go into AD and add him to DOMAIN\DATASubFolder6 group and you're done. This keeps the folder permissions clean and easy to manage. Can you see the picture?
"John N" <JohnN@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:44DA035E-2D4F-4DE5-9744-78EB16523BF0@xxxxxxxxxxxxxxxx
Thanks for your response. Unfortunately, I gave your suggestions a try with identical results.
Let's review for a moment. There are five other folders configured exactly the same way, and work as expected. Despite the fact that the QUICKBOOKS folder is configured exactly as the other five, it blocks users. Either it's a five time fluke, or something else with the quickbooks folder.
"SBS 2003 User" wrote:
Wow, you exemplified the term "overkill". You're doing way too much here. As far as the "shares" go, all you need to do is grant the group EVERYONE "FULL" access. I mean, why add more groups? Everyone is everyone. Administrators have access to all and everything under the root$ so no need to add them.
Now here comes the part that a lot of people do not understand or know about. SHARE permissions will supersede any NTFS file permissions with the least permissive access. Reread that statement. So because you listed READ in the share permissions, this will supersede any and all NTFS folder permissions regardless of whether you give them FULL control. You following me?
Also, to have shares under shares is another overkill. Given what I said, start over with removing all from the share permissions tab and just leave EVERYONE "FULL" access. A lot of your issues are related to the groups having "READ" in the share permissions.
"John N" <JohnN@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:214F6CDC-E3F2-4D97-B34B-CE1B86AD5B62@xxxxxxxxxxxxxxxx
Help With Security Issue on Windows Server 2003 Shared Drive
On a Windows 2003 server running the latest service packs, I have the following configuration setup:
On the root of my E: drive, I have a directory called DATA. The DATA drive is being shared as DATA, with the following share permissions set:
Administrators: Full Control, Change, Read
Everyone: Same as above
GRP-ABR: Same as above
On the file system for the DATA folder, I have all rights granted to Administrators, Everyone, and SYSTEM. CREATOR OWNER has special rights granted.
Underneath the DATA folder, there are six other folders that also have shares associated with them, including one for QuickBooks data called QUICKBOOKS. I am having difficulties with this folder's security, even though the other five folders are configured exactly the same way as I'm about to describe, and are having no difficulties.
As I said earlier, QuickBooks is shared as QUICKBOOKS, and the share has Administrators and Everyone granted Full Control, Change, and Read. The folder itself shows Administrators, with all rights, and SYSTEM, CREATOR OWNER, and a group called GRP-QUICKBOOKS all with all rights except Full control. Membership in the GRP-QUICKBOOKS has been checked and confirmed.
Under advanced, the Allow inheritable permissions... and replace permissions are both unchecked, and the rights are not being inherited. If I checked under the effective permissions tab, user and groups appear to have all the permissions they need.
However, (you guessed it), even members of the GRP-QUICKBOOKS group do not have access to the folder.
Does anyone have a recommendation to explore further to see why this is happening?
Thanks in advance,
John N.
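Added example, not part of the original thread: a small Python model of the access check discussed above, showing how nested domain and local groups resolve to NTFS rights and how the share permission caps the result for network access. It is a simplification (allow-only entries, no Deny, no inheritance); the users joe2, alice and bob and the memberships are constructed, and only a subset of the ACL from the layout in the reply is modelled.

```python
# Simplified model: allow-only ACEs, no Deny entries, no inheritance.
READ, WRITE, DELETE, PERMS = "read", "write", "delete", "change_perms"
SHARE = {"Read": {READ}, "Change": {READ, WRITE, DELETE},
         "Full": {READ, WRITE, DELETE, PERMS}}
NTFS = {"RO": {READ}, "RW": {READ, WRITE}, "M": {READ, WRITE, DELETE},
        "FULL": {READ, WRITE, DELETE, PERMS}}

# Constructed membership: users -> domain groups -> local groups (steps 1-4).
MEMBERS = {
    r"DOMAIN\DATASubFolder1-RO": {"joe2"},
    r"DOMAIN\DATASubFolder1-M": {"alice"},
    r"LOCAL\DATASubFolder1-RO": {r"DOMAIN\DATASubFolder1-RO"},
    r"LOCAL\DATASubFolder1-M": {r"DOMAIN\DATASubFolder1-M"},
}

# Subset of the sub folder ACL in the reply; only LOCAL groups appear on it.
NTFS_ACL = [("Administrators", NTFS["FULL"]), ("SYSTEM", NTFS["FULL"]),
            (r"LOCAL\DATASubFolder1-M", NTFS["M"]),
            (r"LOCAL\DATASubFolder1-RO", NTFS["RO"])]
SHARE_EVERYONE_FULL = [("Everyone", SHARE["Full"])]
SHARE_EVERYONE_READ = [("Everyone", SHARE["Read"])]

def principals(user, members=MEMBERS):
    """The user, Everyone, and every group reached through nesting."""
    found = {user, "Everyone"}
    grew = True
    while grew:
        grew = False
        for group, direct in members.items():
            if group not in found and direct & found:
                found.add(group)
                grew = True
    return found

def granted(acl, who):
    """Union of the rights of every ACE whose principal the user holds."""
    rights = set()
    for principal, ace_rights in acl:
        if principal in who:
            rights |= ace_rights
    return rights

def effective(user, share_acl, ntfs_acl=NTFS_ACL):
    """Access over the network is what BOTH the share and NTFS allow."""
    who = principals(user)
    return granted(share_acl, who) & granted(ntfs_acl, who)

if __name__ == "__main__":
    for user in ("joe2", "alice", "bob"):
        print(user, sorted(effective(user, SHARE_EVERYONE_FULL)),
              sorted(effective(user, SHARE_EVERYONE_READ)))
```

With the share at Everyone-Full the NTFS groups alone decide access (bob, in no group, gets nothing); with the share at Read, alice's Modify on NTFS is cut down to read.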