Re: Folder Permissions

Lanwench [MVP - Exchange] wrote:
mcp6453 <mcp6453@xxxxxxxxx> wrote:
Lanwench [MVP - Exchange] wrote:
mcp6453 <mcp6453@xxxxxxxxx> wrote:

<snipped for length>

Hope this helps.
It helps some, but parts of it I still don't get.
What exactly is confusing? I suggest you start by explaining what
problems you see, and what you want to do to correct them.
I want to understand what permissions to assign to a folder and how
to assign them.

The former depends entirely on your needs. I gave you examples of how I set up permissions. The latter is pretty straightforward - although I understand that inheritence can be a little tricky to grasp at first.

For example, at one point, while logged in as
administrator through a console session, I double clicked on a text
file located in a user's folder. Even as administrator, I was denied
access. I had to take ownership of the folder with the administrators
group rather than as the administrator.


That's because the group Administrators (or the user Administrator) didn't have any inherited or explicitly applied permissions. You don't need to be an owner to *have* permissions - but you need to be an owner to *reset* them.

For another folder, I had to
go into Properties | Security | Advanced and change access to "This
folder, subfolders, and files", and I'm not clear how I did that
(unless it was with edit.)

You did it in the advanced button in the NTFS security window.
The inheritance thing still escapes me. If you will, please give me
an example of when to use inheritance and when to avoid it.

In my example, since I want all user subfolders off of d:\data\users to have different permissions, I don't enable inheritence on them.
In d:\data\shared, I want all users to have access & I want subfolders to *inherit* that access. So, inheritence would be enabled on any new subfolders.

that our system is the simplest installation of all.

Is it? I'm sure there are simpler ones ;-)

The only
terminal services we are using is when I log in remotely to work on
the server. There are no "deny" settings on any folders. The owner of
every folder should be Administrator or Administrators.

No. If a user creates a folder (e.g., a subfolder), the user is going to be the owner. The fact that you as an admin aren't the owner, doesn't mean you won't have access, though.
I realize how it is possible that I stumbled onto a solution to get
access.

? I'm not sure what that means.

In my normal line of work, I can immediately know when a
person asking a question has not mastered the art of the question
being asked. It is not my intent to come to usenet to ask questions
that I should understand. It is my intent to get to the point that I
can say, "oh, that's easy."

I don't know what your normal line of work is, nor what the above paragraph implies. These newsgroups are very useful for specific technical questions, especially with examples, but to learn this stuff you will definitely want to do some reading and experimenting. I don't know of a good book or I'd recommend one.

As in the previous example, the only people who should be able to get
into the "janitor" user folder are Administrators and janitor. No one
else should be able to access the folder. Should CREATOR or SYSTEM be
included? They are not.

As I mentioned, System *should*. As should Administrators. I don't manually set creator owner most of the time. Did you check out the links I posted?

It's frustrating to
come in after someone else who may or may not have known what he was
doing.
Yep, but that gets a lot easier once you feel more confident that
*you* know better. ;-)
Thanks for taking the time.

I hope this has helped.

The "Copy" thing you recommended has been a good idea. Had you not suggested it, I would not have tried it.

With all of the information you posted, I will spend some time going back through it again to better try to understand it. I did read the links you provided, but the problem with most server help sites is that they are often written by people who cannot remember what it was like to try to understand this stuff when THEY were a beginner. Once I totally understand, if I ever do, when I go back and read the information, it will make perfect sense.

For now, everything appears to be working. People who are not supposed to have access, don't, at least as far as my testing goes.


Again, thanks for taking the time.
.

Loading