Re: Folder permissions

From: "Lanwench [MVP - Exchange]" <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 30 Nov 2007 13:29:24 -0500

Adrian Marsh <adrianmarsh@xxxxxxxxxxxxxxxx> wrote:

Hi,

I'm getting some confusing test results on shared folder permissions.

I've a standard "Domain Users" group, of which everyone is a member.
I've a "GGVPs" group of which only certain people are a member
I've a testuser USER, who is a memeber of Users.

I've a share: \\serv1\Public which has R/W to all Domain Users

I need to limit \\serv1\Public\AM_test\folder to Read/write of GGVPs,
but not readable by anyone else.

If I apply a Deny to Domain Users, then no-one in GGVPs can access the
folder.

So I Create the folder as:

Administrators (Full Control - This folder, sub and files))
Creator/Owner (Full control - Subfolders and files only)
SYSTEM (Full Control - This fold, sub and files)

Then if I add "testuser" to GGVPs and add Read access for GGVPs to the
folder, then that user can get in ok.

Heres where it goes strange. If I remove testuser from the GGVPs
group, that user can STILL get in. If I remove GGVPs, then that user
can't get in... and if I then add the group again, then testuser can
still access it, even though its not a member of GGVPs anymore.

Any chance theres some caching going on?

No, it's because you're using Domain Users - and creator/owner is weird &
hard to understand. To keep things simple & make this work more easily for
you, I suggest a couple of things -

a) Don't use Domain Users (or creator/owner) for your any permissions
settings on folders you create/share. Create your own groups to use, remove
Domain Users. I create an AD security group called "Companyname Staff" and
use that, as my general group. Plus others (Management, Accounting, HR,
whatnot).

b) Don't get into the business of applying different security for different
subfolders within a single shared folder.....it will lead to madness. Create
additional shares at the same level, instead. If you have a folder called
PUBLIC, and you have subfolders containing data that not everyone who sees
PUBLIC should be able to access, don't put them there - create additional
shares. I tend to set up folders called Shared (\\server\shared%$),
Management (\\server\management$), Accounting (\\server\accounting$) and so
forth - with the appropriate groups granted permission to each.

You should try posting in m.p.windows.server.general for more help ....this
isn't SBS specific, and you may as well cast a wider net.

.

References:
- Folder permissions
  - From: Adrian Marsh

Prev by Date: Citrix & Sonicwall
Next by Date: Re: Security and Folder Redirection
Previous by thread: Re: Folder permissions
Next by thread: Re: Folder permissions
Index(es):
- Date
- Thread

Relevant Pages

Re: OWA distorted
... I have added the domain users, users, Authenticated Users in the securit ... on the bin folder if that will help in any way. ... if you hadn't changed the account used for Anonymous Access. ...
(microsoft.public.exchange.admin)
Re: xp pro, granting domain user access to local resources?
... computers are members of the domain, and I've set up domain users for each computer. ... I have a USB scanner installed on one computer, and when a user logs on to the local machine, they can access the scanner, but if they log on using the domain account, they get an error when the scanner application tries to load the USB drivers for the scanner. ... "If your game or application works with admin accounts, but not with limited accounts, you can fix it to allow limited users to access the program files folder with "change" capability rather than "read" which is the default. ...
(microsoft.public.windowsxp.security_admin)
Re: Shared Folder NTFS Permission Problems with Domain Accounts
... I just tried sharing the folder using Domain Users and it did indeed work. ... Odd thing was though that the domain was already in Server 2003 native mode. ... You cannot use LOCAL groups of the domain on non-DCs unless you are ...
(microsoft.public.windows.server.general)
Re: Specific folder permission only?
... When you have shares for your users or branches etc. configured, you should create your own security groups to configure NTFS permissions on the folders that fit for your needs. ... Domain guests have the same permissions as the domain users. ... I'm aiming to have a specific user to access only 1 folder that's ...
(microsoft.public.windows.server.active_directory)
RE: Folder Redirection Problem
... redirection on one of the domain users? ... and then click Resultant Set of Policy. ... Please make sure that "Redirect the folder back to the local ...
(microsoft.public.windows.server.sbs)