
Folder Permissions Question - Server 2003

 
 
Mike

 
      12-03-2009
Hi, I have a disk (Windows 2003 Server) set aside for storing files/folders
for all users in our small domain. A few subfolders I want to only allow
access to some users. Is the right way to do this, to add those users
individually to the security of that folder with proper access rights, remove
the inherit from parent folder, and deny the domain\users access - or will
that deny all users access?

I want individual users to have access, but other users to get a permission
denied message if they click on these subfolders.

Thanks for any advice.

Mike

 
Meinolf Weber [MVP-DS]

 
      12-03-2009
Hello Mike,

Domain users include your single accounts also. So if you set an explicit
deny on that folder they are also affected.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm





 
Meinolf Weber [MVP-DS]

 
      12-03-2009
Hello Mike,

Normally you should never work with "Deny". Removing inheritance is ok, then
kick out domain users and add a security group for the users instead of the
account itself. This way you are flexible with just adding members to that
group instead of always changing the user account on that folder.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm





 
Vjekoslav Ribaric

 
      12-03-2009
On Thu, 3 Dec 2009 05:23:01 -0800, Mike wrote:

> Hi, I have a disk (Windows 2003 Server) set aside for storing files/folders
> for all users in our small domain. A few subfolders I want to only allow
> access to some users. Is the right way to do this, to add those users
> individually to the security of that folder with proper access rights, remove
> the inherit from parent folder, and deny the domain\users access - or will
> that deny all users access?
>
> I want individual users to have access, but other users to get a permission
> denied message if they click on these subfolders.
>
> Thanks for any advice.


Don't use the Deny option because it has precedence over the Allow permission. Just
put those users you want to give access in the NTFS permission settings, and
uncheck Inherit from parent....

--
MCSA/MCSE/MCT/CCNA
 
Mike

 
      12-03-2009
Thanks for the reply. OK, so do I just remove the domain\users altogether
from that particular subfolder, and add the individual users/groups that I
want to have access?

Mike


"Meinolf Weber [MVP-DS]" wrote:

> Hello Mike,
>
> Normally you should never work with "Deny". Removing inheritance is ok, then
> kick out domain users and add a security group for the users instead of the
> account itself. This way you are flexible with just adding members to that
> group instead of always changing the user account on that folder.

 
Mike

 
      12-03-2009
Vjekoslav,

Thanks for the reply. It sounds like I would uncheck the inherit from
parent folder, remove the domain\users entirely, and add the individual
domain\username and assign the permissions they need, correct?

Mike


Meinolf Weber [MVP-DS]

 
      12-03-2009
Hello Mike,

Yes, add the user/group and keep administrators and system on the folder
with FC.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Thanks for the reply. OK, so do I just remove the domain\users
> altogether from that particular subfolder, and add the individual
> users/groups that I want to have access?
>
> Mike



 
Vjekoslav Ribaric

 
      12-03-2009
On Thu, 3 Dec 2009 06:48:02 -0800, Mike wrote:

> Vjekoslav,
>
> Thanks for the reply. It sounds like I would uncheck the inherit from
> parent folder, remove the domain\users entirely, and add the individual
> domain\username and assign the permissions they need, correct?


Yes that's it, and it is ok if you have only several users to add, but just
like Meinolf said, for future administration, it is suggested to create an AD
security group and give that group the permissions you want, and then add all
user accounts you want to give access to the particular folder in that
group.

--
MCSA/MCSE/MCT/CCNA
 
Leythos

 
      12-03-2009
In article <66E4B814-1FC1-4255-B73C->,
says...
>
> Hi, I have a disk (Windows 2003 Server) set aside for storing files/folders
> for all users in our small domain. A few subfolders I want to only allow
> access to some users. Is the right way to do this, to add those users
> individually to the security of that folder with proper access rights, remove
> the inherit from parent folder, and deny the domain\users access - or will
> that deny all users access?
>
> I want individual users to have access, but other users to get a permission
> denied message if they click on these subfolders.
>
> Thanks for any advice.


You don't use DENY when you can avoid it.

As for security and how to, using GROUPS and then adding members to the
GROUPS where the security is applied to the GROUP is the best way.

So, let's say you have a network share called ACCOUNTING (Drive T):

You create a security group called SG_Accounting, then add the people
that have permission for the Accounting group to the SG_Accounting group
membership.

On the ACCOUNTING SHARE you uncheck Inherit permissions, select COPY,
remove the "Domain Users" group, then ADD SG_Accounting, you could stop
here, and it would block everyone that isn't a member of SG_Accounting,
but, people that are members can change ownership and access, so you
want to use the Advanced Edit for permissions and remove Take Ownership
and the other one at the bottom of the list - set those to DENY for
SG_Accounting.

If you have a Share called ACCOUNTING and a folder inside ACCOUNTING
called "COMPANY2", and you want to block access to COMPANY2 for some
users, well, I would move COMPANY2 out of the ACCOUNTING share and
create a new share, with a new Security Group...

When you start messing with Deny or different permissions within folders
it can get real messy if you don't keep strict control/track of it.

--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
(remove 999 for proper email address)
 
DaveMills

 
      12-03-2009
On Thu, 3 Dec 2009 06:47:01 -0800, Mike wrote:

>Thanks for the reply. OK, so do I just remove the domain\users altogether
>from that particular subfolder, and add the individual users/groups that I
>want to have access?


Yes, but this is very difficult to maintain. Rather create a local group and set
the permissions to that group. Then add the users and/or global groups to the
local group.

This may seem a lot harder but remember you may want to add a new user (or
group) to have access. You can change the Local group membership in a
millisecond. To add the user/group to 1 million files/folders may take hours.



--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
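
The procedure the replies converge on (break inheritance with Copy, remove Domain Users instead of denying it, grant a security group, keep Administrators and SYSTEM at Full Control), as an added PowerShell example that is not from any poster in the thread. The folder path, the EXAMPLE domain name, the Modify right for the group and an installed PowerShell are assumptions; SG_Accounting is the group name from Leythos's post.

```powershell
# Added example. $Path, $Domain and the Modify right are assumptions;
# SG_Accounting is the group name used in the thread.
$Path   = 'D:\Shares\ACCOUNTING'   # hypothetical folder
$Domain = 'EXAMPLE'                # placeholder domain name
$Group  = "$Domain\SG_Accounting"

# 1. Break inheritance and keep a copy of the inherited ACEs (the GUI's "Copy").
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $true)   # isProtected, preserveInheritance
Set-Acl -Path $Path -AclObject $acl

# 2. Re-read the ACL: the copied ACEs only become explicit once written to disk.
$acl = Get-Acl -Path $Path

# 3. Remove every ACE for Domain Users rather than adding a Deny ACE.
$domainUsers = New-Object System.Security.Principal.NTAccount("$Domain\Domain Users")
$acl.PurgeAccessRules($domainUsers)

# 4. Allow ACEs that apply to this folder, its subfolders and its files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$grants  = @(
    @{ Id = $Group;                   Rights = 'Modify' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Id, $g.Rights, $inherit, $none, $allow)
    $acl.SetAccessRule($rule)   # replaces any existing Allow ACEs for this identity
}
Set-Acl -Path $Path -AclObject $acl

# 5. Verify: list the result and flag Deny ACEs or identities not granted above.
$expected = $grants | ForEach-Object { $_.Id }
$final = Get-Acl -Path $Path
$final.Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
$final.Access |
    Where-Object { $expected -notcontains $_.IdentityReference.Value -or
                   $_.AccessControlType -eq 'Deny' } |
    ForEach-Object {
        Write-Warning "Review ACE: $($_.IdentityReference) $($_.AccessControlType) $($_.FileSystemRights)"
    }
```

Modify does not include Change Permissions or Take Ownership. Step 5 warns about any ACEs copied from the parent for other identities (for example BUILTIN\Users or CREATOR OWNER), which still grant access until they are reviewed and removed.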
 