Windows Vista Tips

Re: share folder permissions

 
 
Ace Fekay [MVP-DS, MCT]

03-20-2010

> Hi all.
>
> First of all, if this is not the appropriate group for this topic,
> please point to the right one.
>
> What I need is to share a folder with the next permissions:
>
> A Group -> Full control over ALL the sub-folders and files.
> B Group -> Read only permissions over ALL the sub-folders and files
> C Group -> Full control over SOME sub-folders & files only, and Read
> only over all others files and folders
>
> I don't have problems setting permissions with the A & B groups ;-)....
> But how can I accomplish the configuration for Group C?
>
> I've tried combining sharing and ntfs permissions, but I think I'm
> just messing things up.
>
> Thanks in advance.
> Robert


Here's an overview.

How to set, view, change, or remove special permissions for files
....Folder permissions include Full Control, Modify, Read & Execute,
List Folder Contents, Read, and Write. Each of these permissions
consists of a logical ...
http://support.microsoft.com/kb/308419

Also, you need to remove the Everyone group, otherwise that may
interfere or allow others to read stuff who are not supposed to get
into the folder structure. To do that, you need to uncheck inheritance,
then manually add the groups you want to allow. Don't forget to keep
System and Domain Admins in there as FC.

For Group C, assuming you've unchecked inheritance, you can go into
each subfolder and add GroupC. If you have inheritance still enabled,
then at the parent folder add GroupC providing Read only; then for each
subfolder where they need additional permissions, go into it and check
off what they need in addition to what's been inherited.

As for the Share permissions, you must allow the greatest amount of
permissions in the subfolder structure, or they will not get it.
Usually we just add Domain Admins FC, and Authenticated Users, Change.
Then whatever is set in the folder structure using NTFS will dictate
their effective permissions. This is because the system will look at
the Share permissions and combine any groups you've added. If a user is
part of more than one group, they will get all of them. This is called
the Least Restrictive. Then it looks at the NTFS permissions; the same
thing goes, providing the Least Restrictive. Then it combines each
evaluated Least Restrictive permission and provides the MOST
restrictive.

For example, if Joe is part of Sales and Accounting, and Sales has
Share permissions Change, and Share permissions Read, then his Least
Restrictive is Change. In the NTFS permissions Sales and Accounting
both are set to Read only. So the NTFS Least Restrictive is Read. Then
it combines the two, and it comes up with Joe having Read, which is the
Most Restrictive.

Here are more examples:
==================================================================
Share Permissions and NTFS Permissions Folder Access Control & Folder
Permissions

The easiest way to do it is with groups.

Keep in mind for the following that Share permissions allow the
initial connection. Then the NTFS permissions are combined with the
Share permissions to provide the Most Restrictive. This means that if a
user has Full Control on the Share permissions, and Read on the NTFS
permissions, the Effective (resulting) permission is that the user will
only have Read. That's why we can set higher Share permissions at the
parent for the initial access, then control the resulting or Effective
permissions with NTFS. No passwords are needed other than the user
being successfully logged on to the domain. When a user is logged on
successfully to a domain, an access token is given to the user account.
The access token is compared to the ACL (Access Control List) in the
Share and NTFS (security tab) permissions to determine access. That's
why no passwords are required, and it is much easier than trying to deal
with multiple passwords. The system simply uses the AD user account for
access enumeration.

Let's say you have the following structure.

Office Data
Accounting Folder
Marketing Folder
Sales Folder
Operations

Your users are as follows. They require access to their respective
folders but to no others.
Joe and Sally are accountants.
Bob and Sue are Marketing reps.
Tom and Jerry are in sales.
Wyle E and the Road Runner are in operations.

You create the following groups and add the appropriate users into
those groups.
Accounting Group
Marketing Group
Sales Group
Operations Group

Then you share the Office Data folder, but not the others below it. You
set the Share permissions and NTFS (security tab) permissions as
follows:

Office Data Folder:
Sharename = Office Data
Share Permissions on the Office Data Share:
Domain Admins = FC
Authenticated Users = Change

The following are the NTFS (security tab) Permissions you will set.
This is assuming the respective users will require read/write access to
their respective folders. If they only need Read, then alter the Modify
permissions in the suggested instructions below to Read, Read +
Execute.

It is important that inheritance is disabled, as stated below for each
folder, so that you can remove the default Everyone or Domain Users, if
they exist. Otherwise, that will thwart security control.

Office Data Folder
Click Advanced, uncheck Inherited, click on Copy when the message
pops up
Remove Everyone and Domain users. Leave everything else. Add the
following:
Domain Admins = FC
Authenticated Users = Modify

Accounting Folder:
Click Advanced, uncheck Inherited, click on Copy when the
message pops up
Remove Everyone and Domain users. Leave everything else. Add
the following:
Domain Admins = FC
Accounting Group = Modify (not full control)

Marketing Folder:
Click Advanced, uncheck Inherited, click on Copy when the
message pops up
Remove Everyone and Domain users. Leave everything else. Add
the following:
Domain Admins = FC
Marketing Group = Modify (not full control)

Sales Folder:
Click Advanced, uncheck Inherited, click on Copy when the
message pops up
Remove Everyone and Domain users. Leave everything else. Add
the following:
Domain Admins = FC
Sales Group = Modify (not full control)

Operations:
Click Advanced, uncheck Inherited, click on Copy when the
message pops up
Remove Everyone and Domain users. Leave everything else. Add
the following:
Domain Admins = FC
Operations Group = Modify (not full control)

With the permissions set as suggested, Bob in Marketing cannot access
any other folder other than Marketing, and Jerry in Sales cannot access
anything else other than Sales. They can see the other folders, but
they simply can't get into them.

If just Bob in Marketing needs Read Only access to the Sales folder,
simply create an additional group, and call it "Marketing Group Access
to Sales Folder," and place Bob in that group. Then in the NTFS
(security tab) permissions, add the "Marketing Group Access to Sales
Folder" group to the Sales Folder group, and set the permissions to
Read and Read + Execute. This way Bob has read only permissions to see
the files in that folder.

======
Regarding Read and Read/Execute Permissions:

If an exe needs to be run, a user will need Execute, otherwise Read
will suffice. You can view the specific permissions set by going into
Advanced to see exactly what permissions are being provided. The ACL
(the first list of permissions) is standard pre-canned permissions.
Advanced will show you specifics. You can also set permissions in
Advanced, but you must understand what they mean. If you do it in
Advanced, and hit OK, the ACL will show "Special Permissions" because
what you set in Advanced does not equal any of the pre-canned
permissions the system provides.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit
among responding engineers, and to help others benefit from your
resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE
& MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance,
please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
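To make the evaluation order Ace describes concrete (Least Restrictive within the Share layer, Least Restrictive within the NTFS layer, then the Most Restrictive of the two), here is an added PowerShell example that is not part of the original post. It models each layer as a simple allow-list keyed by group and applies the two rules to Joe's case and to Bob's case from the post. The group names and ACL contents are constructed for illustration (the post only states Sales' share entry explicitly; Accounting having Read on the share is an assumption), and the model covers Allow entries at the standard levels only. Deny entries and the individual advanced rights that Windows also evaluates are out of scope.

```powershell
# Added example (not from the original post): a simplified model of the
# share-plus-NTFS evaluation described above. Covers Allow entries at the
# standard levels only; Deny ACEs and individual advanced rights, which
# Windows also evaluates, are out of scope here.

# Rank the standard levels so that "least restrictive" = highest rank.
# Share-level "Change" and NTFS-level "Modify" sit at the same rank.
$script:Rank = @{
    'None'        = 0
    'Read'        = 1
    'Change'      = 2
    'Modify'      = 2
    'FullControl' = 3
}

function Get-LayerAccess {
    # Least restrictive level granted to any of the user's groups within one
    # layer (share ACL or NTFS ACL). Groups with no entry contribute nothing.
    param([hashtable]$Acl, [string[]]$Groups)
    $best = 'None'
    foreach ($g in $Groups) {
        if ($Acl.ContainsKey($g) -and $script:Rank[$Acl[$g]] -gt $script:Rank[$best]) {
            $best = $Acl[$g]
        }
    }
    return $best
}

function Get-EffectiveAccess {
    # Combine the two layers: the more restrictive one wins for access over
    # the share. (A user logged on locally to the server is only subject to
    # the NTFS layer, since no share is involved.)
    param([hashtable]$ShareAcl, [hashtable]$NtfsAcl, [string[]]$Groups)
    $share = Get-LayerAccess -Acl $ShareAcl -Groups $Groups
    $ntfs  = Get-LayerAccess -Acl $NtfsAcl  -Groups $Groups
    $effective = if ($script:Rank[$share] -le $script:Rank[$ntfs]) { $share } else { $ntfs }
    [pscustomobject]@{ Share = $share; Ntfs = $ntfs; Effective = $effective }
}

# Joe's case from the post, with constructed ACLs: Sales has Change on the
# share and Accounting has Read (assumed); both groups have Read in NTFS.
$shareAcl = @{ 'Sales' = 'Change'; 'Accounting' = 'Read'; 'Domain Admins' = 'FullControl' }
$ntfsAcl  = @{ 'Sales' = 'Read';   'Accounting' = 'Read'; 'Domain Admins' = 'FullControl' }
Get-EffectiveAccess -ShareAcl $shareAcl -NtfsAcl $ntfsAcl -Groups 'Sales', 'Accounting'

# The pattern the post recommends: a wide share (Authenticated Users =
# Change) with NTFS doing the real work. Bob, who is only in Marketing,
# gets nothing on the Sales folder even though the share lets him connect.
$wideShare = @{ 'Domain Admins' = 'FullControl'; 'Authenticated Users' = 'Change' }
$salesNtfs = @{ 'Domain Admins' = 'FullControl'; 'Sales Group' = 'Modify' }
Get-EffectiveAccess -ShareAcl $wideShare -NtfsAcl $salesNtfs -Groups 'Authenticated Users', 'Marketing Group'
```

The first call reports Share = Change, NTFS = Read, Effective = Read, which is the outcome the post walks through for Joe; the second reports Effective = None for Bob on the Sales folder, which is why the post can leave the share wide and tighten everything with NTFS.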

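The folder-by-folder GUI procedure above (share the root, then on each folder uncheck Inherited, click Copy, remove Everyone and Domain Users, add the explicit entries) can be scripted so it is repeatable and auditable. The following is an added example, not code from the original post: it uses icacls.exe for the NTFS side and the SmbShare module (Windows Server 2012 or later) for the share; on a 2008-era host the share step would be done in the GUI as the post describes. The domain name CONTOSO, the path D:\OfficeData and the group names are assumptions taken from the post's example layout, and the groups are assumed to already exist in AD.

```powershell
# Added example, not from the original post. Run as an administrator on the
# file server. Assumptions: domain NetBIOS name CONTOSO, tree under
# D:\OfficeData, and the AD groups named below already exist.
$Domain = 'CONTOSO'
$Root   = 'D:\OfficeData'

# Subfolder -> group, from the post's example layout.
$Depts = [ordered]@{
    'Accounting' = 'Accounting Group'
    'Marketing'  = 'Marketing Group'
    'Sales'      = 'Sales Group'
    'Operations' = 'Operations Group'
}

function Set-RestrictedFolderAcl {
    # Applies the post's three GUI steps to one folder:
    # uncheck Inherited + Copy, remove Everyone / Domain Users, add entries.
    param(
        [string]$Path,
        [string[]]$GrantEntries   # icacls grant specs, e.g. "CONTOSO\Sales Group:(OI)(CI)M"
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    # /inheritance:d = disable inheritance and keep a copy of the inherited
    # entries (SYSTEM and CREATOR OWNER survive, as "leave everything else" says).
    icacls $Path /inheritance:d | Out-Null
    # Remove the broad groups that would otherwise let anyone in. /remove
    # succeeds even when the entry is absent, so the script can be re-run.
    icacls $Path /remove 'Everyone' "$Domain\Domain Users" | Out-Null
    # (OI)(CI) makes an entry flow to files and subfolders;
    # F = Full Control, M = Modify, RX = Read & Execute.
    $grants = @("$Domain\Domain Admins:(OI)(CI)F") + $GrantEntries
    icacls $Path /grant $grants | Out-Null
}

# Root folder. The Authenticated Users entry is deliberately "this folder
# only" (no (OI)(CI)) so it is not copied into the subfolders when their
# inheritance is broken below. The post grants Modify here; RX is enough if
# users only need to traverse to their own department folder.
Set-RestrictedFolderAcl -Path $Root -GrantEntries 'NT AUTHORITY\Authenticated Users:M'

# Each department folder: Domain Admins FC plus its own group with Modify.
foreach ($dept in $Depts.Keys) {
    Set-RestrictedFolderAcl -Path (Join-Path $Root $dept) `
        -GrantEntries "$Domain\$($Depts[$dept]):(OI)(CI)M"
}

# Bob's exception from the post: a dedicated group with read-only rights on
# the Sales folder, added on top of the entries already set.
icacls (Join-Path $Root 'Sales') /grant "$Domain\Marketing Group Access to Sales Folder:(OI)(CI)RX" | Out-Null

# Share only the root (the post shares "Office Data", not the subfolders):
# Domain Admins FC, Authenticated Users Change; NTFS then decides the rest.
if (-not (Get-SmbShare -Name 'Office Data' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Office Data' -Path $Root `
        -FullAccess "$Domain\Domain Admins" `
        -ChangeAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
}

# Check the result: each folder should list only the entries set above plus
# the copied system entries, and no Everyone or Domain Users.
foreach ($p in @($Root) + @($Depts.Keys | ForEach-Object { Join-Path $Root $_ })) {
    icacls $p
}
```

The final loop prints every folder's ACL so the Everyone and Domain Users removal can be verified at a glance; the same icacls listing is the quickest way to confirm, on an existing server, whether a broad inherited entry is what is undoing an intended restriction.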

 