What am I doing wrong? DFS Folder/File permissions

Discussion in 'Windows Server' started by mike79, Jun 1, 2007.

  1. mike79

    mike79 Guest

    Hi everyone,

    I can't figure out what I'm doing wrong here. If someone can PLEASE help me
    out, I'd greatly appreciate it.

    This is on Windows Storage Server 2003 R2
    I have a DFS root and a bunch of shared folders. I created a new folder
    called "home." Next, I created a few home shares on the drive. d:\Home1,
    Home2, Home3 and Home4. I then created subfolders in DFS called Home1,
    Home2, etc. I set the target folders to the respective drive folders.

    So,

    \\root\home
    That is the master folder that will display the 4 home folders.

    \\root\home\Home1 links to the D:\Home1 folder.
    \\root\home\Home2 links to D:\Home2

    And so on.

    Now... in a 'normal' world, the way I would set permissions is to set share
    permissions to be wide open, and then handle the security by the
    folder-permissions. So, the share-level security on the home1 share is
    'everyone=modify'. Then, on the 'security' tab, I set "domain admins" to
    full-control, and that's it.

    I then create the individual home folders within the home1 share... example,
    "JSmith" and "JDoe".

    The folder JSmith inherits permissions from the parent folder, Home1. I
    also add the user "JSmith" to the JSmith folder permissions, and give him
    modify access. For the JDoe folder, I do the same... security inherited, add
    JDoe with Modify.

    Sounds normal so far...

    So why won't it work? It seems as if the Share-Level permissions override
    EVERYTHING. Jdoe has full access to JSmith's folder. In fact, EVERYBODY has
    full permissions. If I take away 'modify' from the 'everyone' share-level
    permissions, Jdoe now only has 'read-only' permissions on JSmith's folder.
    If I remove 'everyone' altogether, NOBODY has ANY access.. which is normal.

    How should I configure this? Is it DFS that's screwing everything up? I've
    set permissions on hundreds of shares in the past, and I've never run into
    this issue. Setting share-level wide open, yet restricting at folder-level
    has ALWAYS worked in the past. What is going on?

    Any help is very very much appreciated.

    Thanks!

    Mike
     
    mike79, Jun 1, 2007
    #1

  2. mike79

    mike79 Guest

    "AllenM" wrote:

    >
    > "mike79" <> wrote in message
    > news:...
    > > Hi everyone,
    > >
    > > I can't figure out what I'm doing wrong here. If someone can PLEASE help
    > > me
    > > out, I'd greatly appreciate it.
    > >
    > > This is on Windows Storage Server 2003 R2
    > > I have a DFS root and a bunch of shared folders. I created a new folder
    > > called "home." Next, I created a few home shares on the drive. d:\Home1,
    > > Home2, Home3 and Home4. I then created subfolders in DFS called Home1,
    > > Home2, etc. I set the target folders to the respective drive folders.
    > >
    > > So,
    > >
    > > \\root\home
    > > That is the master folder that will display the 4 home folders.
    > >
    > > \\root\home\Home1 links to the D:\Home1 folder.
    > > \\root\home\Home2 links to D:\Home2

    >
    > I think here you can eliminate one level. \\servername\home should be
    > sufficient. From under Home you can then create the users sub folders i.e.
    > \\servername\home\JDoe
    >
    > >
    > > And so on.
    > >
    > > Now... in a 'normal' world, the way I would set permissions is to set share
    > > permissions to be wide open, and then handle the security by the
    > > folder-permissions. So, the share-level security on the home1 share is
    > > 'everyone=modify'. Then, on the 'security' tab, I set "domain admins" to
    > > full-control, and that's it.

    >
    > Wrong. In a normal world security on a share is set to Everyone=FULL. That
    > is all that is needed on the share level.
    >
    > > I then create the individual home folders within the home1 share...
    > > example,
    > > "JSmith" and "JDoe".
    > >
    > > The folder JSmith inherits permissions from the parent folder, Home1. I
    > > also add the user "JSmith" to the JSmith folder permissions, and give him
    > > modify access. For the JDoe folder, I do the same... security inherited,
    > > add
    > > JDoe with Modify.
    > >
    > > Sounds normal so far...

    >
    > No not normal. At the user level JSmith or JDoe you need to turn off and
    > copy the inheritance and remove EVERYONE from the NTFS security permissions.
    >
    > > So why won't it work? It seems as if the Share-Level permissions override
    > > EVERYTHING. Jdoe has full access to JSmith's folder. In fact, EVERYBODY
    > > has
    > > full permissions. If I take away 'modify' from the 'everyone' share-level
    > > permissions, Jdoe now only has 'read-only' permissions on JSmith's folder.
    > > If I remove 'everyone' altogether, NOBODY has ANY access.. which is
    > > normal.

    >
    > You need to understand how share permissions interact with NTFS permissions.
    > Share permissions will "always supersede" NTFS permissions with the least
    > permissive access. For example let's say I set the SHARE security to
    > Everyone-READ only. This will supersede any NTFS permissions applied. So if
    > I give JDoe NTFS modify access what do you think will happen? She will only
    > have READ permissions.
    >
    > > How should I configure this? Is it DFS that's screwing everything up?
    > > I've
    > > set permissions on hundreds of shares in the past, and I've never run into
    > > this issue. Setting share-level wide open, yet restricting at
    > > folder-level
    > > has ALWAYS worked in the past. What is going on?

    >
    > DFS has nothing to do with this. Here is how I would set it up.
    >
    > C:\ Is any Administrative share and by default is set to share C$. Only
    > administrators have access to this share.
    > NTFS permissions would be - Administrators-FULL / SYSTEM-FULL / Backup
    > Operators-FULL - Everyone - List
    > C:\Home - Share as "Home" and Everyone-FULL - Inherit NTFS permissions from
    > parent folder (C:\)
    > C:\Home\JSmith - Turn off inheritance and copy. Remove Everyone and add
    > JSmith-Modify.
    >
    >
    > > Any help is very very much appreciated.
    > >
    > > Thanks!
    > >
    > > Mike

    >
    >
    >


    That's exactly what I'm doing but the 'share' "full control" is overwriting
    my NTFS security settings.

    Details:

    D: is set to admin only, exactly as you described.

    D:\home is shared with Everyone-Full and it inherits permissions from D
    D:\home\JSmith has inheritance turned off, permissions are copied, and the
    'everyone' user is removed. Jsmith is given modify permissions.

    Sounds good so far, yes?

    I log in as non-admin user JDoe (should not have rights to JSmith), and then
    connect directly to the server:

    \\servername\home

    double click on JSmith

    I'm in the folder. I can create new folders, delete files, anything. I
    have full modify-permissions. I just replicated this whole thing, did it
    exactly as you described (how I've always done it) and the problem persists.
    The 'full-control' Share-level permissions are 'winning' no matter how I
    restrict it via NTFS security.

    It's the same thing if I access it via the DFS links.


    holy hell...

    I just found it.

    In the NTFS permissions of JSmith, the following users are there:

    Administrators: \servername\administrators
    Creator Owner
    System
    JSmith
    Users: \servername\users

    That last one bugged me, so I went to 'manage servername' and checked who
    was in the 'users' field. Sure enough, 'domainname\users' was part of the
    local server 'users' group. I removed it, and ... lo and behold, JDoe can't
    access JSmith's home anymore.

    So simple...
    I hate these things.

    Thanks for the help you two =)
     
    mike79, Jun 4, 2007
    #2
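
The behaviour worked out in this thread, as an added example that is not part of the original posts: a simplified Python model of how a user's nested group memberships, the share ACL and the NTFS ACL combine into effective access. Principal names come from the thread; the rights bits, the allow-only evaluation and the Modify right on servername\users are assumptions made for illustration.

```python
# Simplified model: allow ACEs only, three rights bits, no deny or inheritance logic.
READ, WRITE, ADMIN = 1, 2, 4
MODIFY, FULL = READ | WRITE, READ | WRITE | ADMIN

# Constructed group data mirroring the thread.
NESTED = {
    "domainname\\JDoe": {"domainname\\users"},
    "domainname\\JSmith": {"domainname\\users"},
    "domainname\\users": {"servername\\users"},  # the nesting found in the thread
}
# After the fix: domainname\users removed from the local servername\users group.
FIXED = {k: v for k, v in NESTED.items() if k != "domainname\\users"}

SHARE_FULL = [("Everyone", FULL)]
SHARE_READ = [("Everyone", READ)]
# Trustees as listed in the thread; the rights on servername\users are assumed.
JSMITH_ACL = [
    ("servername\\administrators", FULL),
    ("CREATOR OWNER", FULL),
    ("SYSTEM", FULL),
    ("domainname\\JSmith", MODIFY),
    ("servername\\users", MODIFY),
]

def token(user, member_of):
    """All principals the user acts as: itself, Everyone, and nested groups."""
    seen, stack = {user, "Everyone"}, [user]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def matching_aces(user, acl, member_of):
    """ACEs whose trustee is in the user's token (the entries to review)."""
    principals = token(user, member_of)
    return [(t, r) for t, r in acl if t in principals]

def effective_access(user, share_acl, ntfs_acl, member_of):
    """Rights granted by BOTH the share ACL and the NTFS ACL."""
    share = sum_rights(matching_aces(user, share_acl, member_of))
    ntfs = sum_rights(matching_aces(user, ntfs_acl, member_of))
    return share & ntfs

def sum_rights(aces):
    mask = 0
    for _, rights in aces:
        mask |= rights
    return mask
```

`matching_aces` is the useful part when troubleshooting: it names the ACE that lets an unexpected user in, which here is the group entry rather than the share permission.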