Share Permissions
I feel embarrassed to ask this, but I'm not proud, so here it goes: I have a folder called USERS. Under this folder are individual user folders (i.e. DGrohl, JPJones, JHomme).

My question: I use a VBScript to back up the folder and it's failing with a permission denied error. When I right-click on the folder, under Sharing, I have "Share this Folder" with the name "Users". In the Permissions tab, Administrators have Full Control, and so does Everyone. On the Security tab, permissions are more granular. What's the proper way to do this?

Ultimately, what I want is for DGrohl to be able to log in, get the Users folder and see anything in that root. He can see the JPJones folder, but he should not be able to see into it. He should only be able to see into and write to his folder. Same for all users. Administrator should be able to see into all folders for the backup script to function properly.

What's the right way with the permissions? Should I ignore permissions altogether on the Share tab?
August 3rd, 2010 4:39pm

Usually you control access with NTFS permissions and grant full control on share permissions. Access Based Enumeration has been around since 2003 SP1, so this might handle the visibility problem.

http://technet.microsoft.com/en-us/library/cc784710(WS.10).aspx
http://www.microsoft.com/windowsserver2003/techinfo/overview/abe.mspx

-- Mike Burr
August 3rd, 2010 5:13pm

Differences between Authenticated Users, Domain Users, and Everyone groups
http://networkadminkb.com/kb/Knowledge%20Base/ActiveDirectory/Differences%20between%20Authenticated%20Users,%20Domain%20Users,%20and%20Everyone%20groups.aspx

Recommended NTFS Permissions for New Drives
http://networkadminkb.com/kb/Knowledge%20Base/Windows2003/Recommended%20NTFS%20Permissions%20for%20New%20Drives.aspx

Creator Owner Explained
http://networkadminkb.com/kb/Knowledge%20Base/ActiveDirectory/Creator%20Owner%20Explained.aspx

The Golden Rules of Permissions Administration
http://networkadminkb.com/Shared%20Documents/The%20Golden%20Rules%20of%20Permissions%20Administration.aspx

Axioms of Permissions Administration
http://networkadminkb.com/Shared%20Documents/Axioms%20of%20Permissions%20Administration.aspx

Always make sure SYSTEM has FULL CONTROL, as well as the Local Administrators group. Creator Owner is not needed on new drives (non-C drives) used for file sharing.

Ultimately, doing security is about creating and developing a philosophy; there are many out there. The one below is mine and works for most situations. This is just a simplified explanation of how the Axioms and Golden Rules are applied.

For shares you should do the following:

1) Everyone - Read (optional, not really needed, but nice just in case)
2) Authenticated Users - Change
3) Local Administrators - Full Control
4) File Structure Administrators - Full Control

For shares, note the following:

- Always limit Authenticated Users to Change at the share to prevent non-admin users from accidentally being given Full Control to the file structure.
- You should always configure Local Administrators Full Control at the share so they can administer it remotely.
- You should always create and use a File Structure Administrators group and assign it Full Control to every share. This allows them to remotely administer shares without being local administrators.

For the NTFS permissions on your high-level directories, where no files reside and only read access to folders is needed to get to the data in lower directories:

1) Authenticated Users - Read
2) Local Administrators - Full Control
3) File Structure Administrators - Full Control
4) SYSTEM - Full Control

For NTFS in this situation, note:

- Always limit Authenticated Users to Read to prevent non-admin users from changing folders and creating files here.
- You should always configure Local Administrators Full Control at the folder so they can administer it remotely.
- You should always create and use a File Structure Administrators group and assign it Full Control to every folder. This allows them to remotely administer shares without being local administrators.

For NTFS permissions where users need to write data, stop inheritance, copy permissions and replace Authenticated Users with two different groups:

1) Directory group - Read Only
2) Directory group - Read and Write
3) Local Administrators - Full Control
4) File Structure Administrators - Full Control
5) SYSTEM - Full Control

For NTFS in this situation, note:

- Always remove Authenticated Users so the appropriate group(s) limit access.
- You should always configure Local Administrators Full Control at the folder so they can administer it remotely.
- You should always create and use a File Structure Administrators group and assign it Full Control to every folder. This allows them to remotely administer shares without being local administrators.
August 3rd, 2010 6:10pm
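
One way to apply the share and NTFS layout from the post above to a tree of per-user folders, using `net share` and `icacls`; this is an added example, not code posted in the thread. It assumes Windows Server 2008 or later, and the path D:\Users, the domain CONTOSO, the local group FileStructureAdmins and the rule that each folder is named after its owner's logon name are hypothetical; it grants each account Modify in place of the post's read/write directory groups.

```powershell
# Added example. Hypothetical names: D:\Users, CONTOSO, FileStructureAdmins.
$Root     = 'D:\Users'
$Domain   = 'CONTOSO'
$FsAdmins = 'FileStructureAdmins'

# Share level: Authenticated Users get Change, never Full Control;
# both administrator groups get Full Control for remote administration.
net share "Users=$Root" '/GRANT:Authenticated Users,CHANGE' `
    '/GRANT:Administrators,FULL' "/GRANT:$FsAdmins,FULL"

# Top-level folder: drop inherited ACEs and the explicit Everyone ACE,
# then grant the administrative principals Full Control, inherited by
# every subfolder and file (OI = object inherit, CI = container inherit).
icacls $Root /inheritance:r
icacls $Root /remove:g 'Everyone'
icacls $Root /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' `
    "${FsAdmins}:(OI)(CI)F"

# Read for Authenticated Users on this folder only (no OI/CI flags):
# users can list the root but cannot create anything in it, and the
# ACE does not flow down into anyone's personal folder.
icacls $Root /grant:r 'Authenticated Users:(RX)'

# Per-user folders: stop inheritance while copying the inherited ACEs,
# remove the broad groups, then let only the owner write.
$userDirs = Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer }
foreach ($dir in $userDirs) {
    $account = "$Domain\$($dir.Name)"   # assumption: folder name = logon name
    icacls $dir.FullName /inheritance:d
    icacls $dir.FullName /remove:g 'Authenticated Users' 'Everyone'
    # Modify rather than bare read/write so users can delete their own files.
    icacls $dir.FullName /grant:r "${account}:(OI)(CI)M"
}

# Print the resulting ACLs for review.
icacls $Root
foreach ($dir in $userDirs) { icacls $dir.FullName }
```

The inheritable ACEs only reach files and subfolders that still have inheritance enabled; anything below a user folder with a protected ACL keeps whatever permissions it already had.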

OK, I know I marked this as answered, but once again, I'm stumped.

A little history: At one point I turned on Folder Replication (I think it's called that, where the user's My Docs and Local Settings are synched with the server at each logon and logoff). I have since disabled it, though it still happens for some users like a possessed demon.

So anyway, here's where it fails. Here's the directory tree:

Users
    Debbie
        Desktop

Anything in a user's Desktop folder is inaccessible to the Administrator. I must go to EACH item in this folder, take ownership, then add Admin with full rights. This will be a bad thing with many users.

At the USERS level, for Sharing I have Admin, Everyone, and SYSTEM, all with Full Control. Same on the Security tab. The check box to Allow Inheritable Permissions under Advanced is NOT CHECKED.

For DEBBIE, Debbie and Admin have Full Control. The check box to Allow Inheritable Permissions under Advanced is NOT CHECKED.

For DESKTOP, same as above.

Why is it just this Desktop folder? What the %$&%#$ am I doing wrong, lol!! Appreciate any help.
August 4th, 2010 10:27pm

This topic is archived. No further replies will be accepted.
