S Drive Permissions
Please excuse my ignorance, I am a data manager starting to get his feet wet in the murky waters of server administration so this question may be naive!
I wondered if anyone could advise on setting permissions on the S Drive. Over the summer our IT team installed new domain controllers, and pretty much gutted everything. Initially the default permissions to the S Drive for staff were pretty locked down which meant certain key staff couldn't access things like Exams, Nova and CTF creation.
Some individual accounts were given access to certain folders on a kind of ad-hoc basis but at some point this went wrong and now we have some users not able to access random folders and/or files, and trying to adjust the permissions gives lots of errors along the lines of "cannot change permissions for blah blah blah".
My question is, how would we go about re-setting staff permissions on the S Drive, and what would be the best/accepted way to grant individual users permissions to either the entire S Drive, or specific folders. Any other advice for a novice would be greatly appreciated!
You'll need to read up on it really - there are some basic principles that need to be understood before changing things - here is a good start: Managing Permissions. You may need a MS account to log in before you can access it...
File and Folder Permissions
Understanding Windows Server 2008 File and Folder Ownership and Permissions - Techotopia
Read the above articles, make a cup of tea and re-read. The top article is based on Server 2000 and the bottom is on 2008. More than likely you've had 2008 installed but the top article is still a good read.
I would use Groups as much as possible and not individual user accounts. Staff come and go or move sideways more often than the job roles do.
I give the S drive share Full Control to Everyone. This is the Share permission.
Then on the folder itself, the NTFS permission is read/list/execute, or whatever the basic one is. This ensures that they can't change anything.
As required, I then add special permissions for certain staff members e.g. the Nova folder, or the folder where the Cover is published, etc. It would as suggested be wiser to do this by group, but I don't control the groups, and I only ever really need a single user to do stuff, so it works okay.
The way you did it, locking down, followed by granting as required, is still probably the best way to go. What has probably happened is that either something got corrupted, or permissions were overwritten on a set of folders with something else that shouldn't have been.
Start again in the same way, just make sure you document each exception, i.e. each group that has added permissions, like read/write access to CTF-IN folder etc.
Many thanks to all for the advice.
Vikpaw, that's really useful, thanks.
I just have one more question (which really comes from my network manager.) What services would you need to stop in order to make wholesale changes to the S Drive permissions? It appears some of the problems are down to the fact that permissions won't change while SIMS is running since certain files are constantly in use. In other words once the SIMS server has been re-booted how can we then effectively stop SIMS running?
Hopefully I've asked that in a way that makes sense!
Stop the SQL service(s) from SQL server configuration manager.
Or just take the sims / fms dbs offline from management studio if the server has other sql dbs running on it.
I'm trying to think which files will be in constant use, and couldn't think which. It's mostly users accessing the S drive I thought.
Thanks again vikpaw,
I'll admit I didn't really understand why certain files might be in use. The specific problem that we are having currently is that if I try to allow a single user full control (for example) of the S:SIMS\SNOVA folder on its own when I try to apply I get various "unable to change permission, access is denied" error messages for each individual timetable file in the 2012 folder. This means that the user in question is unable to access the current timetable file.
Strangely, when logged in with my domain admin account, if I try to view the permissions to an individual file in the SNOVA\2012 folder, it tells me that I do not have permission to view or edit the permissions settings. I have now discovered that I also can't access the timetable table files through Nova using my domain account, but can with my standard account (which has no additional specific permissions granted).
The plot thickens!
That share folder will require write access on the share so if you've only given read and execute only at the share level then giving write access at NTFS level won't do anything.
I've made changes to the SIMS share before without having to stop SIMS or FMS so as vikpaw says I don't think it is left open on the server end i.e. only clients open it. Is domain admins the owner of all the files in the SIMS share?
Taking ownership as domain admin at the start might help. Share permissions could also be at fault.
It's worth trying the same access on a PC as well as on the server.
When I first set up the server (win 2008) I found that when I thought I was applying share permissions I wasn't. There are a couple of routes to do it on the server. I had access from the server, but not when I accessed the share from my PC or something strangely complex like that.
Anyway, after you've taken ownership, you will have access, then give yourself permission explicitly and force it to propagate down through the subfolders.
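
The sequence suggested in the replies above (check the share permission, take ownership, grant explicitly, propagate down), written out as an added example that is not part of any poster's message. The local path, share name and group name are assumptions; only the `2012` subfolder name comes from the thread.

```powershell
# Added example: run in an elevated PowerShell session on the file server itself.
# Assumptions (not from the thread): local path, share name and group name.
$Root   = 'D:\SIMS\SNOVA'        # assumed local folder behind the S drive share
$Share  = 'SIMS'                 # assumed share name
$Group  = 'SCHOOL\Nova-Editors'  # hypothetical domain group for timetable staff
$Backup = Join-Path $env:TEMP 'snova-acl-before.txt'

# 1. Show the share-level permissions. A remote user gets the more restrictive
#    of share and NTFS permissions, so a read-only share blocks NTFS write access.
net share $Share

# 2. Take ownership for the local Administrators group (/A), recursively (/R).
#    /D Y answers the prompt for folders that cannot be listed (English locale).
#    Ownership changes who may edit the ACL; it does not alter the ACL itself.
takeown /F $Root /A /R /D Y
if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

# 3. Save the existing ACLs before changing them. To roll back:
#    icacls (Split-Path $Root -Parent) /restore $Backup
icacls $Root /save $Backup /T /C

# 4. Grant on the top folder only, as inheritable entries:
#    (OI)(CI) = inherited by files and subfolders, F = full control, M = modify.
icacls $Root /grant 'BUILTIN\Administrators:(OI)(CI)F'
icacls $Root /grant "${Group}:(OI)(CI)M"

# 5. Replace the ACL on everything below with inherited entries only.
#    This discards ad-hoc per-user entries on children, so document the
#    exceptions you still need and re-grant them by group afterwards.
icacls "$Root\*" /reset /T /C

# 6. Verify: entries on the timetable folder should now be marked (I) for inherited.
icacls "$Root\2012"
```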