Windows Server 2008 R2 Thread, NEED URGENT HELP WITH FOLDER SECURITY! :'( in Technical; Hey Guys
Hoping one of you geniuses can give me a hand here! We have an admin folder where all ...
2nd June 2014, 04:13 PM #1
NEED URGENT HELP WITH FOLDER SECURITY! :'(
Hoping one of you geniuses can give me a hand here! We have an admin folder where all the admin stuff such as attendance etc.. is. It sits on the staff share so everyone has been able to see it and open the documents inside which the head teacher flipped about and wants only the admin staff to be able to access it.
Easy enough I thought I will simply add all the admin staff into a AD Security Group and delete all the other Users/Groups who have access to the folder in security I will then give this Group Full Control and none else including the Administrator Username.
It hasn't worked like that none can access anything and the files and sub folders can't even be accessed by me the administrator! I'm really worried now as I have just checked and our FRIGGING BACKUP has failed! I'm loosing the will to live someone please help!
2nd June 2014, 04:16 PM #2
ok, you should be able to take ownership of the folder, using the instructions in the link below, to get the administrator account its access back, then try the security policies again.
Take Ownership of a File or Folder
I have done this before, it is worrying, but it is all still there, you will be fine :-)
2nd June 2014, 04:18 PM #3
You may need to take ownership of the folder plus subfolders/files and then re-do the permissions(security>advanced>ownership). Did you enter any deny permissions entries? these override any grant's that are in place.
Also in general I'd always leave the domain admins group with read permissions at the very least to allow backups to be performed
2nd June 2014, 04:31 PM #4
Ok I've took ownership of the folder and some files seem to open the others say they're corrupt and cannot be opened. The flaming backup hasn't backed up that one particular folder for some odd reason and I can't get it back.
2nd June 2014, 04:35 PM #5
Yep still not working, a select few of the folders have padlocks next to them and when I try to open a word document or PDF inside of them it says I do not have the rights to access the files!? GAHHH
2nd June 2014, 04:44 PM #6
Did you tell it to propagate the child folders with the new ownership / access permissions when you took ownership as it just sounds like it's not been through the process of updating the child folders of that top level admin folder.
Also, when you were locking it down, how did you go about that? The one rule to remember (that I learned in a very similar way to how you sound to be now) is don't check deny on the upper-most level that a staff member might have (so if the admins are a member of users, staff and schooladmins, if you check to Deny access on staff or users, this will also apply to the schoolsadmins group). Only use Deny to explicitly make sure a particular group (say students) can't access the folder. If you don't want staff to access it, just remove all the groups other than the one you do want to access it, then Windows normally will behave.
As others have mentioned though, may sure you leave at least some admin read access for backups and such.
Hope you get it sorted.
2nd June 2014, 04:44 PM #7
It seems that some folders and files within the admin area aren't updating their permissions, there are far too many files to edit the permissions one by one can someone please help me I'm really stressed out should have left work over an hour ago now!
2nd June 2014, 04:51 PM #8
Alex you need to tick this box which will push all perms set on that folder down to all children
2nd June 2014, 04:52 PM #9
Also, we have a different folder, on a different drive shared to Admin users mapped as a separate drive for this purpose.
2nd June 2014, 04:53 PM #10
Ah hold on I think it's worked if you two @faim010 & @soveryapt are right YOU ARE LEDGENDS
Thanks to abillybob from:
soveryapt (2nd June 2014)
2nd June 2014, 04:53 PM #11
EDIT: Didn't see the new posts!
Try opening a command prompt and navigating to the folder above this admin one, then running this:
takeown /a /r /f FolderName
See what messages you get. I'm around for another half hour or so.
2nd June 2014, 04:58 PM #12
If you right click on the main folder, and click properties, then click on the security tab and click Advanced.
On the Owner Tab of the advance, click Edit and choose the admin group / your account (which ever it is your trying to get back control to). The ones you can choose should be listed in the box.
Underneath that, there is a box "Replace Owner on subcontainers and objects" - make sure this is checked then click ok.
This will then go through the process of updating the owner on all the contents of that folder.
Once done, you can then in the advanced settings go into the Permissions Tab and click on "Change Permissions" which will bring up a page for you to set permissions on.
If you're doing custom permissions and this folder is within an existing structure staff have access to, then uncheck the "include permissions from this object's parent" box and also make sure you check the "Replace all child object permissions with inheritable permissions from this object" and then set the permissions for people you want to access the folder.
Personall, I would remove all the ones there, add the standard administrators group to it with full control (assuming staff aren't admins) and then add the group for the admin staff on there with full control, this should then mean anyone outside of those 2 groups cannot access this folder. You could of course limit either of those groups to only have specific controls, but to get it working, the above should be fine.
Click ok and it should go through the process of updating all the child object permissions and such (you'll probably get an Are You Sure box).
Then, log on as a member of staff to make sure they can't access it, if they can't, brilliant, then log on as a member of admin staff (set up test accounts if no one is about to do this for you if you don't have them already) and if they can access it, job done, go home, and take some EduHobNobs and Whiskey with you!
2nd June 2014, 04:58 PM #13
You've done it both of you are life saviours cheers
Thanks to abillybob from:
soveryapt (2nd June 2014)
2nd June 2014, 04:58 PM #14
2nd June 2014, 05:00 PM #15
No probs, been there, done it .. glad you're sorted!
Originally Posted by abillybob
By mrb-solutions in forum How do you do....it?
Last Post: 2nd August 2010, 10:28 AM
By My220x in forum Coding
Last Post: 10th October 2009, 11:12 PM
By martin88 in forum Windows
Last Post: 7th March 2008, 02:28 PM
By snsweigel in forum Thin Client and Virtual Machines
Last Post: 4th March 2008, 07:44 PM
By gh256 in forum Web Development
Last Post: 22nd November 2007, 04:03 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)