Hopefully you guys can help me, I've got myself in a right muddle with some folder permissions on my Win Server 2008 / Windows XP network.
Here's the setup.
A top-level shared folder, called "staff". Contains several other shared folders called after our different sites.
The reason the sub-folders are also shared is that they are directly mapped for students, who are still using non-AD logons.
I want everyone in the "tutors" group in AD to have read access to the top level, but not write/modify. I want them also to have full rights to the sub-folders.
So, I've set the two types of sharing on the top level "staff" folder. In the File Sharing bit, the tutors group is set as READER. In the NTFS bit they have "Read & Exe, List, Read" rights.
When I logon as a staff member (i.e. in the tutors folder) I can see the contents of the staff folder, access them, but not Read or Write. This is correct.
I then set the permissions on the sub-folders, within Staff. In the File Sharing bit, I set the tutors group to be "Co-Owner" and in NTFS, I give them Full Control.
If I now logon as Staff member I have correct rights for the top level staff folder, but cannot Write / Delete.
It's like the top level is setting the rights for the lower levels, but I can't work out why.
EDIT: I answered that backwards.
No. Well at least I think I explicitly turned that off.
On the permissions for the sub-folders, the tutors group is set to "Full Control", "Not Inherited", "Apply to This folder, Subfolders & Files".
Last edited by swpmre; 8th September 2011 at 10:56 AM. Reason: clarify
Could it be to do with the "Read Only" attribute on the properties dialog on the folder? Looking at KB articles about turning that off....
Ok... I think I can see your problem. You need to set the share level permissions to be the highest you need (even for lower down the tree), and then restrict it back with NTFS permissions. So...
Staff (Share: Modify; NTFS: Read)
> UserFolder1.... (NTFS: Modify)
This should do what you need.
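The layout suggested in the reply above, written out as commands. This is an added example, not part of the original post: the path `D:\Shares\staff` and the site folder names are assumptions, while the share name and the `MAES\tutors` group are the ones named in the thread.

```powershell
# Added illustration. $Root and the site folder names are assumed values;
# the share name "staff" and the group MAES\tutors come from the thread.
$Root  = 'D:\Shares\staff'
$Sites = 'SiteA', 'SiteB'
$Group = 'MAES\tutors'

# 1. Share permission: grant the widest level needed anywhere below the share.
#    Over the network the result is the more restrictive of share and NTFS,
#    so a Reader-only share would cap every sub-folder at read.
#    (If the share already exists, change its permissions in Advanced Sharing.)
net share staff 2>$null | Out-Null
if ($LASTEXITCODE -ne 0) {
    net share "staff=$Root" '/GRANT:Everyone,FULL'
}

# 2. NTFS on the top level: stop inheriting from the parent, then give the
#    group Read & Execute on this folder only (no (OI)/(CI) flags, so the
#    entry is not passed down to the site folders).
icacls $Root /inheritance:r
icacls $Root /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' "${Group}:(RX)"

# 3. NTFS on each site folder: Modify for the group, inherited by the
#    sub-folders and files beneath it.
foreach ($Site in $Sites) {
    icacls (Join-Path $Root $Site) /grant:r "${Group}:(OI)(CI)M"
}

# 4. Check the result. NTFS allow entries add up across every group a user
#    belongs to, so any other entry on $Root that grants write (W, M or F)
#    to a group the test account is in still lets that account create files.
icacls $Root
foreach ($Site in $Sites) { icacls (Join-Path $Root $Site) }
```

Run it from an elevated prompt on the file server, then test from a workstation logged on as a member of the group.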
Thanks for the response. I've tried that, and it still doesn't work.
I've the tutor group permissions (shared: as co-owner)
On the root of the share, I've given tutors NTFS permissions (set to this folder only)
Read Extended Attribs
Logging on as the tutor, I still have write / delete / create access on the root.
If I look at the EFFECTIVE permissions tab for that folder, when I look at the tutor group, the permissions are set correctly.
However if I try to look for an individual user (indeed any user, staff, tutor or admin) I get the error
"Windows cannot calculate effective permissions for [username]"
So, I interpret this as meaning that for some reason, when I logon to the machine, my logon is not receiving proper permissions.
Just so it's clear in my head:
The thing to note is you can set permissions to apply to the folder and not subfolders or apply a permission set to only subfolders which I think is what you want.
Can you possibly post some screenshots of what you have currently?
Thanks for the response and apologies for the delayed answer myself. Your description of the setup is correct and you spotted my mistake, I didn't mean a tutor folder, I meant a tutor security group in AD.
Ok, I've tried your ideas. I set the top level folder to have SHARED permissions for EVERYONE to be Co-OWNER. I then restricted the permissions for the tutor AD security group (MAES\tutors) to be read-only. Yet despite this, when I logon as a user which is a member of the tutor group, I can create files in the top level folder.
Note that to make these images I have used the STUDENT folder tree. This shows exactly the same behaviour and is setup identically to the TUTOR folders described before. A shared top level (in this case called Student Area) and within that Shared Folders for each centre.
First image of the Shared Settings
Second image of the security settings.
Thanks for taking the time to look at this.
Be careful with the 2008 R2 sharing wizard; it can, as I've found, change NTFS (Security) Permissions as well. It is much safer to share using the Properties of the folder > Click on Sharing Tab and then choose Advanced Sharing so you only change the Share Permissions. Then change the Security Permissions yourself.
I think you'll find that if you share to a security group as read only this is the effective permission they will have with NTFS formatted drives. As stated previously in thread it is more workable setting everyone Full SHARE permissions and then controlling accessibility and permissions with NTFS (Security) Permissions.
We don't have Win 2008 R2, it's normal Win 2008. So we've not used the wizard.
I've set up with Everyone having full share permissions and tried to control with NTFS, but it still doesn't work. See screenshots in my last post.
Ok, now I see what you mean. My mistake.
I've done that. Instead of using the "Wizard" I have used the "advanced share".
However this makes no difference at all.
As it seems to me, I can either have
(a) Read only access to the top level and all the sub-folders
(b) Read/Write etc access to the top level and all the sub-folders.
Looking at this a different way.
The ONLY thing that seems to affect the ability to Read or not Read is the Share permissions. The NTFS security settings seem to make NO difference on the top level shared folder.
So I am back to asking, is it possible that for some reason AD is ignoring the security group that the tutor is part of?
I just cannot believe it is so complex. Am I possibly missing something else?
Last edited by swpmre; 14th September 2011 at 01:16 PM. Reason: extra info
I've further noticed that even if I give explicit Read Only permissions to the user I am logged in as, I can still create / write files in that folder.
Full Control, for this and sub-folders.