+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 17
Windows Server 2008 Thread, Tearing my hair out over folder permissions in 2008 in Technical; Hopefully you guys can help me, I've got myself in a right muddle with some folder permissions on my Win ...
  1. #1
    swpmre's Avatar
    Join Date
    Sep 2007
    Location
    Salford, Greater Manchester
    Posts
    77
    Thank Post
    14
    Thanked 3 Times in 2 Posts
    Rep Power
    18

    Tearing my hair out over folder permissions in 2008

    Hopefully you guys can help me, I've got myself in a right muddle with some folder permissions on my Win Server 2008 / Windows XP network.

    Here's the setup.

    A top-level shared folder, called "staff". Contains several other shared folders called after our different sites.

    The reason the sub-folders are also shared, is that they are directly mapped for student, who are still using non-AD logons.

    I want everyone in the "tutors" group in AD to have read access to the top level, but not write/modify. I want them also to have full rights to the sub-folders.

    So, I've set the two types of sharing on the top level "staff" folder. In the File Sharing bit, the tutors group is set as READER. In the NTFS bit they have "Read & Exe, List, Read" rights.

    When I logon as a staff member (i.e. in the tutors folder) I can see the contents of the staff folder, access them, but not Read or Write. This is correct.

    I then set the permissions on the sub-folders, within Staff. In the File Sharing bit, I set the tutors group to be "Co-Owner" and in NTFS, I give them Full Control.

    If I now logon as Staff member I have correct rights for the top level staff folder, but cannot Write / Delete.

    It's like the top level is setting the rights for the lower levels, but I can't work out why.

    Any ideas?

  2. #2

    Steve21's Avatar
    Join Date
    Feb 2011
    Location
    Swindon
    Posts
    2,730
    Thank Post
    344
    Thanked 520 Times in 488 Posts
    Rep Power
    180
    Quote Originally Posted by swpmre View Post
    It's like the top level is setting the rights for the lower levels, but I can't work out why.

    Any ideas?
    Did you put inheritance on the lower folders/shares?

    Steve

  3. #3
    swpmre's Avatar
    Join Date
    Sep 2007
    Location
    Salford, Greater Manchester
    Posts
    77
    Thank Post
    14
    Thanked 3 Times in 2 Posts
    Rep Power
    18
    EDIT: I answered that backwards.

    No. Well at least I think I explicitly turned that off.

    On the permissions for the sub-folders, the tutors group is set to "Full Control", "Not Inherited", "Apply to This folder, Subfolders & Files".
    Last edited by swpmre; 8th September 2011 at 10:56 AM. Reason: clarify

  4. #4
    swpmre's Avatar
    Join Date
    Sep 2007
    Location
    Salford, Greater Manchester
    Posts
    77
    Thank Post
    14
    Thanked 3 Times in 2 Posts
    Rep Power
    18
    Could it be to do with the "Read Only" attribute on the properties dialog on the folder? Looking at KB articles about turning that off....

  5. #5
    TheScarfedOne's Avatar
    Join Date
    Apr 2007
    Location
    Plymouth, Devon
    Posts
    1,161
    Thank Post
    705
    Thanked 172 Times in 156 Posts
    Blog Entries
    78
    Rep Power
    86
    Ok... I think I can see your problem. You need to set the share level permissions to be the highest you need (even for lower down the tree), and then restrict it back with NTFS permissions. So...

    Staff (Share: Modify; NTFS: Read)
    > UserFolder1.... (NTFS: Modify)

    This should do what you need.

  6. #6
    swpmre's Avatar
    Join Date
    Sep 2007
    Location
    Salford, Greater Manchester
    Posts
    77
    Thank Post
    14
    Thanked 3 Times in 2 Posts
    Rep Power
    18
    Thanks for the response. I've tried that, and it still doesn't work.

    I've the tutor group permissions (shared: as co-owner)

    On the root of the share, I've given tutors NTFS permissions (set to this folder only)

    Traverse
    List Folder
    Read Attribs
    Read Extended Attribs
    Read Permissions

    Logging on as the tutor, I stil have write / delete / create access on the root.

    If I look at the EFFECTIVE permissions tab for that folder, when I look at the tutor group, the permissions are set correctly.

    However if I try to look for an individual user (indeed any user, staff, tutor or admin) I get the error

    "Windows cannot calculate effective permissions for [username]"

    So, I interpret this as meaning that for some reason, when I logon to the machine, my logon is not receiving proper permissions.

  7. #7

    ZeroHour's Avatar
    Join Date
    Dec 2005
    Location
    Edinburgh, Scotland
    Posts
    5,693
    Thank Post
    947
    Thanked 1,355 Times in 828 Posts
    Blog Entries
    1
    Rep Power
    451
    Just so its clear in my head:
    Quote Originally Posted by swpmre View Post
    Hopefully you guys can help me, I've got myself in a right muddle with some folder permissions on my Win Server 2008 / Windows XP network.

    Here's the setup.

    A top-level shared folder, called "staff". Contains several other shared folders called after our different sites.
    The reason the sub-folders are also shared, is that they are directly mapped for student, who are still using non-AD logons.
    So inside the top share called staff there are folders called "site1" "site2" for example that are mapped directly to local logins on the client for students?
    Quote Originally Posted by swpmre View Post
    I want everyone in the "tutors" group in AD to have read access to the top level, but not write/modify. I want them also to have full rights to the sub-folders.
    So everyone with the security group "tutors" who have an AD login have permissions to read anything inside "staff" but full writes to "site1" "site2" folder under that and any other folders.
    Quote Originally Posted by swpmre View Post
    So, I've set the two types of sharing on the top level "staff" folder. In the File Sharing bit, the tutors group is set as READER. In the NTFS bit they have "Read & Exe, List, Read" rights.
    As a general rule I never use share permissions and give "everyone" full control. I only use NTFS permissions to control shares as its simpler to get setup and find faults. We have never had an issue doing this so far as a tip.
    Quote Originally Posted by swpmre View Post
    When I logon as a staff member (i.e. in the tutors folder) I can see the contents of the staff folder, access them, but not Read or Write. This is correct.
    It may just be a typo but when you say "tutors folder" are you talking about a OU folder inside AD or an actual security group they are a member of as permissions etc are linked to security groups not the OU folder as such.
    Quote Originally Posted by swpmre View Post
    I then set the permissions on the sub-folders, within Staff. In the File Sharing bit, I set the tutors group to be "Co-Owner" and in NTFS, I give them Full Control.
    Try setting share permissions to group "everyone" full control and see if the ntfs part works at least.

    The thing to note is you can set permissions to apply to the folder and not subfolders or apply a permission set to only subfolders which I think is what you want.
    Can you possibly post some screenshots of what you have currently?

  8. #8
    swpmre's Avatar
    Join Date
    Sep 2007
    Location
    Salford, Greater Manchester
    Posts
    77
    Thank Post
    14
    Thanked 3 Times in 2 Posts
    Rep Power
    18
    Thanks for the response and apologies for the delayed answer myself. Your description of the setup is correct and you spotted my mistake, I didn't mean a tutor folder, I meant a tutor security group in AD.

    Ok, I've tried your ideas. I set the top level folder to have SHARED permissions for EVERYONE to be Co-OWNER. I then restricted the permissions for the tutor AD security group (MAES\tutors) to be read-only. Yet despite this, when I logon as a user which is a member of the tutor group, I can create files in the top level folder.

    Note that to make these images I have used the STUDENT folder tree. This shows exactly the same behaviour and is setup identically to the TUTOR folders described before. A shared top level (in this case called Student Area) and within that Shared Folders for each centre.

    First image of the Shared Settings

    top_shared_1.jpg

    Second image of the security settings.

    top_security.jpg

    Thanks for taking the time to look at this.

  9. #9

    Join Date
    May 2011
    Location
    Jus North of London, close but not too close
    Posts
    851
    Thank Post
    188
    Thanked 70 Times in 65 Posts
    Rep Power
    50
    Be carefull with 2008 R2 sharing wizard it can as I've found change NTFS (Security) Permissions as well. It is much safer to share using the Properties of the folder > Click on Sharing Tab and then choose Advanced Sharing so you only change the Share Permissions. Then change the Security Permissions yourself.

    I think you'll find that if you share to a security group as read only this is the effective permission they will have with NTFS formatted drives. As stated previously in thread it is more workable setting everyone Full SHARE permissions and then controlling accessibilty and permissions with NTFS (Security) Permissions.

  10. #10
    swpmre's Avatar
    Join Date
    Sep 2007
    Location
    Salford, Greater Manchester
    Posts
    77
    Thank Post
    14
    Thanked 3 Times in 2 Posts
    Rep Power
    18
    Hi,

    We don't have Win 2008 R2, it's normal Win 2008. So we've not used the wizard.

    I've set up with Everyone having full share permissions and tried to control with NTFS, but it still doesn't work. See screenshots in my last post.

  11. #11

    Join Date
    May 2011
    Location
    Jus North of London, close but not too close
    Posts
    851
    Thank Post
    188
    Thanked 70 Times in 65 Posts
    Rep Power
    50
    Quote Originally Posted by swpmre View Post
    Hi,

    We don't have Win 2008 R2, it's normal Win 2008. So we've not used the wizard.

    I've set up with Everyone having full share permissions and tried to control with NTFS, but it still doesn't work. See screenshots in my last post.
    You have got similar 'Share With' facility in 2008 R2. It is very wizard like. I strongly suggest you use the advanced sharing facility instead.

  12. #12
    swpmre's Avatar
    Join Date
    Sep 2007
    Location
    Salford, Greater Manchester
    Posts
    77
    Thank Post
    14
    Thanked 3 Times in 2 Posts
    Rep Power
    18
    Ok, now I see what you mean. My mistake.

    I've done that. Instead of using the "Wizard" I have used the "advanced share".

    However this makes no difference at all.

    As it seems to me, I can either have

    (a) Read only access to the top level and all the sub-folders

    or

    (b) Read/Write etc access to the top level and all the sub-folders.

    Looking at this a different way.

    The ONLY thing that seems to effect the ability to Read or not Read is the Share permissions. the NTFS security settings seem to make NO difference on the top level shared folder.

    So I am back to asking, is it possible that for some reason AD is ignoring the security group that the tutor is part of?





    I just cannot believe it is so complex. Am I possibly missing something else?
    Last edited by swpmre; 14th September 2011 at 01:16 PM. Reason: extra info

  13. #13
    swpmre's Avatar
    Join Date
    Sep 2007
    Location
    Salford, Greater Manchester
    Posts
    77
    Thank Post
    14
    Thanked 3 Times in 2 Posts
    Rep Power
    18
    I've further noticed that even if I give explicit Read Only permissions to the user I am logged in as, I can still create / write files in that folder.

  14. #14

    Join Date
    Jan 2010
    Posts
    109
    Thank Post
    2
    Thanked 19 Times in 19 Posts
    Rep Power
    13
    Quote Originally Posted by swpmre View Post
    I've further noticed that even if I give explicit Read Only permissions to the user I am logged in as, I can still create / write files in that folder.
    What permissions does "CREATOR OWNER" have?

  15. #15
    swpmre's Avatar
    Join Date
    Sep 2007
    Location
    Salford, Greater Manchester
    Posts
    77
    Thank Post
    14
    Thanked 3 Times in 2 Posts
    Rep Power
    18
    Full Control, for this and sub-folders.

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Moodle SSO - tearing my hair out!
    By jgcracknell in forum Virtual Learning Platforms
    Replies: 6
    Last Post: 18th April 2011, 01:05 PM
  2. Shares and folder permissions in VB.NET
    By GoldenWonder in forum Coding
    Replies: 5
    Last Post: 18th June 2010, 11:55 AM
  3. Help needed (before I pull my hair out :) )
    By Talorin in forum General Chat
    Replies: 13
    Last Post: 29th June 2009, 09:26 AM
  4. Problems setting folder permissions in GP
    By TheWhiteWiltord in forum Windows
    Replies: 3
    Last Post: 27th January 2009, 12:42 PM
  5. AFP Automount - tearing my hair out over it
    By sidewinder in forum Mac
    Replies: 2
    Last Post: 4th November 2008, 10:34 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •