File System / Directory Security

  • Thread starter Thread starter Mark
  • Start date Start date
M

Mark

I have spent hours trying to accomplish this with no luck. Maybe someone in
here has this implemented and could help me out. The concept here seems so
simple, but no simple way to implement it.....

I have a Windows Server 2003. I have a folder created called E:\Projects. I
ONLY wand a few people to be able to create/modify/delete files and folders
from within E:\Projects, but everyone else to have read-only access. Once
there have been sub-folders created (by only a few designated people) in
E:\Projects, everyone else can have full control of the sub-folders. In
other words.....

E:\Projects\: Everyone = read-only, allowed user(s) = full
control
E:\Projects\sub-folder1\: Everyone = full control
E:\Projects\sub-folder1\sub-folder2\: Everyone = full control
and so-on and so-on

Any ideas?? Thanks.
 
Hello,

don't give full control to users, so ntfs security can't be changed
(accidently or by users)

Security should be inherited

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Mark" <me@mymail.com> wrote in message
news:uoRyhVP4HHA.5724@TK2MSFTNGP05.phx.gbl...
> I have spent hours trying to accomplish this with no luck. Maybe someone
> in here has this implemented and could help me out. The concept here seems
> so simple, but no simple way to implement it.....
>
> I have a Windows Server 2003. I have a folder created called E:\Projects.
> I ONLY wand a few people to be able to create/modify/delete files and
> folders from within E:\Projects, but everyone else to have read-only
> access. Once there have been sub-folders created (by only a few
> designated people) in E:\Projects, everyone else can have full control of
> the sub-folders. In other words.....
>
> E:\Projects\: Everyone = read-only, allowed user(s) = full
> control
> E:\Projects\sub-folder1\: Everyone = full control
> E:\Projects\sub-folder1\sub-folder2\: Everyone = full control
> and so-on and so-on
>
> Any ideas?? Thanks.
>
 
"Mark" <me@mymail.com> wrote in message
news:uoRyhVP4HHA.5724@TK2MSFTNGP05.phx.gbl...
> I have spent hours trying to accomplish this with no luck. Maybe someone
> in here has this implemented and could help me out. The concept here seems
> so simple, but no simple way to implement it.....
>
> I have a Windows Server 2003. I have a folder created called E:\Projects.
> I ONLY wand a few people to be able to create/modify/delete files and
> folders from within E:\Projects, but everyone else to have read-only
> access. Once there have been sub-folders created (by only a few
> designated people) in E:\Projects, everyone else can have full control of
> the sub-folders. In other words.....
>
> E:\Projects\: Everyone = read-only, allowed user(s) = full
> control
> E:\Projects\sub-folder1\: Everyone = full control
> E:\Projects\sub-folder1\sub-folder2\: Everyone = full control
> and so-on and so-on
>
> Any ideas?? Thanks.
>

On e:\projects grant Read to Users for This folder, subfolders and files
On e:\projects grant Modify to Users for Subfolders and files
On e:\projects grant Modify to SpecialUsers for This folder, subfolders and
files

You need to use the edit button in the Advanced NTFS dialog
for the second in order to get to the Applies-To dropbox
 
Just thought I'd add that I've been down this road, and found one
insurmountable problem, namely that files moved between folders within the
same share don't acquire correct permissions for the folder they're in. Thus,
after a few things get shuffled around in the normal course of work, you have
a chaotic situation in which no-one can predict which files will be
accessible.

I don't know of any answer, other than to use share permissions instead,
which is what I normally do.

In Linux you can chmod 2770 (sticky group rights) to (largely) overcome this
problem, but I don't know of any Windows equivalent. Does anyone else?
 
In Windows most storage on people's own workstations is
fairly uniform in permissioning, at least the part where limited
users can save things, so this is not a big issue on workstations.

For server storage on Windows 2003 and earlier the intra-
partition move retaining explicit permissions is an issue as
you outline. There are a couple of approaches. When you
have two distinctly differently permissioned storage areas,
putting them on separate partitions is the main way to avoid
the problem. Another approach is to make it so that the user
modifiable storage areas have no explicit but only inherited
permissions, since the inherited permissions are always set
due to the location, before or after a move.

"Anteaus" <Anteaus@discussions.microsoft.com> wrote in message
news:A606E349-B9AA-4CEE-9D4A-7DC2270B452D@microsoft.com...
> Just thought I'd add that I've been down this road, and found one
> insurmountable problem, namely that files moved between folders within the
> same share don't acquire correct permissions for the folder they're in.
> Thus,
> after a few things get shuffled around in the normal course of work, you
> have
> a chaotic situation in which no-one can predict which files will be
> accessible.
>
> I don't know of any answer, other than to use share permissions instead,
> which is what I normally do.
>
> In Linux you can chmod 2770 (sticky group rights) to (largely) overcome
> this
> problem, but I don't know of any Windows equivalent. Does anyone else?
>
 
Back
Top