james24 Posted September 26, 2011

Hi everyone,

I've started setting up a Windows 2008 server as a bit of a home project, basically to teach myself how to use it. I'm having trouble with some file permissions. Here's what I have set up:

In my Active Directory, I have "user one", "user two" and "user three", which are all part of the domain users group. I also have "administrator" in the domain admins group.

I have created a folder called "HomeFolders" on the C drive of the server and shared it. I can see this folder from my client PC when logged into the domain. The HomeFolders folder has read only access from domain users and full access from domain admins. This works correctly.

Inside the HomeFolders folder I have a few subfolders, one for each user. So there is a folder called "one" for user one, a folder called "two" for user two, etc. For each subfolder, I have the permissions set up differently. I only want each user to have full access to their own folder. So the settings I have for the folder "one" are: userone@domain.local - full access and domain admins - full access.

However, I find when I log in to the domain as user one I do not have write access to the "one" folder. It has been successfully mapped from the setting in the AD and I can see it, but I have no write access. When I log in as administrator (part of the domain admins group) I do have write access to this folder.

I suspect this is because I have the parent folder "HomeFolders" set up with read-only access for anyone in the domain users group, which user one is part of. I figured I would work around this by allowing userone@domain.local full access on the "one" folder itself, but it doesn't seem to work. It seems to me that it is getting its permissions from its parent folder.

I am fairly new to Server 2008 and I do not have a lot of experience with file permissions, so some help on this would be great!

Thanks!
James

ICTCity Posted September 26, 2011

> I suspect this is because I have the parent folder "HomeFolders" set up with read-only access for anyone in the domain users group, which user one is part of. I figured I would work around this by allowing userone@domain.local full access on the "one" folder itself, but it doesn't seem to work. It seems to me that it is getting its permissions from its parent folder.

Here's the point. Right click the "one" folder > properties > security > advanced > Change permissions and UNTICK "Include inheritable permissions...". Let me know!

--------------------------------------------------------
You can also write in French. You can also write in German. You can also write in Italian.
--------------------------------------------------------

james24 Posted September 26, 2011

I've just tried that. All I have in the list are "Domain Admins - Full Control" and "Userone@domain.local - Full Control".

Though when I log on as userone, I still don't have full access. Am I able to have a user which is part of a group which only has read access but give that particular user full access? To me it sounds like I should be able to, but I'm not sure.

Thanks.

ICTCity Posted September 26, 2011

On the advanced screen, select the EFFECTIVE PERMISSION tab and add your user, then check there whether he has full control or not.

james24 Posted September 26, 2011

Under effective permissions, the user has full control - a tick in every box.

ICTCity Posted September 26, 2011

Is your user a member of another group? If you run "net use" in cmd when logged in as the user, what's the output?

james24 Posted September 26, 2011

The user is only a member of domain users. When I run "net use" I get this (S: and T: are two drives I have mapped in the login script):

    C:\Windows\system32>net use
    New connections will be remembered.

    Status       Local     Remote                    Network
    -------------------------------------------------------------------------------
    OK           S:        \\192.168.1.197\ShareA    Microsoft Windows Network
    OK           T:        \\192.168.1.197\ShareB    Microsoft Windows Network
    The command completed successfully.

ICTCity Posted September 26, 2011

This looks like the share, not the path itself. Try to map the full path, just to test it.

    \\IP\Full\Path\ShareA

james24 Posted September 26, 2011

The S: and T: drives are not what I am having trouble with. I have assigned the permissions I want to those and they are fine.

I have created the share called "one" which is having the problem and I access it by going to "192.168.1.197" (the server IP) in Windows Explorer then going into "Home" then "One". The "one" drive is not mapped, just shared on the server. The path looks like this: "\\192.168.1.197\home\one"

ICTCity Posted September 26, 2011

> The S: and T: drives are not what I am having trouble with. I have assigned the permissions I want to those and they are fine. I have created the share called "one" which is having the problem and I access it by going to "192.168.1.197" (the server IP) in Windows Explorer then going into "Home" then "One". The "one" drive is not mapped, just shared on the server. The path looks like this: "\\192.168.1.197\home\one"

So that's correct! If you have READ ONLY in share permissions, you can only READ. Set full control to share permissions and then change the NTFS permissions according to your needs.

james24 Posted September 26, 2011

Sorry, I'm getting a bit confused.

For the HOME FOLDER, I have read only for the domain users group. For the ONE FOLDER, I have full access for userone, who I am logging in as.

Your previous post said to change the share permissions to full control, but I already have. I do NOT want everyone in the domain users group to write to the "one" folder, just user one. Hence having read only for the domain users group on the home folder and full access for userone and the one folder.

If I'm completely missing your point, please explain where.

EDIT: I may be going about this the wrong way. I simply want a folder with a folder for each user inside it. Each user's folder should not be able to be accessed by any other user.

ICTCity Posted September 26, 2011

Usually I do the following:

Share permissions: domain users: full control (root folder, and sub folders).

Then, NTFS permissions to prevent access to some users, but basically share permissions are full control to "everyone".

james24 Posted September 26, 2011

Ok, I will give that a shot tomorrow and report back. Thank you very much for the help and putting up with my questions! It's very much appreciated.

ICTCity Posted September 26, 2011

You're welcome :)

james24 Posted September 27, 2011

> Usually I do the following: Share permissions: domain users: full control (root folder, and sub folders). Then, NTFS permissions to prevent access to some users, but basically share permissions are full control to "everyone".

Worked perfectly! Thank you :)
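
The layout the thread settles on (share permissions left at Full Control, NTFS permissions doing the restricting), written out as an added example that is not part of the original thread. It uses the built-in `net share` and `icacls` tools from an elevated PowerShell prompt on the server, and assumes a NetBIOS domain name `DOMAIN` (placeholder), the share name `home` on `C:\HomeFolders`, a folder not yet shared, and the account names `usertwo` and `userthree` for the folders `two` and `three`.

```powershell
# Added example (not from the thread). Placeholders and assumptions are marked.
$Root    = 'C:\HomeFolders'
$Share   = 'home'      # share name as it appears in \\192.168.1.197\home\one
$Domain  = 'DOMAIN'    # placeholder: NetBIOS name of the domain.local domain
# folder name -> account name; 'usertwo' and 'userthree' are assumed names
$Folders = @{ one = 'userone'; two = 'usertwo'; three = 'userthree' }

# 1. Share permissions: Full Control for Domain Users and Domain Admins.
#    Over the network a user gets the more restrictive of the share permission
#    and the NTFS permission, so a Read-only share caps everyone at Read no
#    matter what the NTFS ACL grants.
#    Assumes the folder is not shared yet; for an existing share, change the
#    permissions on the Sharing tab or remove it first with: net share home /delete
net share "$Share=$Root" "/GRANT:$Domain\Domain Users,FULL" "/GRANT:$Domain\Domain Admins,FULL"

# 2. NTFS on the root folder: Domain Users get Read & Execute on this folder
#    only (no (OI)(CI) flags, so the entry is not inherited by the subfolders).
icacls $Root /grant "$Domain\Domain Users:RX" "$Domain\Domain Admins:(OI)(CI)F"

# 3. NTFS on each user's folder: remove inherited entries, then grant Full
#    Control to the owning user and to Domain Admins only.
foreach ($name in $Folders.Keys) {
    $path = Join-Path $Root $name
    if (-not (Test-Path $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }
    icacls $path /inheritance:r /grant:r `
        "$Domain\$($Folders[$name]):(OI)(CI)F" `
        "$Domain\Domain Admins:(OI)(CI)F"
}

# 4. Check both layers. The Effective Permissions tab evaluates only the NTFS
#    ACL, so the share permissions have to be checked separately.
net share $Share
icacls (Join-Path $Root 'one')
```

With this in place, userone can write to `\\192.168.1.197\home\one`, while the other domain users have no NTFS entry on that folder and are denied access to it.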