Folder Permissions.

I am trying to create a folder system where users can put there files on the
network to share with others. BUT! I want to restrict access. For instance,
I want Bob to be able to have full permission to his folder, then I want
Mary to be able to access the folder, but not delete anything. Here's what I
have done so far:

Created a folder for Bob, added the "Everyone Group" giving them "Special
Permissions," then I added Bob with "Full Permissions." I also removed the
option to "Inherit From Parent." The problem is that since Bob is part of
the Everyone Group, it's causing a conflict and he can't delete items.

I'm not heavy in AD, etc. Any ideas on how to fix it?

Brent

"Brent" <somebody@somewhere.com> wrote in message
news:uSPsyVcUKHA.2836@TK2MSFTNGP04.phx.gbl...
>I am trying to create a folder system where users can put there files on
>the network to share with others. BUT! I want to restrict access. For
>instance, I want Bob to be able to have full permission to his folder, then
>I want Mary to be able to access the folder, but not delete anything.
>Here's what I have done so far:
>
> Created a folder for Bob, added the "Everyone Group" giving them "Special
> Permissions," then I added Bob with "Full Permissions." I also removed the
> option to "Inherit From Parent." The problem is that since Bob is part of
> the Everyone Group, it's causing a conflict and he can't delete items.
>
> I'm not heavy in AD, etc. Any ideas on how to fix it?
>
> Brent
>


Remove Everyone. Use Authenticated Users with Read, Read & Execute, List,
then give Bob FC. No need to go into Advanced other than removing
inheritance. This will give all Authenticated Users (people logged on, but
not the Guest or IIS_USR accounts, etc). Everyone includes the guest, etc,
which is why I don't recommend using that security principle. If you want
just Mary to access the folder, and not all authenticated users, remove Auth
Users, and only give Mary those permissions.

Such as:
Parent folder: Data
Shared as Data
Share permissions:
Remove Inheritance
Remove Everyone.
Auth Users = C
Domain Admins = FC

NTFS (security tab) permissions:
Auth Users = M (not FC or they can change perms)
Domain Admin = FC
Bob = M (not FC or he can change perms)
System = FC (for the system)

The system evaluate the share perms and the NTFS perms resulting in the Most
Restrictive. Then the system evaluates the NTFS perms and results in the
Least restrictive. That's why if Bob is in there with Modify, and Auth Users
have R, R&E, L, he has all of them, unless you go into special and deny auth
users the ability to delete or deny something else.

So the only reason Bob can't delete files if the delete files was denied.
Deny overrides everything, otherwise if there is no Deny on anything,
permissions are accumulated under the ACL (Least Restrictive).

You can also go into Advanced, Effective Permissions, and run Bob and see
what he gets.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

Hello Brent,

In a domain don't work with everyone group and single user accounts when
configuring NTFS permissions. Use Domain users or authenticated users as
the top level group and then create security groups for your needs, one with
"read&execute" and another one with "modify", in AD for 1st only reading
and second read/write/delete. With this basic setup on the folders you can
define the basic settings without digging into deep with special permissions.

Administrators and System i would use on each folders with Full control.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I am trying to create a folder system where users can put there files
> on the network to share with others. BUT! I want to restrict access.
> For instance, I want Bob to be able to have full permission to his
> folder, then I want Mary to be able to access the folder, but not
> delete anything. Here's what I have done so far:
>
> Created a folder for Bob, added the "Everyone Group" giving them
> "Special Permissions," then I added Bob with "Full Permissions." I
> also removed the option to "Inherit From Parent." The problem is that
> since Bob is part of the Everyone Group, it's causing a conflict and
> he can't delete items.
>
> I'm not heavy in AD, etc. Any ideas on how to fix it?
>
> Brent
>

Didn't work :( I tried it with the Bob - FC and Authenticated Users -
R/R&E/L, and then I tried Domain Users - R/R&E/L. Both didn't work. Bob
can't create files or delete them. Any other ideas?


"Brent" <somebody@somewhere.com> wrote in message
news:uSPsyVcUKHA.2836@TK2MSFTNGP04.phx.gbl...
>I am trying to create a folder system where users can put there files on
>the network to share with others. BUT! I want to restrict access. For
>instance, I want Bob to be able to have full permission to his folder, then
>I want Mary to be able to access the folder, but not delete anything.
>Here's what I have done so far:
>
> Created a folder for Bob, added the "Everyone Group" giving them "Special
> Permissions," then I added Bob with "Full Permissions." I also removed the
> option to "Inherit From Parent." The problem is that since Bob is part of
> the Everyone Group, it's causing a conflict and he can't delete items.
>
> I'm not heavy in AD, etc. Any ideas on how to fix it?
>
> Brent
>

"Brent" <somebody@somewhere.com> wrote in message
news:%23homNamUKHA.4816@TK2MSFTNGP06.phx.gbl...
> Didn't work :( I tried it with the Bob - FC and Authenticated Users -
> R/R&E/L, and then I tried Domain Users - R/R&E/L. Both didn't work. Bob
> can't create files or delete them. Any other ideas?


Ok, we'll need more specifics to evaluate and diagnose this.

Describe the exact folder structure and permissons. Use the format that I
used in my other post with my suggests. Specify the parent folder name, the
Share Permissions, and the Security Tab permissions.

Example:

Parent Folder
List of all of the Share Permissions (all groups and user accts)
List of all of the Security Tab Permissions (all groups and user accts)

Child Folder (Bob's folder)
List of all of the Security Tab Permissions (all groups and user accts)
List of all Inheritance status

Ace

Okay. In order of tree:

E:\ - Admin - FC, Creator Owner - SP, Everyone - L, R, System - FC, Users -
R&E, L, R
Folder:\ - Admin - FC, Creator Owner - SP, Everyone - L, SP, System - FC,
Users - R&E, L, R,SP
Folder:\ - Same as above
Folder:\ - The one I am working with.

Except for the drive letter, all have interit.

Hope that helps.


"Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:u0BvgSnUKHA.3404@TK2MSFTNGP04.phx.gbl...
> "Brent" <somebody@somewhere.com> wrote in message
> news:%23homNamUKHA.4816@TK2MSFTNGP06.phx.gbl...
>> Didn't work :( I tried it with the Bob - FC and Authenticated Users -
>> R/R&E/L, and then I tried Domain Users - R/R&E/L. Both didn't work. Bob
>> can't create files or delete them. Any other ideas?
>
>
> Ok, we'll need more specifics to evaluate and diagnose this.
>
> Describe the exact folder structure and permissons. Use the format that I
> used in my other post with my suggests. Specify the parent folder name,
> the Share Permissions, and the Security Tab permissions.
>
> Example:
>
> Parent Folder
> List of all of the Share Permissions (all groups and user accts)
> List of all of the Security Tab Permissions (all groups and user accts)
>
> Child Folder (Bob's folder)
> List of all of the Security Tab Permissions (all groups and user accts)
> List of all Inheritance status
>
> Ace
>

"Brent" <somebody@somewhere.com> wrote in message
news:%23HT%23GanUKHA.4004@TK2MSFTNGP05.phx.gbl...
> Okay. In order of tree:
>
> E:\ - Admin - FC, Creator Owner - SP, Everyone - L, R, System - FC,
> Users - R&E, L, R
> Folder:\ - Admin - FC, Creator Owner - SP, Everyone - L, SP, System - FC,
> Users - R&E, L, R,SP
> Folder:\ - Same as above
> Folder:\ - The one I am working with.
>
> Except for the drive letter, all have interit.
>
> Hope that helps.

The way you listed it is difficult to understand. I was hoping to see it in
the form of my example.

From what you posted, I am translating it as:

===
E: Drive
Share permission:
....Everyone = Read

Security tab permissions:
....Everyone List & Read & Read/Execute
....System FC
....Users - Read/Execute, List, Read, Special Permission
(What are the Special Permissions????? -Please list them out.)
===

E:\FolderName
Share permissions:
Everyone List
Security permissions:

I don't full understand this part below.
===
Folder:\ - Admin - FC, Creator Owner - SP, Everyone - L, SP, System - FC,
> Users - R&E, L, R,SP
===

Can you break it down, please? List it out specifically what the SHARE
permissions are and the Security Tab permissions are. If there is a "Special
Permissions," PLEASE list what those special permissions are. This way we
are all understand what permissions you've set on the SHARE and the SECURITY
tab.

Remember what I said earlier - the system evaluates the SHARE permissions
and the Security tab permissions to come up with an EFFECTIVE permission,
which is the "MOST restrictive." What that simply means is that if Everyone
has Read in the share permissions, and that is the ONLY permission set in
the Share Permissions, and you give Bob Full Control in the security tab,
then Bob ONLY gets Read.

Ace

Hello Brent,

Please post the SHARE permissions you have configured, by default on 2003
and higher OS they are set to read&execute. They will win doesn't matter
which NTFS permissions are configured. So set them to Full control of not
done.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Didn't work :( I tried it with the Bob - FC and Authenticated Users -
> R/R&E/L, and then I tried Domain Users - R/R&E/L. Both didn't work.
> Bob can't create files or delete them. Any other ideas?
>
> "Brent" <somebody@somewhere.com> wrote in message
> news:uSPsyVcUKHA.2836@TK2MSFTNGP04.phx.gbl...
>
>> I am trying to create a folder system where users can put there files
>> on the network to share with others. BUT! I want to restrict access.
>> For instance, I want Bob to be able to have full permission to his
>> folder, then I want Mary to be able to access the folder, but not
>> delete anything. Here's what I have done so far:
>>
>> Created a folder for Bob, added the "Everyone Group" giving them
>> "Special Permissions," then I added Bob with "Full Permissions." I
>> also removed the option to "Inherit From Parent." The problem is that
>> since Bob is part of the Everyone Group, it's causing a conflict and
>> he can't delete items.
>>
>> I'm not heavy in AD, etc. Any ideas on how to fix it?
>>
>> Brent
>>

Hey Guys,

I was talking to the admin. Turns out the previous admin did a REAL number
on the AD. So basically the previous admin went through AD willy nilly and
was doing his own thing, which basically left the AD in shambles. We're
pretty much screwed on all fronts. Until we blast the server or something,
we have to be careful. The AD is so messed up, that changing particular
permissions causes account to go crazy and desktops get wiped.

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d80068cc211c1fd9433e@msnews.microsoft.com...
> Hello Brent,
>
> Please post the SHARE permissions you have configured, by default on 2003
> and higher OS they are set to read&execute. They will win doesn't matter
> which NTFS permissions are configured. So set them to Full control of not
> done.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> Didn't work :( I tried it with the Bob - FC and Authenticated Users -
>> R/R&E/L, and then I tried Domain Users - R/R&E/L. Both didn't work.
>> Bob can't create files or delete them. Any other ideas?
>>
>> "Brent" <somebody@somewhere.com> wrote in message
>> news:uSPsyVcUKHA.2836@TK2MSFTNGP04.phx.gbl...
>>
>>> I am trying to create a folder system where users can put there files
>>> on the network to share with others. BUT! I want to restrict access.
>>> For instance, I want Bob to be able to have full permission to his
>>> folder, then I want Mary to be able to access the folder, but not
>>> delete anything. Here's what I have done so far:
>>>
>>> Created a folder for Bob, added the "Everyone Group" giving them
>>> "Special Permissions," then I added Bob with "Full Permissions." I
>>> also removed the option to "Inherit From Parent." The problem is that
>>> since Bob is part of the Everyone Group, it's causing a conflict and
>>> he can't delete items.
>>>
>>> I'm not heavy in AD, etc. Any ideas on how to fix it?
>>>
>>> Brent
>>>
>
>

Hello Brent,

You where talking about folder permissions, now you state AD? So do you talk
about permissions in AD UC on the OUs or do you talk about data folders/shares
and there permissions?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hey Guys,
>
> I was talking to the admin. Turns out the previous admin did a REAL
> number on the AD. So basically the previous admin went through AD
> willy nilly and was doing his own thing, which basically left the AD
> in shambles. We're pretty much screwed on all fronts. Until we blast
> the server or something, we have to be careful. The AD is so messed
> up, that changing particular permissions causes account to go crazy
> and desktops get wiped.
>
> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
> news:6cb2911d80068cc211c1fd9433e@msnews.microsoft.com...
>
>> Hello Brent,
>>
>> Please post the SHARE permissions you have configured, by default on
>> 2003 and higher OS they are set to read&execute. They will win
>> doesn't matter which NTFS permissions are configured. So set them to
>> Full control of not done.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Didn't work :( I tried it with the Bob - FC and Authenticated Users
>>> - R/R&E/L, and then I tried Domain Users - R/R&E/L. Both didn't
>>> work. Bob can't create files or delete them. Any other ideas?
>>>
>>> "Brent" <somebody@somewhere.com> wrote in message
>>> news:uSPsyVcUKHA.2836@TK2MSFTNGP04.phx.gbl...
>>>> I am trying to create a folder system where users can put there
>>>> files on the network to share with others. BUT! I want to restrict
>>>> access. For instance, I want Bob to be able to have full permission
>>>> to his folder, then I want Mary to be able to access the folder,
>>>> but not delete anything. Here's what I have done so far:
>>>>
>>>> Created a folder for Bob, added the "Everyone Group" giving them
>>>> "Special Permissions," then I added Bob with "Full Permissions." I
>>>> also removed the option to "Inherit From Parent." The problem is
>>>> that since Bob is part of the Everyone Group, it's causing a
>>>> conflict and he can't delete items.
>>>>
>>>> I'm not heavy in AD, etc. Any ideas on how to fix it?
>>>>
>>>> Brent
>>>>

From what I understand, everything is steming from AD. The previous admin
created his own set of users/computer groups with some crazy security groups
etc. Seems that is causing alot of conflicts. In addition to which he did
another number on the group policies. So it's bascially left the server in a
position where the smallest of changes to things like policies and
permissions/rights causes the system to go crazy.

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d80ce8cc217ca0f7d13f@msnews.microsoft.com...
> Hello Brent,
>
> You where talking about folder permissions, now you state AD? So do you
> talk about permissions in AD UC on the OUs or do you talk about data
> folders/shares and there permissions?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> Hey Guys,
>>
>> I was talking to the admin. Turns out the previous admin did a REAL
>> number on the AD. So basically the previous admin went through AD
>> willy nilly and was doing his own thing, which basically left the AD
>> in shambles. We're pretty much screwed on all fronts. Until we blast
>> the server or something, we have to be careful. The AD is so messed
>> up, that changing particular permissions causes account to go crazy
>> and desktops get wiped.
>>
>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
>> news:6cb2911d80068cc211c1fd9433e@msnews.microsoft.com...
>>
>>> Hello Brent,
>>>
>>> Please post the SHARE permissions you have configured, by default on
>>> 2003 and higher OS they are set to read&execute. They will win
>>> doesn't matter which NTFS permissions are configured. So set them to
>>> Full control of not done.
>>>
>>> Best regards
>>>
>>> Meinolf Weber
>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>> confers no rights.
>>> ** Please do NOT email, only reply to Newsgroups
>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>> Didn't work :( I tried it with the Bob - FC and Authenticated Users
>>>> - R/R&E/L, and then I tried Domain Users - R/R&E/L. Both didn't
>>>> work. Bob can't create files or delete them. Any other ideas?
>>>>
>>>> "Brent" <somebody@somewhere.com> wrote in message
>>>> news:uSPsyVcUKHA.2836@TK2MSFTNGP04.phx.gbl...
>>>>> I am trying to create a folder system where users can put there
>>>>> files on the network to share with others. BUT! I want to restrict
>>>>> access. For instance, I want Bob to be able to have full permission
>>>>> to his folder, then I want Mary to be able to access the folder,
>>>>> but not delete anything. Here's what I have done so far:
>>>>>
>>>>> Created a folder for Bob, added the "Everyone Group" giving them
>>>>> "Special Permissions," then I added Bob with "Full Permissions." I
>>>>> also removed the option to "Inherit From Parent." The problem is
>>>>> that since Bob is part of the Everyone Group, it's causing a
>>>>> conflict and he can't delete items.
>>>>>
>>>>> I'm not heavy in AD, etc. Any ideas on how to fix it?
>>>>>
>>>>> Brent
>>>>>
>
>

Hello Brent,

In AD you create/manage the computer/user accounts and can create security
groups, this is correct. With this createed security groups you set NTFS/share
permissions on the folders where your files are located, also correct.

Security groups can create 'conflicts' if some user accunts are members of
multiple security groups that are used with concurrent permissions on your
data folders/shares.

Group policies are applied to users and computers according to the level
where they are linked to. This can be local, site, domain or OU level, where
local has the lowest precedence. For example on a local GPO some settings
is set to enabled and on OU level exactly the same setting is set to disabled,
then OU setting will win.

So in your case i would start with collecting information about the needs
of your users, where they need which kind of access on the shared folders.
If this is clear and your folder permission are not really to understand
for you, i would create a new folder structure on a new shared fodler and
copy data to the new structure where the permissions set as needed in the
company, which is now done with your own created new security groups. This
way you can ensure that you will know how are the permissions are set. Maybe
some users will complain about, that they can not access some data, but then
you can easily built new security groups according to the needs that you
really understand.

More or less the same way you can use to built a new OU structure with new
GPOs and move the users/computers to them, of course you have to test all
new structures before with test accounts. It is a lot of work, but later
on you know whats going on and if nobody is in the old structures located
you can remove old GPOs and the old self created OUs.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> From what I understand, everything is steming from AD. The previous
> admin created his own set of users/computer groups with some crazy
> security groups etc. Seems that is causing alot of conflicts. In
> addition to which he did another number on the group policies. So it's
> bascially left the server in a position where the smallest of changes
> to things like policies and permissions/rights causes the system to go
> crazy.
>
> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
> news:6cb2911d80ce8cc217ca0f7d13f@msnews.microsoft.com...
>
>> Hello Brent,
>>
>> You where talking about folder permissions, now you state AD? So do
>> you talk about permissions in AD UC on the OUs or do you talk about
>> data folders/shares and there permissions?
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Hey Guys,
>>>
>>> I was talking to the admin. Turns out the previous admin did a REAL
>>> number on the AD. So basically the previous admin went through AD
>>> willy nilly and was doing his own thing, which basically left the AD
>>> in shambles. We're pretty much screwed on all fronts. Until we blast
>>> the server or something, we have to be careful. The AD is so messed
>>> up, that changing particular permissions causes account to go crazy
>>> and desktops get wiped.
>>>
>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
>>> news:6cb2911d80068cc211c1fd9433e@msnews.microsoft.com...
>>>
>>>> Hello Brent,
>>>>
>>>> Please post the SHARE permissions you have configured, by default
>>>> on 2003 and higher OS they are set to read&execute. They will win
>>>> doesn't matter which NTFS permissions are configured. So set them
>>>> to Full control of not done.
>>>>
>>>> Best regards
>>>>
>>>> Meinolf Weber
>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>> and
>>>> confers no rights.
>>>> ** Please do NOT email, only reply to Newsgroups
>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>> Didn't work :( I tried it with the Bob - FC and Authenticated
>>>>> Users - R/R&E/L, and then I tried Domain Users - R/R&E/L. Both
>>>>> didn't work. Bob can't create files or delete them. Any other
>>>>> ideas?
>>>>>
>>>>> "Brent" <somebody@somewhere.com> wrote in message
>>>>> news:uSPsyVcUKHA.2836@TK2MSFTNGP04.phx.gbl...
>>>>>> I am trying to create a folder system where users can put there
>>>>>> files on the network to share with others. BUT! I want to
>>>>>> restrict access. For instance, I want Bob to be able to have full
>>>>>> permission to his folder, then I want Mary to be able to access
>>>>>> the folder, but not delete anything. Here's what I have done so
>>>>>> far:
>>>>>>
>>>>>> Created a folder for Bob, added the "Everyone Group" giving them
>>>>>> "Special Permissions," then I added Bob with "Full Permissions."
>>>>>> I also removed the option to "Inherit From Parent." The problem
>>>>>> is that since Bob is part of the Everyone Group, it's causing a
>>>>>> conflict and he can't delete items.
>>>>>>
>>>>>> I'm not heavy in AD, etc. Any ideas on how to fix it?
>>>>>>
>>>>>> Brent
>>>>>>