Folder Permissions

  #1  
Old 18-01-2009
mcp6453
 
Posts: n/a
Folder Permissions

As I have posted here on several occasions, I am a voluntary admin on a Windows
Server 2003 for a non-profit organization. There are approximately 20 active
users on the server, which has been running well since it was installed in 2005.
All service packs and updates have been applied. It is the simplest of
single-server installations.

The issue of folder permissions is not clear to me at all. Today I resolved to
understand folder permissions by reading the help files, but I am no further
along than I was when I started.

For example, on a "jane user" folder, on the Security tab of the Properties
window, the two entries listed are "Administrators" and "jane user". Both have
full control. If I click the Advanced tab, under permission entries, I have the
following two entries:

Allow Administrators Full Control <not inherited> This folder, subfolders...
Allow jane user Full Control <not inherited> This folder, subfolders...

"Allow inherited permissions from the parent to propagate to this object and all
child objects. Include these with entries explicitly defined here" is not
checked. "Replace permission entries on all child objects with entries shown
here that apply to child objects" is not checked.

On another user account, say "john user", the Group or user names listed are
Administrators, CREATOR OWNER, john user, SYSTEM, and Users. On the Advanced
tab, "Allow inherited permissions..." is checked.

It seems to me that the Users group (Read & Execute, List Folder Contents, Read,
Special Permissions) has to be removed so that other users cannot read the
folder contents. If I try to remove Users, the server will not allow me until I
uncheck inheritance on the following page. So, on another account, I unchecked
it and removed it.

If someone can explain or point me to a plain English primer that will help me
understand these permission issues, I would very much appreciate it. I did not
set up the server, so I don't know which set of permissions is the right ones. I
would also appreciate hearing some recommendations for best practices for
managing folder permissions. The expensive book I bought on Windows Server 2003
seems to be written by the same people who wrote the online help.

  #2  
Old 18-01-2009
Lanwench [MVP - Exchange]
 
Posts: n/a
Re: Folder Permissions

mcp6453 <mcp6453@gmail.com> wrote:
> As I have posted here on several occasions, I am a voluntary admin on
> a Windows Server 2003 for a non-profit organization. There are
> approximately 20 active users on the server, which has been running
> well since it was installed in 2005. All service packs and updates
> have been applied. It is the simplest of single-server installations.
>
> The issue of folder permissions is not clear to me at all. Today I
> resolved to understand folder permissions by reading the help files,
> but I am no further along than I was when I started.
>
> For example, on a "jane user" folder, on the Security tab of the
> Properties window, the two entries listed are "Administrators" and
> "jane user". Both have full control. If I click the Advanced tab,
> under permission entries, I have the following two entries:
>
> Allow Administrators Full Control <not inherited> This folder,
> subfolders... Allow jane user Full Control <not inherited> This
> folder, subfolders...
> "Allow inherited permissions from the parent to propagate to this
> object and all child objects. Include these with entries explicitly
> defined here" is not checked. "Replace permission entries on all
> child objects with entries shown here that apply to child objects" is
> not checked.
> On another user account, say "john user", the Group or user names
> listed are Administrators, CREATOR OWNER, john user, SYSTEM, and
> Users. On the Advanced tab, "Allow inherited permissions..." is
> checked.
> It seems to me that the Users group (Read & Execute, List Folder
> Contents, Read, Special Permissions) has to be removed so that other
> users cannot read the folder contents.


Yep. Doesn't look like Users should be in there.

> If I try to remove Users, the
> server will not allow me until I uncheck inheritance on the following
> page. So, on another account, I unchecked it and removed it.


To be on the safe side: don't remove - click Copy, when prompted. Then
correct the permissions. Otherwise you can lock yourself out too!
>
> If someone can explain or point me to a plain English primer that
> will help me understand these permission issues, I would very much
> appreciate it. I did not set up the server, so I don't know which set
> of permissions is the right ones. I would also appreciate hearing
> some recommendations for best practices for managing folder
> permissions. The expensive book I bought on Windows Server 2003 seems
> to be written by the same people who wrote the online help.


These might help:
http://www.mcmcse.com/microsoft/guid...missions.shtml
http://www.windowsecurity.com/articl...rmissions.html
http://www.eventreporter.com/Common/...EATOROWNER.php

My recommendation for permissions is basically this:

Administrators + System has full control, plus anyone else who needs it
My share permissions are Everyone=Full Control.
I like to use groups rather than individual users to set permissions
whenever possible

Inheritance from the parent (e.g., d:\data\) is *not* enabled for any
subfolder I plan to share (e.g., d:\data\share1)
Inheritance for the subfolder's subfolders (e.g., d:\data\share1\subfolder)
*is* enabled, so any NTFS permissions on share1 will exist on any
subfolder/files therein.

Anything that requires different/unique permissions, goes in its own share -
i.e., don't get in the habit of setting different NTFS permissions on
subfolders under a share. If there is accounting data, it doesn't go in
\\server\shared\accounting, it goes in \\server\accounting, and only the
Accounting security group has rights. And so on for all other 'department'
type of folders.

I usually have a folder called Users, with a subfolder for each user.
Administrators has permissions to all, as does system (both = full control).
Each individual user *also* has rights to his or her subfolder. No user has
rights to any other user's folder. This is easy if you let Windows create
the folders....see
"How to dynamically create security-enhanced redirected folders by using
folder redirection in Windows 2000 and in Windows Server 2003"
http://support.microsoft.com/kb/274443

Hope this helps.



  #3  
Old 18-01-2009
mcp6453
 
Posts: n/a
Re: Folder Permissions

Lanwench [MVP - Exchange] wrote:
> mcp6453 <mcp6453@gmail.com> wrote:
>> As I have posted here on several occasions, I am a voluntary admin on
>> a Windows Server 2003 for a non-profit organization. There are
>> approximately 20 active users on the server, which has been running
>> well since it was installed in 2005. All service packs and updates
>> have been applied. It is the simplest of single-server installations.
>>
>> The issue of folder permissions is not clear to me at all. Today I
>> resolved to understand folder permissions by reading the help files,
>> but I am no further along than I was when I started.
>>
>> For example, on a "jane user" folder, on the Security tab of the
>> Properties window, the two entries listed are "Administrators" and
>> "jane user". Both have full control. If I click the Advanced tab,
>> under permission entries, I have the following two entries:
>>
>> Allow Administrators Full Control <not inherited> This folder,
>> subfolders... Allow jane user Full Control <not inherited> This
>> folder, subfolders...
>> "Allow inherited permissions from the parent to propagate to this
>> object and all child objects. Include these with entries explicitly
>> defined here" is not checked. "Replace permission entries on all
>> child objects with entries shown here that apply to child objects" is
>> not checked.
>> On another user account, say "john user", the Group or user names
>> listed are Administrators, CREATOR OWNER, john user, SYSTEM, and
>> Users. On the Advanced tab, "Allow inherited permissions..." is
>> checked.
>> It seems to me that the Users group (Read & Execute, List Folder
>> Contents, Read, Special Permissions) has to be removed so that other
>> users cannot read the folder contents.

>
> Yep. Doesn't look like Users should be in there.
>
>> If I try to remove Users, the
>> server will not allow me until I uncheck inheritance on the following
>> page. So, on another account, I unchecked it and removed it.

>
> To be on the safe side: don't remove - click Copy, when prompted. Then
> correct the permissions. Otherwise you can lock yourself out too!
>> If someone can explain or point me to a plain English primer that
>> will help me understand these permission issues, I would very much
>> appreciate it. I did not set up the server, so I don't know which set
>> of permissions is the right ones. I would also appreciate hearing
>> some recommendations for best practices for managing folder
>> permissions. The expensive book I bought on Windows Server 2003 seems
>> to be written by the same people who wrote the online help.

>
> These might help:
> http://www.mcmcse.com/microsoft/guid...missions.shtml
> http://www.windowsecurity.com/articl...rmissions.html
> http://www.eventreporter.com/Common/...EATOROWNER.php
>
> My recommendation for permissions is basically this:
>
> Administrators + System has full control, plus anyone else who needs it
> My share permissions are Everyone=Full Control.
> I like to use groups rather than individual users to set permissions
> whenever possible
>
> Inheritance from the parent (e.g., d:\data\) is *not* enabled for any
> subfolder I plan to share (e.g., d:\data\share1)
> Inheritance for the subfolder's subfolders (e.g., d:\data\share1\subfolder)
> *is* enabled, so any NTFS permissions on share1 will exist on any
> subfolder/files therein.
>
> Anything that requires different/unique permissions, goes in its own share -
> i.e., don't get in the habit of setting different NTFS permissions on
> subfolders under a share. If there is accounting data, it doesn't go in
> \\server\shared\accounting, it goes in \\server\accounting, and only the
> Accounting security group has rights. And so on for all other 'department'
> type of folders.
>
> I usually have a folder called Users, with a subfolder for each user.
> Administrators has permissions to all, as does system (both = full control).
> Each individual user *also* has rights to his or her subfolder. No user has
> rights to any other user's folder. This is easy if you let Windows create
> the folders....see
> "How to dynamically create security-enhanced redirected folders by using
> folder redirection in Windows 2000 and in Windows Server 2003"
> http://support.microsoft.com/kb/274443
>
> Hope this helps.


It helps some, but parts of it I still don't get. It's frustrating to come in
after someone else who may or may not have known what he was doing.

Thanks for taking the time.

  #4  
Old 18-01-2009
Lanwench [MVP - Exchange]
 
Posts: n/a
Re: Folder Permissions

mcp6453 <mcp6453@gmail.com> wrote:

<snipped for length>

>> Hope this helps.

>
> It helps some, but parts of it I still don't get.


What exactly is confusing? I suggest you start by explaining what problems
you see, and what you want to do to correct them.

> It's frustrating to
> come in after someone else who may or may not have known what he was
> doing.


Yep, but that gets a lot easier once you feel more confident that *you* know
better. ;-)
>
> Thanks for taking the time.





  #5  
Old 18-01-2009
mcp6453
 
Posts: n/a
Re: Folder Permissions

Lanwench [MVP - Exchange] wrote:
> mcp6453 <mcp6453@gmail.com> wrote:
>
> <snipped for length>
>
>>> Hope this helps.

>> It helps some, but parts of it I still don't get.

>
> What exactly is confusing? I suggest you start by explaining what problems
> you see, and what you want to do to correct them.


I want to understand what permissions to assign to a folder and how to assign
them. For example, at one point, while logged in as administrator through a
console session, I double clicked on a text file located in a user's folder.
Even as administrator, I was denied access. I had to take ownership of the
folder with the administrators group rather than as the administrator. For
another folder, I had to go into Properties | Security | Advanced and change
access to "This folder, subfolders, and files", and I'm not clear how I did that
(unless it was with edit.)

The inheritance thing still escapes me. If you will, please give me an example
of when to use inheritance and when to avoid it. Remember that our system is the
simplest installation of all. The only terminal services we are using is when I
log in remotely to work on the server. There are no "deny" settings on any
folders. The owner of every folder should be Administrator or Administrators.

I realize how it is possible that I stumbled onto a solution to get access. In
my normal line of work, I can immediately know when a person asking a question
has not mastered the art of the question being asked. It is not my intent to
come to usenet to ask questions that I should understand. It is my intent to get
to the point that I can say, "oh, that's easy."

As in the previous example, the only people who should be able to get into the
"janitor" user folder are Administrators and janitor. No one else should be able
to access the folder. Should CREATOR or SYSTEM be included? They are not.

>> It's frustrating to
>> come in after someone else who may or may not have known what he was
>> doing.

>
> Yep, but that gets a lot easier once you feel more confident that *you* know
> better. ;-)
>> Thanks for taking the time.

>
>
>


  #6  
Old 19-01-2009
Lanwench [MVP - Exchange]
 
Posts: n/a
Re: Folder Permissions

mcp6453 <mcp6453@gmail.com> wrote:
> Lanwench [MVP - Exchange] wrote:
>> mcp6453 <mcp6453@gmail.com> wrote:
>>
>> <snipped for length>
>>
>>>> Hope this helps.
>>> It helps some, but parts of it I still don't get.

>>
>> What exactly is confusing? I suggest you start by explaining what
>> problems you see, and what you want to do to correct them.

>
> I want to understand what permissions to assign to a folder and how
> to assign them.


The former depends entirely on your needs. I gave you examples of how I set
up permissions. The latter is pretty straightforward - although I understand
that inheritance can be a little tricky to grasp at first.

> For example, at one point, while logged in as
> administrator through a console session, I double clicked on a text
> file located in a user's folder. Even as administrator, I was denied
> access. I had to take ownership of the folder with the administrators
> group rather than as the administrator.



That's because the group Administrators (or the user Administrator) didn't
have any inherited or explicitly applied permissions. You don't need to be
an owner to *have* permissions - but you need to be an owner to *reset*
them.

> For another folder, I had to
> go into Properties | Security | Advanced and change access to "This
> folder, subfolders, and files", and I'm not clear how I did that
> (unless it was with edit.)


You did it in the advanced button in the NTFS security window.
>
> The inheritance thing still escapes me. If you will, please give me
> an example of when to use inheritance and when to avoid it.


In my example, since I want all user subfolders off of d:\data\users to have
different permissions, I don't enable inheritance on them.
In d:\data\shared, I want all users to have access & I want subfolders to
*inherit* that access. So, inheritance would be enabled on any new
subfolders.

> that our system is the simplest installation of all.


Is it? I'm sure there are simpler ones ;-)

> The only
> terminal services we are using is when I log in remotely to work on
> the server. There are no "deny" settings on any folders. The owner of
> every folder should be Administrator or Administrators.


No. If a user creates a folder (e.g., a subfolder), the user is going to be
the owner. The fact that you as an admin aren't the owner, doesn't mean you
won't have access, though.
>
> I realize how it is possible that I stumbled onto a solution to get
> access.


? I'm not sure what that means.

> In my normal line of work, I can immediately know when a
> person asking a question has not mastered the art of the question
> being asked. It is not my intent to come to usenet to ask questions
> that I should understand. It is my intent to get to the point that I
> can say, "oh, that's easy."


I don't know what your normal line of work is, nor what the above paragraph
implies. These newsgroups are very useful for specific technical
questions, especially with examples, but to learn this stuff you will
definitely want to do some reading and experimenting. I don't know of a good
book or I'd recommend one.

>
> As in the previous example, the only people who should be able to get
> into the "janitor" user folder are Administrators and janitor. No one
> else should be able to access the folder. Should CREATOR or SYSTEM be
> included? They are not.


As I mentioned, System *should*. As should Administrators. I don't manually
set creator owner most of the time. Did you check out the links I posted?

>
>>> It's frustrating to
>>> come in after someone else who may or may not have known what he was
>>> doing.

>>
>> Yep, but that gets a lot easier once you feel more confident that
>> *you* know better. ;-)
>>> Thanks for taking the time.


I hope this has helped.



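The layout recommended in posts #2 and #6 (per-user folders under d:\data\users with inheritance turned off, and only Administrators, SYSTEM and the folder's own user holding Full Control) can be checked with a read-only audit. This is an added example, not part of the thread; it assumes PowerShell 2.0 or later and that each folder is named after the account it belongs to, and the `$UsersRoot` and `$Domain` parameter names are made up for the example.

```powershell
# Read-only audit of per-user folders (added example, not from the thread).
# Assumption: each subfolder of $UsersRoot is named after the account it belongs to.
param(
    [string]$UsersRoot = 'D:\data\users',   # example path used in the thread
    [string]$Domain    = $env:USERDOMAIN    # assumption: accounts are in this domain
)

$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$SidType     = [System.Security.Principal.SecurityIdentifier]
# Well-known SIDs, so the check does not depend on the OS display language
$Required    = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-18' = 'SYSTEM' }

function New-Finding($Folder, $Issue, $Detail) {
    New-Object PSObject -Property @{ Folder = $Folder; Issue = $Issue; Detail = $Detail }
}

function Resolve-SidName($Sid) {
    # Orphaned SIDs (deleted accounts) cannot be translated; show the raw SID instead
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier $Sid
        $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

$findings = Get-ChildItem -Path $UsersRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $path = $_.FullName
    $name = $_.Name
    $acl  = Get-Acl -Path $path

    # Expected trustees: Administrators, SYSTEM and the account the folder is named after
    $expected = $Required.Clone()
    try {
        $account = New-Object System.Security.Principal.NTAccount($Domain, $name)
        $expected[$account.Translate($SidType).Value] = $account.Value
    } catch {
        New-Finding $path 'NoMatchingAccount' "No account '$Domain\$name' was found"
    }

    # Inheritance must be blocked, otherwise parent ACEs (such as Users: Read) flow in
    if (-not $acl.AreAccessRulesProtected) {
        New-Finding $path 'InheritanceEnabled' 'Permissions from the parent folder apply here'
    }

    $covered = @{}
    foreach ($rule in $acl.GetAccessRules($true, $true, $SidType)) {
        $sid = $rule.IdentityReference.Value
        if (-not $expected.ContainsKey($sid)) {
            $origin = if ($rule.IsInherited) { 'inherited' } else { 'explicit' }
            $detail = "{0}: {1} {2} ({3})" -f (Resolve-SidName $sid),
                      $rule.AccessControlType, $rule.FileSystemRights, $origin
            New-Finding $path 'UnexpectedTrustee' $detail
        }
        elseif ($rule.AccessControlType -eq 'Allow' -and
                ([int]$rule.FileSystemRights -band $FullControl) -eq $FullControl -and
                $rule.InheritanceFlags -eq 'ContainerInherit, ObjectInherit' -and
                $rule.PropagationFlags -eq 'None') {
            # Full Control applied to "This folder, subfolders and files"
            $covered[$sid] = $true
        }
    }

    foreach ($sid in $expected.Keys) {
        if (-not $covered.ContainsKey($sid)) {
            New-Finding $path 'MissingFullControl' `
                "$($expected[$sid]) lacks Full Control on this folder, subfolders and files"
        }
    }
}

$findings | Sort-Object Folder, Issue | Format-Table Folder, Issue, Detail -AutoSize -Wrap
```

The script only reads ACLs and changes nothing. CREATOR OWNER, where present, is listed as an unexpected trustee so that whoever reviews the output can decide whether to keep it.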
  #7  
Old 19-01-2009
mcp6453
 
Posts: n/a
Re: Folder Permissions

Lanwench [MVP - Exchange] wrote:
> mcp6453 <mcp6453@gmail.com> wrote:
>> Lanwench [MVP - Exchange] wrote:
>>> mcp6453 <mcp6453@gmail.com> wrote:
>>>
>>> <snipped for length>
>>>
>>>>> Hope this helps.
>>>> It helps some, but parts of it I still don't get.
>>> What exactly is confusing? I suggest you start by explaining what
>>> problems you see, and what you want to do to correct them.

>> I want to understand what permissions to assign to a folder and how
>> to assign them.

>
> The former depends entirely on your needs. I gave you examples of how I set
> up permissions. The latter is pretty straightforward - although I understand
> that inheritance can be a little tricky to grasp at first.
>
>> For example, at one point, while logged in as
>> administrator through a console session, I double clicked on a text
>> file located in a user's folder. Even as administrator, I was denied
>> access. I had to take ownership of the folder with the administrators
>> group rather than as the administrator.

>
>
> That's because the group Administrators (or the user Administrator) didn't
> have any inherited or explicitly applied permissions. You don't need to be
> an owner to *have* permissions - but you need to be an owner to *reset*
> them.
>
>> For another folder, I had to
>> go into Properties | Security | Advanced and change access to "This
>> folder, subfolders, and files", and I'm not clear how I did that
>> (unless it was with edit.)

>
> You did it in the advanced button in the NTFS security window.
>> The inheritance thing still escapes me. If you will, please give me
>> an example of when to use inheritance and when to avoid it.

>
> In my example, since I want all user subfolders off of d:\data\users to have
> different permissions, I don't enable inheritance on them.
> In d:\data\shared, I want all users to have access & I want subfolders to
> *inherit* that access. So, inheritance would be enabled on any new
> subfolders.
>
>> that our system is the simplest installation of all.

>
> Is it? I'm sure there are simpler ones ;-)
>
>> The only
>> terminal services we are using is when I log in remotely to work on
>> the server. There are no "deny" settings on any folders. The owner of
>> every folder should be Administrator or Administrators.

>
> No. If a user creates a folder (e.g., a subfolder), the user is going to be
> the owner. The fact that you as an admin aren't the owner, doesn't mean you
> won't have access, though.
>> I realize how it is possible that I stumbled onto a solution to get
>> access.

>
> ? I'm not sure what that means.
>
>> In my normal line of work, I can immediately know when a
>> person asking a question has not mastered the art of the question
>> being asked. It is not my intent to come to usenet to ask questions
>> that I should understand. It is my intent to get to the point that I
>> can say, "oh, that's easy."

>
> I don't know what your normal line of work is, nor what the above paragraph
> implies. These newsgroups are very useful for specific technical
> questions, especially with examples, but to learn this stuff you will
> definitely want to do some reading and experimenting. I don't know of a good
> book or I'd recommend one.
>
>> As in the previous example, the only people who should be able to get
>> into the "janitor" user folder are Administrators and janitor. No one
>> else should be able to access the folder. Should CREATOR or SYSTEM be
>> included? They are not.

>
> As I mentioned, System *should*. As should Administrators. I don't manually
> set creator owner most of the time. Did you check out the links I posted?
>
>>>> It's frustrating to
>>>> come in after someone else who may or may not have known what he was
>>>> doing.
>>> Yep, but that gets a lot easier once you feel more confident that
>>> *you* know better. ;-)
>>>> Thanks for taking the time.

>
> I hope this has helped.


The "Copy" thing you recommended has been a good idea. Had you not suggested it,
I would not have tried it.

With all of the information you posted, I will spend some time going back
through it again to better try to understand it. I did read the links you
provided, but the problem with most server help sites is that they are often
written by people who cannot remember what it was like to try to understand this
stuff when THEY were a beginner. Once I totally understand, if I ever do, when I
go back and read the information, it will make perfect sense.

For now, everything appears to be working. People who are not supposed to have
access, don't, at least as far as my testing goes.


Again, thanks for taking the time.

  #8  
Old 19-01-2009
Lanwench [MVP - Exchange]
 
Posts: n/a
Re: Folder Permissions

mcp6453 <mcp6453@gmail.com> wrote:

<snipped for length>

> The "Copy" thing you recommended has been a good idea. Had you not
> suggested it, I would not have tried it.


Great!
>
> With all of the information you posted, I will spend some time going
> back through it again to better try to understand it. I did read the
> links you provided, but the problem with most server help sites is
> that they are often written by people who cannot remember what it was
> like to try to understand this stuff when THEY were a beginner.


Yes, I know.

> Once
> I totally understand, if I ever do, when I go back and read the
> information, it will make perfect sense.


I expect so.
>
> For now, everything appears to be working. People who are not
> supposed to have access, don't, at least as far as my testing goes.
>
>
> Again, thanks for taking the time.


You're very welcome, and do post back if you need more help.


