File Server NTFS Permissions question

[[email protected]]

I am in the process of reconfiguring a file server for my company. It
is a Windows Server 2003 / Enterprise x64 Edition SP2

I have created a share called 'Shares' (\\servername\shares) that will
have 3 subfolders that are not shares, just subfolders.

One these subfolders is named 'Departments' and it represents a
logical division of departments in my company. (i.e. Accounting,
Finance, etc..)

Share permissions to the 'Shares' share are:
Domain Admins = Full Control
Domain Users = Change | Read

I have a network drive mapped for users to '\\servername\shares
\departments' = K:\
Users will see a list of department folders when browsing to the K:\.
For K:\ the permissions are as follows:

The NTFS permissions on the 'Departments' directory are as follows:
Domain Admins = Full Control (This Folder, Subfolders and
Files)
Domain Users = DENY -> ('This Folder Only') Create
Files / Write Data | Create Folders / Append Data
| Delete | Change Permissions |
Take Ownership
Domain Users = ALLOW -> ('This Folder Only') Traverse
Folder / Execute File | List Folder / Read Data


Each of the department will have their own subfolder of K:\ that will
have explicit permissions enforced by global security groups in Active
Directory. For example, I have

'\\servername\shares\departments\accounting' or K:\accounting and the
Accounting group members have access to this directory. NTFS
permissions to K:\accounting would be:
Domain Admins = Full Control (This Folder, Subfolders
and Files)
Accounting = DENY -> (This Folder Only) Delete
Subfolders and Files | Delete | Change Permissions | Take Ownership
Accounting = ALLOW -> (This Folder Only) Traverse
Folder | List Folder | Read Attributes | Create Files | Create Folders
| Write Attributes | Read Permissions
Accounting = ALLOW -> (Subfolders and Files only)
Allow is checked for everything except for Full Control and Take
Ownership

User John Doe (who is a member of the accounting group) is able to
browse/traverse K:\accounting and create subfolders and files. John
Doe is not able to delete the parent folder

'Accounting' or other department folders that he doesn't have
permissions to (which is what i want). He also is unable to create
new folders within K:\ (this is what i want as well).

However, when John Doe attempts to delete the 'Accounting' parent
folder, it displays this error - "Error Deleting File or Folder -
Cannot remove folder Accounting: Access is denied.

Make sure the disk in not full or write-protected and that the file
is not currently in use." - This is as I would expect, but then it
still deletes subfolders and files within the Accounting

folder!! Why???

Shouldn't the subfolders and files remain intact? Is there a way to
prevent this behavior, but still allow users to traverse the K:\?

I would like users to be able to create subfolders and files within
their department folders but they should NOT be able to delete the
parent department folder or create new

subfolders in K:\ only within the department folders.
The reason I have these department folders within the Shared Folder is
that we have many users that need access to multiple department
folders. I don't want to have to map a

network drive for each department folder that a user would require.

Many thanks for your help and insight

[Phillip Windell]

1. Forget Mapped Dirve letters and use Shortcuts based on the UNC path.
Place the Shortcut in the Desktop folder of the All Users Profile on each
machine. After that they can browse to it just as if it was a folder on
their desktop. It uses no resources and maintains on constant connection
like mapped drive letters do and does not slow down Windows Explorer and
other "browse" dialogs the way mapped drives do.

2. Avoid explicitily "Denying" anything. If you don't want someone to have
permission to something then just don't give them permissions in the first
place. Stop the inheritence at each Department Folder and start building
the Permissions from scratch at those folders and let inheritence cover the
folders below them. Keep more general permissions higher in the tree with
more specific permissions lower in the tree. You may have to stop
inheritence and restart building the permissions again in some places as you
go deeper into the tree.

On the top folder clear the inheritable permissions. Then create 3 sets of
permissions for the users. One applies to folders inside the folder share,
where you only give permissions to list and read, the other applies to
department folder, where you define read, modify, etc... to all subfolders
inside that.

[[email protected]]

On the top folder clear the inheritable permissions. Then create 3
sets of
permissions for the users. One applies to folders inside the folder
share,
where you only give permissions to list and read, the other applies
to
department folder, where you define read, modify, etc... to all
subfolders
inside that.

Thank you for respsonse, but i'm still having difficulties. I removed
any explicit deny for users.

For the Parent folder, E:\shares\departments, the permissions are as
follows:
- Server\administrators - <not inherited> / Full Control / This
folder, subfolders and files
- Authenticated Users - <not inherited> / Read & Execute / This Folder
only
- CREATOR OWNER - <not inherited> / Full Control / Subfolders and
files only

For the department folders (eg accounting):
- Server\administrators - <not inherited> / Full Control / This
folder, subfolders and files
- CREATOR OWNER - <not inherited> / Full Control / Subfolders and
files only
- Department Security Group (eg Accounting) <not inherited> / Read,
Write & Execute / This folder, subfolders and files.

Here is where I'm having an issue. UserA in the accounting security
group, can browse to E:\shares\departments and cannot create or delete
folders here (which is what I want). UserA can create files/folders
in e:\shares\departments\accounting, but not files/folders which they
are not the owner (which is also good). BUT, when UserA attempts to
delete E:\shares\departments\Accounting folder it says access denied,
as expected, but then the system deletes any files/folders under e:
\shares\departments\accounting that UserA is Creater/owner. Shouldn't
windows not delete this subfolders/files?

If I create a folder/file named '~', in e:\shares\departments
\accounting\~, and the users attempts to delete e:\shares\departments
\accounting\, the system will not delete anything with the folder.
I'm guessing because the folder named '~' is before anything other
files/folders in alphabetical order. Is there a way to control this
behavior that when a user attempts to delelete the department parent
folder (which they shouldn't do, but i'm sure someone will
accidentally try) that the server doesn't delete subfolders/files that
the users is CREATOR OWNER of?

[Jorge Silva]

Lets do in simple way:
-------------------
On top folder "Shares":
NTFS Permissions (To this folder and sub folders and files):
Clear inheritable permissions
Administrators:FULL
Users: Read

SHARE Permissions:
For example:
Domain Users: MODIFY
Administrators: FULL
-------------------
On SUBFolders:
Add a new set of permissions, lets consider the HR SubFolder.
NTFS Permissions (In this folder you don't need to clear the inheritable
permissions)
Just add the Security Goup "Human Resources" to the HR SubFolder with Modify
Permissions. Now, users members of this group have permissions to create and
change files.
-------------------
Note: If you give FULL permissions only to "CREATOR OWNER", you need to
consider the following, first the user must be allowed to create
Files/and/or/ Folders, second only the user will have modify permissions to
the folder that he/she creats, because you're allowing only the read right
to all other users.

[[email protected]]

I tested what you have suggested, with similar results as i have been
having.

I created a new share at the root of the logical drive called Company.

Share permissions - Domain Users: MODIFY | Administrators: FULL
NTFS Permissions (To this folder and sub folders and files):
Clear inheritable permissions
Administrators:FULL
Users: Read

I created a subfolder 'HR' and added a test user to the hr group.

User logs and is able to browse the HR folder. User can create new
files/folders and delete them. And user is able to delete the HR
folder....not good.

I apologize for the difficulty but I thought I was close to a solution
and now I'm just confused. Why does windows delete subfolders and
files when a user attempts to delete a parent folder and is denied
access?

[Jorge Silva]

Sorry, I didn't explain All steps, please review:

-------------------
On top folder "Shares":
NTFS Permissions (To this folder and sub folders and files):
Clear inheritable permissions
Administrators:FULL
Users: Read

SHARE Permissions:
For example:
Domain Users: MODIFY
Administrators: FULL
-------------------
On SUBFolders:
Add a new set of permissions, lets consider the HR SubFolder.
NTFS Permissions (In this folder you don't need to clear the inheritable
permissions)
Just add the Security Goup "Human Resources" to the HR SubFolder with Modify
permissions (Apply to Subfolders and files ONLY)
Permissions. Now, users members of this group have permissions to create and
change files.
-------------------

[[email protected]]

I did exactly what you suggest. Very close, but when user attempts to
delete the HR folder, and is denied access, subfolders and files are
deleted still?

What gives.

Thanks a lot for your help!

[Jorge Silva]

Eheheh...
But If the user tries to delete the HR folder, that means that he/she wants
to delete everything that is inside it, right?

So... If someone tries to delete the department folder, this means that
person is up to something... Of course all folders that he/she has access
will be deleted, because he/she has permissions to do that. That's why you
should have backps...

Remember that you have the ability to NOT allow delete of files and folders,
but then, if you deny that, the users won't be able to delete the files even
those that were created by mistake or those that are outdated :P

[jaolma]

I have the same setup and same problem. I think this is a major bug and has something to do with shares. If you create the same folder structure & permissions without the share, it works as it should. Meaning, when you try to delete the folder it doesn't delete the files & folders in it.

-Jani