I have the following folder structure:
A
|--B
|  |--C
|  |--D
|
|--E
   |--F
   |--G
Each sub-sub folder (C,D,F,G) has a corresponding AD group. I want to allow only users who are members of a sub-sub-folder's group to access it, but I still want to allow the sub folders (B,E) to be browsed by everyone (i.e. people can see C,D,F,G but can't access their contents).
I hope that makes sense.
I tried to do this:
I edited the permissions of the sub folders (B,E) and turned off "inherited permissions", but copied them rather than removing them. I then set them to not cascade down to children (this folder only).
This meant that I could create the sub-sub folders (C,D,F,G) but then couldn't access them. This is what I wanted and as I expected. I then planned to add modify rights to the sub-sub folders for their respective groups, and added myself to a couple of the groups to test it out.
However, when I tried to assign the group-modify permission I got a generic "access denied" message. I thought it might be because I didn't have change permission rights on the sub-sub folders, so I modified the sub folders to cascade down "Change permissions" but that didn't help :(
Any ideas why I can't get this to work? I'm on Windows Server 2008r1
All the users are Administrators by the way (this has to be the case)
Edit: I don't want to assign deny rights to all the groups that are not allowed to access a particular sub-sub folder as in reality this tree will be massive and that would create a maintenance nightmare!
Thanks.
-
On Folder A:
Set Everyone to Read & Execute
Set System to Full Control

On Folders B & E:
Enable Inheritance - Remove any explicit permissions

On Folders C, D, F, G:
Disable Inheritance - Remove All Permissions
Set [Corresponding Group] to Modify

Users will be able to override and change these permissions if they are Admins, there's no way around that.
Andrew Bullock : Yeah, I don't mind that they _could_ override it, company policy can govern that. I just want to make it so that in order to see that data, they'd have had to deliberately hack in. I'll try your suggestion...

Andrew Bullock : I've done this, but then I can't get into `C,D,E,F`: "You do not currently have permission to access this folder". I am in the group which I have granted `Modify` to. :(

Chris S : Did you just create the groups, or add yourself to the group since you last rebooted your computer? If so, restart your computer.

Jim B : Admins do not need to have full control. They only need read/change perms and traverse folder.

Andrew Bullock : Aha! Of course, just needed to log off for the permissions to apply to me. Thanks a lot!

Jim B : You should also consider enabling Access Based Enumeration (this might also reduce your permission/folder count), see http://technet.microsoft.com/en-us/library/dd772681(WS.10).aspx

Chris S : @Jim B, at the time I put Admins in the answer, I assumed he was the only admin or at least that the other users aren't admins. I don't see how Access Based Enum will change the permissions or folder count (except the number of folders seen by users).

Jim B : @chris ABE allows you to put files appropriately permissioned into a folder and have users see only the folders/files they have permissions to view. The typical example I give is the directory used for home directories. Without ABE you see a lot of folders that you cannot access, with ABE you see only 1 - yours. The same might also apply to this structure. Typically folders are created for the sole purpose of applying permissions; with ABE you can apply correct permissions to the files and each unique permissioned user would get a different view of the same folder.

Andrew Bullock : @Jim, that's not what I want, but thanks for pointing out that it's possible :)

From Chris S
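
The ACL layout from the answer, followed by the logon-token check that resolved the thread, as an added example that is not part of the original answer or comments. The root path `D:\Shares\A` and the `CONTOSO\Folder-*` group names are assumptions; it is meant to be run from an elevated PowerShell prompt by the owner of the folders.

```powershell
# Added example. $root and the CONTOSO\Folder-* groups are assumed names.
$root   = 'D:\Shares\A'
$groups = @{
    'B\C' = 'CONTOSO\Folder-C'
    'B\D' = 'CONTOSO\Folder-D'
    'E\F' = 'CONTOSO\Folder-F'
    'E\G' = 'CONTOSO\Folder-G'
}

function Invoke-Icacls([string[]]$IcaclsArgs) {
    # Run icacls quietly and stop on the first failure.
    & icacls.exe $IcaclsArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed: $($IcaclsArgs -join ' ')" }
}

# Folder A: Everyone gets Read & Execute, SYSTEM gets Full Control, both
# inheritable by subfolders and files. Other ACEs on A are left untouched.
Invoke-Icacls @($root, '/grant:r', 'Everyone:(OI)(CI)RX', 'SYSTEM:(OI)(CI)F')

# Folders B and E: /reset drops explicit ACEs and re-enables inheritance from A.
foreach ($sub in 'B', 'E') {
    Invoke-Icacls @((Join-Path $root $sub), '/reset')
}

# Folders C, D, F, G: end with exactly one ACE, the matching group's Modify.
foreach ($rel in $groups.Keys) {
    $path = Join-Path $root $rel
    Invoke-Icacls @($path, '/reset')                                  # inherited ACEs only
    Invoke-Icacls @($path, '/grant:r', "$($groups[$rel]):(OI)(CI)M")  # add the group first
    Invoke-Icacls @($path, '/inheritance:r')                          # then drop inherited ACEs
    & icacls.exe $path                                                # print the result for review
}

# Group membership is read at logon: a group added since then is missing from
# the current token until the user logs off and on again.
$token = whoami.exe /groups
foreach ($g in $groups.Values) {
    if (-not ($token | Select-String -SimpleMatch $g -Quiet)) {
        Write-Warning "$g is not in this logon token; if you were just added, log off and on"
    }
}
```

Granting the group before removing inherited ACEs avoids a window in which the folder has an empty DACL.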