How can I learn the proper way to deal with permissions on a Windows server when I am clearly a n00b?
May 21, 2008 12:19 PM

File and folder permissions on Windows Small Business Server 2003: what's the right way to set up a shared folder so it can only be accessed by a particular group?

So I'm having a devil of a time setting up permissions on our server at work. I'll try to boil it down to one question.

We have a server running Small Business Server 2003. It's nice and new and shiny.

On the server, we have a D: drive with a folder called "office" that is used for all of our shared files. I have apparently been hit with the Totally Incompetent Stick because I can't for the life of me figure out how to set up a couple of private folders within the share.

I've set up a security group called Personnel. I have added the people who should have access to personnel records to that security group. Now what's the RIGHT way to set a folder so only people in the Personnel group can access it? The way I did it the first time meant that people in that group could open the folder, but then they couldn't access any files or folders within it—and when I went back to the server to try and correct the mistake, my administrator account has been locked out of making changes to any of those files/folders as they no longer seem to have an owner.

Various attempts at reclaiming ownership and resetting permissions have left everything in a confusing state. So I guess what I'm looking for is how to reset a tree of files/folders to a pristine "just the ordinary inherited permissions from above please, kthx" state; how to then properly set their permissions to allow only access from one security group; and how to keep myself from getting into this mess by reading The Most Awesome Book or Website on "How to Grok Windows Permissiony Things" Ever. Thank you.

(I have had a look through this previous post but something about the explanation is just not getting through my thick skull; I may have the admin password but that doesn't make me a real admin.)
posted by bcwinters to Computers & Internet (9 answers total)
 
One terminology thing first: are you talking about shares, or just permissions on a folder? A share is something you set up on top of standard Windows permissions: it has its own set of permissions and its own name and everything, and you access it via the "Sharing" tab in the Properties window for a folder. You refer to it as a share, but from your post, it sounds like you're just trying to set up permissions on a folder. The answer depends on which one you're using...

Anyway, as far as resetting permissions so that they inherit from the parent object...select the Properties of a folder, Security tab, click Advanced, and find the checkbox for "Allow inheritable permissions to propagate..." If it's unchecked, just check it and hit apply, and you should be back to normal. If it's already checked, I think you can uncheck it, choose "Copy", and then check it again, and hit Apply. You should be back to normal, I think.

Setting granular permissions should just be a matter of clicking the right permissions on the check boxes in the Security tab. If the right boxes are checked (read and modify, I presume), it should just work. One factor might be if you are in fact defining a share in addition to folder permissions. Windows will enforce the more restrictive of the two sets of permissions, so if you have both, make sure permissions are set appropriately on each.

If you still can't get it working, can you clarify about the share / folder thing?
posted by molybdenum at 12:53 PM on May 21, 2008
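The same "back to plain inherited permissions" reset, scripted rather than clicked, as an added example that is not part of molybdenum's answer or the original thread. It uses takeown.exe and icacls.exe, which ship with Windows Server 2003 SP2 and later; run it from an elevated PowerShell prompt on the server, and treat the path as a placeholder for whatever folder you have locked yourself out of.

```powershell
# Added example, not from the thread: put a subtree back to "just the inherited
# permissions from above". Assumes takeown.exe and icacls.exe are present (Server 2003
# SP2 and later) and that this runs as an administrator on the server.
$Path = 'D:\office\personnel'   # placeholder: the folder with no usable owner

# 0. Look at the parent first. After the reset the subtree will carry exactly what the
#    parent hands down, so if D:\office grants Administrators nothing, fix that before
#    resetting the child or you will end up locked out again.
icacls.exe (Split-Path -Path $Path -Parent)

# 1. Reclaim ownership of the folder and everything under it. /R recurses; /D Y is the
#    answer takeown gives itself when it meets a directory the account cannot even
#    list. The owner of an object may always rewrite its DACL, so this works even when
#    no ACE currently grants Administrators anything.
takeown.exe /F $Path /R /D Y | Out-Null

# 2. Give Administrators an explicit, inheritable full-control entry on the whole
#    tree so the recursion in the next step can read every directory.
#    (OI)(CI) = the entry is inherited by files (OI) and sub-folders (CI); F = full.
icacls.exe $Path /grant 'BUILTIN\Administrators:(OI)(CI)F' /T /C | Out-Null

# 3. Replace every ACL in the tree with the default inherited one. /reset discards all
#    explicit entries and turns inheritance from the parent back on (the GUI's
#    "Allow inheritable permissions to propagate..."); /T recurses; /C continues past
#    individual errors instead of stopping at the first one.
icacls.exe $Path /reset /T /C

# 4. Inspect the result: every entry should now be marked (I), i.e. inherited, and the
#    list should match what the parent showed in step 0.
icacls.exe $Path
```

Step 2 is belt and braces: ownership alone lets you change the DACL, but not list a directory whose ACL denies it, so the explicit grant keeps the recursive reset from stopping partway down the tree.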


Seeing that you have completely borked things up on your current folder, I would delete it and start over.
If it won't let you delete it due to the lack of ownership you can seize ownership with the admin account. Or you could just leave it there empty and unused.

For the new folder.
Make one.
Share it. Make sure you change the share permissions to Everyone-Full Control. Don't worry about the full control part, we will lock it down on the security tab.
In the Security tab. Add the security group you created. Define the appropriate level of permissions using the check boxes.
Remove all the other users/groups in the security tab, but leave the administrator with full control.
In a nutshell, without getting too involved, that will do what you want.

Post if you have more questions and we can get more involved if need be.
posted by a3matrix at 12:54 PM on May 21, 2008


Best answer: You need to set both Share and Security (NTFS) permissions. Both are tabs when you right click-->properties on a file or folder object. The Share security is so people can have given permissions at that share level and I usually set this at FC- everyone (lock down in NTFS permission). For instance, if you have a share at //server/office and I have full control NTFS permissions but no share permissions, I can't access anything. Same is true the other way- I can have all the share permissions I want, but without NTFS permissions, I can't do a whole lot.

For NTFS (security) permissions, I use 3 different groups:
servername-sharename-control level
I use 3 levels of control- FC, modify, read, giving me three different groups for each share. For the office folder, you can add all 3 groups to NTFS permissions and add users to the groups as needed. No need to ever go back to that folder for permissions again- just work through AD.
Also keep in mind that security permissions propagate to all child objects by default.

Use groups (usually domain local for assigning security). It may seem simpler to assign user rights individually right now, but using groups makes life easier in the long run.

Also, most restrictive permission always wins.
posted by jmd82 at 1:00 PM on May 21, 2008
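jmd82's three-groups-per-share convention, carried out from a prompt rather than in the GUI, as an added example that is not part of his answer or the original thread. It uses dsadd.exe and dsmod.exe, which are present on a Windows Server 2003 domain controller (SBS is one), together with icacls.exe; the server name, OU path, domain name and user DN are placeholders.

```powershell
# Added example, not from the thread: create one domain-local security group per
# access level for a share, named servername-sharename-level, and bind each group to
# its NTFS level on the share root. Assumes an elevated PowerShell prompt on the domain
# controller; every name below is a placeholder to replace.
$Server  = 'SBS01'
$Share   = 'office'
$Path    = 'D:\office'
$Domain  = 'EXAMPLE'
$GroupOU = 'OU=Security Groups,DC=example,DC=local'

# level name -> icacls permission: F = full control, M = modify, RX = read and execute
$Levels = @(
    @('fullcontrol', 'F'),
    @('modify',      'M'),
    @('read',        'RX')
)

foreach ($pair in $Levels) {
    $level, $perm = $pair
    $name = "$Server-$Share-$level"          # e.g. SBS01-office-modify
    $dn   = "CN=$name,$GroupOU"

    # Domain-local (-scope l), security-enabled (-secgrp yes). dsadd reports an error
    # if the group already exists; that is harmless on a re-run, the grant still applies.
    dsadd.exe group $dn -secgrp yes -scope l -samid $name `
        -desc "NTFS $level on \\$Server\$Share" 2>$null

    # Grant the group its level on the share root. (OI)(CI) makes the entry inherit to
    # files and sub-folders, so the folder itself never needs touching again.
    icacls.exe $Path /grant "${Domain}\${name}:(OI)(CI)$perm" | Out-Null
}

# From here on, access is managed purely through membership in AD. Placeholder user:
dsmod.exe group "CN=$Server-$Share-modify,$GroupOU" `
    -addmbr 'CN=Jane Doe,CN=Users,DC=example,DC=local'

# Show the resulting explicit entries on the share root.
icacls.exe $Path
```

This sets up the groups for the whole office share; restricting the personnel sub-folder to its own group is a separate step, because that folder has to stop inheriting these entries before they are useful on it.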


Response by poster: Thanks for the advice so far. Sorry about my terminology. I'm sure it's part of the problem. There is a folder on the server called "office". It has sharing turned on and the sharing permissions are set to allow read/write to Everyone.

Within "office" is a folder called "personnel"; I would like to restrict access so only people in the Personnel security group can access it, its contents, and its subfolders. If a user in the Personnel group moves a file into this folder I would like it to inherit the restrictions; if it is moved back out I would like it to return to being unrestricted—so basically I want folder-level control.

I actually have a couple of security groups and a couple of folders I need to do this to but I'm simplifying by only talking about one.

a3matrix: I can't delete the folder and start over as it has 7 years of files and folders in it :)
posted by bcwinters at 1:05 PM on May 21, 2008


Response by poster: (And by the way I'm trying out the advice so far to see if I can reset things back to the beginning, I will report back!)
posted by bcwinters at 1:07 PM on May 21, 2008


Best answer: In that case, for the personnel folder, you'll want to go into your security tab, click advanced, and turn off the checkmark "inherit from parent permission..."
Otherwise, all users in groups assigned permissions for the office folder will propagate to the child folders- in this case, personnel, giving people access who shouldn't (that is assuming you're assigning any security restrictions at the office folder level).
Other than that, you should be able to just add the proper group with users to the personnel folder security settings. Also make sure users log off before they try accessing the folders.
posted by jmd82 at 1:34 PM on May 21, 2008


Remove anything listed in the permissions entries, then immediately click Add and enter SYSTEM as the username, give that full control. Also add your Administrators group as full control.

Technically speaking, if you're not running any services from the folders (ie, they're a bunch of excel and word files), SYSTEM doesn't need to be added.
posted by jmd82 at 2:55 PM on May 21, 2008


Best answer: @jmd82
I *think* some antivirus suites use the system account, so it's best to leave it.

odinstream has it right. To reiterate what he said:
1. Leave the Share permissions at Authenticated Users - Full Control. The file system permissions control access to the files and folders.
2. On the Personnel folder, uncheck the Inherit Permissions from Parent box.
3. Add Administrators - Full Control, System - Full Control and Personnel - Modify permissions to the Personnel folder.
4. You may need to propagate the new Personnel permissions to all files and folders inside Personnel, so you're sure they all have the same permissions.

As far as retaining permissions go, read this article, which basically says that moved or copied files are given the permissions of the target directory, except when you move or copy files on the same volume (drive). In other words, anything you move or copy into Personnel will have the permissions you assign to Personnel, with one exception. Anything you move or copy from anywhere on the D:\ drive into Personnel will keep its original permissions.
posted by cnc at 10:05 PM on May 21, 2008
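cnc's four steps done with icacls.exe and then checked with Get-Acl, as an added example that is not part of his answer or the original thread. It assumes an elevated PowerShell prompt on the server and that the Personnel group already exists in the domain; folder, domain and group names are placeholders. Step 1 needs no command here: the share stays open as it is, and the NTFS DACL is what decides access, because Windows applies whichever of share and NTFS permissions is more restrictive. The grant (step 3) is deliberately run before inheritance is switched off (step 2) so the account doing the work never loses the right to change the DACL.

```powershell
# Added example, not from the thread: lock D:\office\personnel down to one group.
# Assumes an administrator's PowerShell prompt on the server; names are placeholders.
$Private = 'D:\office\personnel'
$Group   = 'DOMAIN\Personnel'
$Keep    = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', $Group)

# Step 3 (first, while inheritance is still on): add the explicit entries.
# (OI)(CI) inherits to files and sub-folders; F = full control, M = modify (read,
# write, delete, but not change permissions or take ownership).
icacls.exe $Private /grant 'BUILTIN\Administrators:(OI)(CI)F' `
                           'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
                           "${Group}:(OI)(CI)M" | Out-Null

# Step 2: stop inheriting from D:\office. /inheritance:r turns inheritance off and
# drops the inherited entries (the GUI's "Remove" choice). The explicit entries added
# above survive, so nothing "office" grants to Everyone or Domain Users reaches here.
icacls.exe $Private /inheritance:r | Out-Null

# Step 4: push the new ACL down to everything already inside. Each child is reset to
# inherit from $Private; resetting $Private itself would instead re-enable inheritance
# from "office" and undo step 2. Re-run this step after files are MOVED in from
# elsewhere on D:, since a same-volume move keeps the source's permissions.
Get-ChildItem -Path $Private -Force | ForEach-Object {
    icacls.exe $_.FullName /reset /T /C | Out-Null
}

# Check: inheritance must be off and only the three intended identities may appear.
$acl        = Get-Acl -Path $Private
$unexpected = $acl.Access | Where-Object { $Keep -notcontains $_.IdentityReference.Value }
if ($acl.AreAccessRulesProtected -and -not $unexpected) {
    Write-Host "OK: $Private is limited to $($Keep -join ', ')"
} else {
    Write-Warning "$Private still inherits, or carries entries outside the intended set:"
    $unexpected | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

Users who were added to the Personnel group after they logged on will still be refused until they log off and back on, since group membership is stamped into the logon token; the check above cannot see that, it only tells you the folder's ACL is what you intended.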


Response by poster: Sorry for the delay in returning to this question, I didn't mean to leave you all hanging. The way the "advanced" dialog boxes and checkmarks for inheritance interact seems needlessly confusing to me. But I have now successfully set these folders the way we'll need them!

Thank you all for your help. I'm marking a bunch of these as best answer as I kind of combined bits and bobs from all of you.
posted by bcwinters at 11:44 AM on June 2, 2008

