Active Directory

Im having some problems with setting file permissions on our File Server. We have to give users direct access to files or folders. If we give a group access to files or folders and a person is apart of that group it will NOT work.

SO here is what I did for testing purposes.
Loged on as Local Admin (not domain admin) and created a folder on our files server name "permissions_test" and then make a directory under "permissions_test" called "test". Then I made 2 documents under "test" called "test.doc" and "test.xls"

Permissions_Test
..+
..+-->Test
.............+
.............+-->test.doc
....................test.xls

So I share the folder "permissions_test" and give "everyone" read only access (share level security). Then I went into folder level security and added "Local admin" "modify" access. I then also added a group to "permissions_test" folder called "IS_Server_admin" and gave "Full control" access.

I am apart of "IS_Server_admin" so I should have access. I can access the "test.doc" and "text.xls" but ONLY read only. If I log on to the file server I check the folder level permissions for those 2 documents "IS_Server_admin" has "full control" I've never run into this before.

Then to test a bit more I added "Modify" to "IS_Server_admin" to SHARE level permissions. When I did that I was able to access "test.doc" and add changes to it.

So it seems it's Ignoring the folder level persmissions im adding...is this a possible domain policy? I thought folder level permissions had higher authority than share level permissions?

Share-level permissions control remote access to your files i.e. access via the Share names. Only after that do file-level permissions come into play. Of course, if you log in locally, then share-level permissions won't matter if you've got the appropriate file-level permissions.

So what if then.

you have a folder

test<----shared
..folder
..folder
..folder
..folder
.......test2 <--- Shared (permissions?)

Would the permissions start over at test2 or flow down from test.

IMO Share level security sucks way less options. Is there a policy that can be set that using a shared resource with a propber AD user account they are logged on locally?

the more restrictive permissions will be taken. if shareperm are more restrictive than folderperm, shareperm will be taken and vice versa. so if you want to limit permissions for subfolders differently, i think it's best to give full control to the share and then set the effective permissions at folder level.
example you have this structure and want the following
- test
+

---

subtest1 <---- group 'A' shall write
+

---

subtest2 <---- group 'A' shall only read
+

---

file.doc <---- group 'A' shall only read

then you share test with full control, set folder permissions for test to read only for group 'A' and then for folder subtest you set folder permissions to write for group 'A'.

when speaking of folder permissions i mean the NTFS permissions.


does this help?

.alx

Yes im going to test this out. So I as thinking of giving the Everyone group full access share permissionn. Then give them read only folder permissions. Then add the group I want to have write permissions on the folder permissions. Damn if it was 1 or the other this would be alot easier.

Awesome alx your right. Ive used folder permissions in the past it has always worked now I know WHY it worked.

ON test folder I added domain users full control(share permissions). Then folder access domain users read only. Then deptatment group modify access.

User: Test99 Domain user - He only had read access
User: Test89 Domain user and dept group - Had Modify Access
My account: had full access and could edit permissions.

SO with this kind of setup shared permissions are ignored totally. This is exactly what I was going for. Thanks for the help guys!