Im having some problems with setting file permissions on our File Server. We have to give users direct access to files or folders. If we give a group access to files or folders and a person is apart of that group it will NOT work.
SO here is what I did for testing purposes.
Loged on as Local Admin (not domain admin) and created a folder on our files server name "permissions_test" and then make a directory under "permissions_test" called "test". Then I made 2 documents under "test" called "test.doc" and "test.xls"
So I share the folder "permissions_test" and give "everyone" read only access (share level security). Then I went into folder level security and added "Local admin" "modify" access. I then also added a group to "permissions_test" folder called "IS_Server_admin" and gave "Full control" access.
I am apart of "IS_Server_admin" so I should have access. I can access the "test.doc" and "text.xls" but ONLY read only. If I log on to the file server I check the folder level permissions for those 2 documents "IS_Server_admin" has "full control" I've never run into this before.
Then to test a bit more I added "Modify" to "IS_Server_admin" to SHARE level permissions. When I did that I was able to access "test.doc" and add changes to it.
So it seems it's Ignoring the folder level persmissions im adding...is this a possible domain policy? I thought folder level permissions had higher authority than share level permissions?
Share-level permissions control remote access to your files i.e. access via the Share names. Only after that do file-level permissions come into play. Of course, if you log in locally, then share-level permissions won't matter if you've got the appropriate file-level permissions.
the more restrictive permissions will be taken. if shareperm are more restrictive than folderperm, shareperm will be taken and vice versa. so if you want to limit permissions for subfolders differently, i think it's best to give full control to the share and then set the effective permissions at folder level.
example you have this structure and want the following
subtest1 <---- group 'A' shall write
subtest2 <---- group 'A' shall only read
file.doc <---- group 'A' shall only read
then you share test with full control, set folder permissions for test to read only for group 'A' and then for folder subtest you set folder permissions to write for group 'A'.
when speaking of folder permissions i mean the NTFS permissions.
Yes im going to test this out. So I as thinking of giving the Everyone group full access share permissionn. Then give them read only folder permissions. Then add the group I want to have write permissions on the folder permissions. Damn if it was 1 or the other this would be alot easier.