TOPIC: Active Directory

Active Directory 10 years 6 months ago #14811

  • Bublitz
I'm having some problems with setting file permissions on our File Server. We have to give users direct access to files or folders. If we give a group access to files or folders and a person is a part of that group it will NOT work.

So here is what I did for testing purposes.
Logged on as Local Admin (not domain admin) and created a folder on our file server named "permissions_test" and then made a directory under "permissions_test" called "test". Then I made 2 documents under "test" called "test.doc" and "test.xls".

Permissions_Test
..+
..+-->Test
.............+
.............+-->test.doc
....................test.xls

So I share the folder "permissions_test" and give "everyone" read only access (share level security). Then I went into folder level security and added "Local admin" "modify" access. I then also added a group to "permissions_test" folder called "IS_Server_admin" and gave "Full control" access.

I am a part of "IS_Server_admin" so I should have access. I can access the "test.doc" and "test.xls" but ONLY read only. If I log on to the file server and check the folder level permissions for those 2 documents, "IS_Server_admin" has "full control". I've never run into this before.

Then to test a bit more I added "Modify" to "IS_Server_admin" to SHARE level permissions. When I did that I was able to access "test.doc" and add changes to it.

So it seems it's ignoring the folder level permissions I'm adding... is this a possible domain policy? I thought folder level permissions had higher authority than share level permissions?
The Bublitz
Systems Admin
Hospice of the Red River Valley

Re: Active Directory 10 years 6 months ago #14813

  • DaLight
Share-level permissions control remote access to your files i.e. access via the Share names. Only after that do file-level permissions come into play. Of course, if you log in locally, then share-level permissions won't matter if you've got the appropriate file-level permissions.

Re: Active Directory 10 years 6 months ago #14815

  • Bublitz
So what if then.

you have a folder

test<----shared
..folder
..folder
..folder
..folder
.......test2 <--- Shared (permissions?)

Would the permissions start over at test2 or flow down from test?

IMO share level security sucks, way less options. Is there a policy that can be set that using a shared resource with a proper AD user account they are logged on locally?
The Bublitz
Systems Admin
Hospice of the Red River Valley

Re: Active Directory 10 years 6 months ago #14827

  • alx
the more restrictive permissions will be taken. if shareperm are more restrictive than folderperm, shareperm will be taken and vice versa. so if you want to limit permissions for subfolders differently, i think it's best to give full control to the share and then set the effective permissions at folder level.
example you have this structure and want the following
- test
+
subtest1 <---- group 'A' shall write
+
subtest2 <---- group 'A' shall only read
+
file.doc <---- group 'A' shall only read

then you share test with full control, set folder permissions for test to read only for group 'A' and then for folder subtest you set folder permissions to write for group 'A'.

when speaking of folder permissions i mean the NTFS permissions.


does this help?

.alx

Re: Active Directory 10 years 6 months ago #14834

  • Bublitz
Yes, I'm going to test this out. So I was thinking of giving the Everyone group full access share permission. Then give them read only folder permissions. Then add the group I want to have write permissions on the folder permissions. Damn, if it was 1 or the other this would be a lot easier.
The Bublitz
Systems Admin
Hospice of the Red River Valley

Re: Active Directory 10 years 6 months ago #14837

  • Bublitz
Awesome alx, you're right. I've used folder permissions in the past and it has always worked; now I know WHY it worked.

On test folder I added domain users full control (share permissions). Then folder access domain users read only. Then department group modify access.

User: Test99 Domain user - He only had read access
User: Test89 Domain user and dept group - Had Modify Access
My account: had full access and could edit permissions.

So with this kind of setup shared permissions are ignored totally. This is exactly what I was going for. Thanks for the help guys!
The Bublitz
Systems Admin
Hospice of the Red River Valley
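
An added example, not part of any post in this thread: a simplified Python model of the rule discussed above (over the network a user gets the more restrictive of the share and NTFS permissions; a local logon is checked against NTFS only), run against the setups described in the posts. It treats the permission levels as an ordered scale and ignores deny entries and inheritance; the group name Dept_Group is a constructed placeholder.

```python
from enum import IntEnum

class Access(IntEnum):
    NONE = 0
    READ = 1
    MODIFY = 2  # shown as "Change" on the share permissions tab
    FULL = 3

def layer_access(acl, principals):
    """Within one layer allow entries are cumulative: take the highest
    level granted to the user or to any group the user belongs to."""
    return max((lvl for who, lvl in acl.items() if who in principals),
               default=Access.NONE)

def effective_access(share_acl, ntfs_acl, principals, remote=True):
    """Remote access via the share is capped by both layers (the more
    restrictive wins); a local logon is checked against NTFS only."""
    ntfs = layer_access(ntfs_acl, principals)
    if not remote:
        return ntfs
    return min(layer_access(share_acl, principals), ntfs)

# Setup from the first post (simplified: allow entries only).
FIRST_SHARE = {"Everyone": Access.READ}
FIRST_NTFS = {"Local admin": Access.MODIFY, "IS_Server_admin": Access.FULL}
ADMIN = {"Everyone", "IS_Server_admin"}

# Setup from the last post; "Dept_Group" is a constructed group name.
FINAL_SHARE = {"Domain Users": Access.FULL}
FINAL_NTFS = {"Domain Users": Access.READ, "Dept_Group": Access.MODIFY}
TEST99 = {"Domain Users"}
TEST89 = {"Domain Users", "Dept_Group"}

def run_scenarios():
    # Second test in the first post: Modify added for the group on the share.
    widened = dict(FIRST_SHARE, IS_Server_admin=Access.MODIFY)
    return {
        "admin via share": effective_access(FIRST_SHARE, FIRST_NTFS, ADMIN),
        "admin local logon": effective_access(FIRST_SHARE, FIRST_NTFS, ADMIN, remote=False),
        "admin, share widened": effective_access(widened, FIRST_NTFS, ADMIN),
        "Test99": effective_access(FINAL_SHARE, FINAL_NTFS, TEST99),
        "Test89": effective_access(FINAL_SHARE, FINAL_NTFS, TEST89),
    }

if __name__ == "__main__":
    for name, level in run_scenarios().items():
        print(f"{name}: {level.name}")
```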