Active Directory
18 years 5 months ago #14811
by Bublitz
The Bublitz
Systems Admin
Hospice of the Red River Valley
Active Directory was created by Bublitz
I'm having some problems with setting file permissions on our File Server. We have to give users direct access to files or folders. If we give a group access to files or folders and a person is a part of that group, it will NOT work.
So here is what I did for testing purposes.
Logged on as Local Admin (not domain admin) and created a folder on our file server named "permissions_test" and then made a directory under "permissions_test" called "test". Then I made 2 documents under "test" called "test.doc" and "test.xls".
Permissions_Test
..+
..+-->Test
.............+
.............+-->test.doc
....................test.xls
So I share the folder "permissions_test" and give "everyone" read only access (share level security). Then I went into folder level security and added "Local admin" "modify" access. I then also added a group to "permissions_test" folder called "IS_Server_admin" and gave "Full control" access.
I am a part of "IS_Server_admin" so I should have access. I can access the "test.doc" and "test.xls" but ONLY read only. If I log on to the file server and check the folder level permissions for those 2 documents, "IS_Server_admin" has "full control". I've never run into this before.
Then to test a bit more I added "Modify" to "IS_Server_admin" to SHARE level permissions. When I did that I was able to access "test.doc" and add changes to it.
So it seems it's ignoring the folder level permissions I'm adding... is this a possible domain policy? I thought folder level permissions had higher authority than share level permissions?
18 years 5 months ago #14813
by DaLight
Replied by DaLight on topic Re: Active Directory
Share-level permissions control remote access to your files i.e. access via the Share names. Only after that do file-level permissions come into play. Of course, if you log in locally, then share-level permissions won't matter if you've got the appropriate file-level permissions.
18 years 5 months ago #14815
by Bublitz
Replied by Bublitz on topic Re: Active Directory
So what if, then, you have a folder:
test<----shared
..folder
..folder
..folder
..folder
.......test2 <--- Shared (permissions?)
Would the permissions start over at test2 or flow down from test?
IMO share level security sucks, way less options. Is there a policy that can be set so that using a shared resource with a proper AD user account they are logged on locally?
18 years 5 months ago #14827
by alx
Replied by alx on topic Re: Active Directory
the more restrictive permissions will be taken. if shareperm are more restrictive than folderperm, shareperm will be taken and vice versa. so if you want to limit permissions for subfolders differently, i think it's best to give full control to the share and then set the effective permissions at folder level.
example you have this structure and want the following
- test
+
subtest1 <---- group 'A' shall write
+
subtest2 <---- group 'A' shall only read
+
file.doc <---- group 'A' shall only read
then you share test with full control, set folder permissions for test to read only for group 'A' and then for folder subtest you set folder permissions to write for group 'A'.
when speaking of folder permissions i mean the NTFS permissions.
does this help?
.alx
18 years 5 months ago #14834
by Bublitz
Replied by Bublitz on topic Re: Active Directory
Yes, I'm going to test this out. So I was thinking of giving the Everyone group full access share permission. Then give them read only folder permissions. Then add the group I want to have write permissions on the folder permissions. Damn, if it was 1 or the other this would be a lot easier.
18 years 5 months ago #14837
by Bublitz
Replied by Bublitz on topic Re: Active Directory
Awesome alx, you're right. I've used folder permissions in the past and it has always worked; now I know WHY it worked.
On test folder I added domain users full control (share permissions). Then folder access domain users read only. Then department group modify access.
User: Test99 Domain user - He only had read access
User: Test89 Domain user and dept group - Had Modify Access
My account: had full access and could edit permissions.
So with this kind of setup shared permissions are ignored totally. This is exactly what I was going for. Thanks for the help guys!
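The rule worked out in this thread, as an added Python model that is not part of any post: access over the network is the intersection of what the share ACL and the NTFS ACL each grant, with rights accumulating across the user's groups, while a local logon is checked against NTFS only. It assumes allow entries only (no deny ACEs or inheritance), three simplified right flags, and "Dept group" as a stand-in name for the unnamed department group.

```python
# Added illustration: simplified model of combining share-level and NTFS
# (folder-level) permissions. Allow entries only; names follow the thread.
from enum import IntFlag

class Access(IntFlag):
    NONE = 0
    READ = 1
    WRITE = 2                   # create, change, delete content
    PERMS = 4                   # edit permissions / take ownership
    MODIFY = READ | WRITE       # called "Change" on a share
    FULL = READ | WRITE | PERMS

def granted(acl, principals):
    """Union of rights from every ACL entry matching the user or a group."""
    rights = Access.NONE
    for principal, entry in acl.items():
        if principal in principals:
            rights |= entry
    return rights

def effective(share_acl, ntfs_acl, principals, remote=True):
    """Remote: share AND NTFS. Local logon: the share ACL is never consulted."""
    ntfs = granted(ntfs_acl, principals)
    return ntfs & granted(share_acl, principals) if remote else ntfs

def label(rights):
    """Highest named level fully contained in the computed rights."""
    for name in ("FULL", "MODIFY", "READ"):
        if Access[name] in rights:
            return name
    return "NONE"

def thread_scenarios():
    admin = {"Everyone", "IS_Server_admin"}
    share1 = {"Everyone": Access.READ}                    # first post
    ntfs1 = {"Local admin": Access.MODIFY, "IS_Server_admin": Access.FULL}
    share2 = {**share1, "IS_Server_admin": Access.MODIFY}  # follow-up test
    share3 = {"Domain Users": Access.FULL}                # final layout
    ntfs3 = {"Domain Users": Access.READ, "Dept group": Access.MODIFY}
    return {
        "first post, via share": label(effective(share1, ntfs1, admin)),
        "first post, local logon": label(effective(share1, ntfs1, admin, remote=False)),
        "Modify added on share": label(effective(share2, ntfs1, admin)),
        "Test99": label(effective(share3, ntfs3, {"Domain Users"})),
        "Test89": label(effective(share3, ntfs3, {"Domain Users", "Dept group"})),
    }

if __name__ == "__main__":
    for case, level in thread_scenarios().items():
        print(f"{case}: {level}")
```

In the final layout the share entry is still evaluated on every remote access; because it grants Full Control it removes nothing from the NTFS result, so NTFS alone decides the outcome.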