
Permissions



Hi

I am new to Windows 2003 Server AD and I have set up a domain server "server1", client "client1" and two basic users "user1" and "user2". On the server I have created a share "c:\users" and created two user folders inside of this: "c:\users\user1" and "c:\users\user2".

Now the share permissions of "c:\users" are set to Allow Everyone to Change and Read. "c:\users\user1" has permissions set to Allow Administrators and User1 to Full Control. "c:\users\user2" has permissions set to Allow Administrators and User2 to Full Control.

This works quite well. In each user profile I have selected to map drive "H:" to "\\server1\users\%username%" and when the user logs on and goes to "H:" it shows the contents of their shared folder from the server and they are able to have full control over that folder and its contents. It also works the way I planned in that if the user is smart enough to go to "\\server1\users" they can see the list of user folders including the "user1" and "user2" folders, but if "user1" is logged on he/she will only have access to the "user1" folder. Trying to access the "user2" folder results in access denied. Excellent, I was very happy with that.

However, if either user goes to "\\server1\users" they are able to create a folder or file of whatever they want. In order for the administrator to keep things neat I don't want users to be able to do this. Is this the method people would generally use to set up this situation or am I on the completely wrong track?

Thanks in advance for any help. Remember, I'm new ... be gentle :blink:



For reference, it is actually easiest to set "Share" permissions to Everyone/Full Control, and then lock down the folders via NTFS permissions - you would set Administrators/Full Control and UserX/Change on each folder (where X is the user number), and then set UserX/Deny on the folder for the other user. This will allow access for the correct user and deny for any others. Then, on all folders up the tree from the two user folders, you can simply give the users Read permissions, and they won't be able to do anything but read.

Share permissions are a bad way to secure a resource - use NTFS permissions instead whenever possible.

Edited by cluberti

It is much better to manage user rights through group membership.

Still, in your case, I would share C:\Users and use the default Everyone -> Full rights. Then, through NTFS permissions, give full rights to the Administrators group and give the Read and List Folders rights to the Users group.

Then for every userX (X being the number 1, 2, ... in your case) go to the UserX folder's NTFS permissions and add UserX with full permission. But remember to uncheck "Allow inheritable permission to propagate.. " for the folder UserX and click the "Copy" button when a security dialog appears. Choosing the Copy button keeps the parent folder permissions to start with, and you don't have to add the Administrators group again.

For me, denying the folder permissions is not a requirement.

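The NTFS layout described in the replies above, written out as an added PowerShell example (not code from any poster in this thread). It assumes Windows PowerShell is installed on server1, that `EXAMPLE` stands in for the domain's NetBIOS name, and that share permissions are set in the Sharing tab as described. Unlike the "Copy" choice, it removes inherited entries on each user folder so the Users group's read entry on C:\users is not carried down, and re-adds Administrators explicitly.

```powershell
# Added example. Run as an administrator on server1.
# EXAMPLE is a placeholder for the domain's NetBIOS name (assumption).
$domain = 'EXAMPLE'
$root   = 'C:\users'
$users  = 'user1', 'user2'

function New-AllowRule([string]$identity, [string]$rights) {
    # Allow entry that applies to this folder, its subfolders and its files.
    $ruleArgs = @(
        $identity,
        [System.Security.AccessControl.FileSystemRights]$rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
}

function Set-ProtectedAcl([string]$path, $rules) {
    $acl = Get-Acl -Path $path
    # First $true: stop inheriting from the parent folder.
    # Second $false: drop the inherited entries instead of copying them.
    # Explicit entries already on the folder are kept; review them afterwards.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $path -AclObject $acl
}

# Root of the share: administrators manage it, users can only browse it.
# ReadAndExecute on a folder covers listing its contents and reading files.
Set-ProtectedAcl $root @(
    (New-AllowRule 'BUILTIN\Administrators' 'FullControl'),
    (New-AllowRule 'BUILTIN\Users' 'ReadAndExecute')
)

# Each home folder: only administrators and the owning user get in.
foreach ($u in $users) {
    Set-ProtectedAcl (Join-Path $root $u) @(
        (New-AllowRule 'BUILTIN\Administrators' 'FullControl'),
        (New-AllowRule "$domain\$u" 'FullControl')
    )
}

# Print the resulting entries so the layout can be checked by eye.
foreach ($p in @($root) + @($users | ForEach-Object { Join-Path $root $_ })) {
    Write-Host "`n$p"
    (Get-Acl -Path $p).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
}
```

With no Deny entries in use, a user who is not listed on another user's folder is refused simply because no Allow entry matches.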

Share permissions are a bad way to secure a resource - use NTFS permissions instead whenever possible.

Sorry to interject, but I think I am confused. What is the difference between "Share Permissions" and "NTFS Permissions"...when I right click on a folder and click the security tab...are those SHARE or NTFS permissions that I see...


Share permissions are a bad way to secure a resource - use NTFS permissions instead whenever possible.

Sorry to interject, but I think I am confused. What is the difference between "Share Permissions" and "NTFS Permissions"...when I right click on a folder and click the security tab...are those SHARE or NTFS permissions that I see...

Yes, the Security tab contains NTFS permissions. NTFS permissions are more detailed. And that is where most permissions should be managed.

In the same window, under the Sharing tab, if you select the radio button to share the folder, then the Permissions button there contains the Sharing Permissions.

Hope that helps.
