1

Ok,

I have a new 2008 R2 file server and i need to setup some permissions for shares. So far it is not that annoying with the exception of one case.

We have what we refer to Home folders. Basically small folders for personal or temporary storage off local machines.

Here is the tricky part. Everyone can have ready write access to each others home folders. That is easy to do. What i need to do however is find a not too involved way to allow all users to write and delete files inside each individual home folder but never be able to delete the actual home folder it self.

Example:

c:\Home is the root folder and is shared

c:\Home\Test1 this folder should only be allowed to be delete by domain admins

c:\Home\Test1\something this folder if fair game for anyone to delete rename, etc.

Any ideas?

2 Spice ups
2

Just don’t give them Modify or Full Control to the home folders.

3

Share permissions and NTFS permissions can conflict, so best method (as I was taught) is to give share permissions “Everyone Full control” and restrict access using security groups in NTFS

Set up a companystaff group

Assign read permissions to c:\home\test1 for companystaff

Assign modify permissions to c:\home\test1\something for companystaff ensuring that any other subfolders inherit permissions from parent.

If it is on a server already and the server belongs to a domain, then domain admins should already have full control on c:\home\ and all subfolders

Cheers

Tino

4

Tino Todino wrote:

Share permissions and NTFS permissions can conflict, so best method (as I was taught) is to give share permissions “Everyone Full control” and restrict access using security groups in NTFS

Set up a companystaff group

Assign read permissions to c:\home\test1 for companystaff

Assign modify permissions to c:\home\test1\something for companystaff ensuring that any other subfolders inherit permissions from parent.

If it is on a server already and the server belongs to a domain, then domain admins should already have full control on c:\home\ and all subfolders

Cheers

Tino

The server will enforce the most restrictive permissions. I always set the share permissions to “Everyone” full control, and then restrict folder access with the NTFS Security.

5

Indeed! :slight_smile:

6

We have a similar setup that we call the Shared folders. On each “username” folder, I set the following permissions:

Domain Users - Modify, apply to Subfolders and Files only

Domain Users - Create files & Create folders, apply to This folder only

This prevents the “username” folders being removed accidentally.

On the topic of share permissions, I disagree - I prefer the defense in depth approach - control access at each point you can rather than relying on only one point to control access. I set Read, Modify, or Full Control for the specific groups that should have access through each share.

Tip: Use the Authenticated Users group for shares that the System accounts on your domain computers need to access.

7

Yeah got it thanks for the help.

Took me a while to get the special permisions working but after much hitting of my head on the table it finally works.

Thanks guys you helped me a ton