Can't figure out how to set appropriate permissions


Calvin Lai

This is the scenario...

C:\DATA on SERVER1. SERVER1 running Win 2000 server.

DATA folder shared out as "DATA", ie \\SERVER1\DATA. When users log in,
S: is mapped to \\SERVER1\DATA.

Shared permission on the DATA folder is everyone READ, NTFS permission
is everyone FULL.

Within the DATA folder, I have DEPT1, DEPT2, etc. subfolders. I created
DEPT1, DEPT2, etc. global security groups in AD and added the
appropriate users to them.

DEPT1 subfolder has the following NTFS permission: domain admins FULL,
DEPT1 group MODIFY.

When a user in DEPT1 group goes into S:, he obviously cannot create any
folder or new files, which is fine. The user then goes into DEPT1
folder. But he CANNOT create anything new in that DEPT1 folder.

Anyone know why? What I want is users will only have read in the root
of DATA, but will be able to have modify permission in the associated
departmental subfolders in DATA.
 
I guess it's inherited permissions

Why don't you make the DEPT folders the shares? (That is, take out the
Server1 part from the loop)

Remember security is applied most restrictive to least restrictive, so a
permission of Full to a sub-folder will come out as read if read is set for the
user at root

HTH

Lowland
 
Some users actually need access to more than 1 department subfolders;
that is why I don't want to have the subfolders shared out.

So there is no way to stop inheritance at the subfolder level?
 
Calvin, don't use share permissions if you can use NTFS. Share
permissions are an old assed remnant from Windows for Workgroups days
when there was no other option. The combination of share permissions +
NTFS permissions will always result in the least restrictive and since
you've set the share perms to read only, everyone will have no more than
read permissions on the entire share and any folder(s) below it no
matter what the NTFS perms are set to.

- Set the share perms back to the default: Everyone - Full Control
- Set the NTFS perms on the root (DATA) to what you set the share perms
to: Authenticated Users (another no-no; don't use Everyone...ever) -
Read and Execute
- Then add write and delete NTFS perms for the appropriate groups on the
respective folders.

Should work like a charm.

hth
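
Added example, not part of the thread: a simplified Python model of how the share ACL and the NTFS ACL combine for access through \\SERVER1\DATA, run against the original setup and the setup from the last reply. It assumes allow-only ACLs (no Deny entries) and coarse right names; the users `alice` and `bob` are made up.

```python
# Simplified model (assumption): allow-only ACLs, rights as plain sets.
READ = frozenset({"list", "read", "execute"})
MODIFY = READ | {"write", "delete"}
FULL = MODIFY | {"change_permissions", "take_ownership"}

def granted(acl, principals):
    """Rights are cumulative: union of every entry matching the user's principals."""
    rights = set()
    for who, r in acl.items():
        if who in principals:
            rights |= r
    return rights

def effective(share_acl, ntfs_acl, principals):
    """Access through the share: only rights granted by BOTH ACLs survive."""
    return granted(share_acl, principals) & granted(ntfs_acl, principals)

# Constructed users: alice is in DEPT1 only, bob is in DEPT1 and DEPT2.
BUILTIN = {"Everyone", "Authenticated Users"}
alice = BUILTIN | {"DEPT1"}
bob = BUILTIN | {"DEPT1", "DEPT2"}

# Share ACL from the first post, and the one proposed in the last reply.
share_before = {"Everyone": READ}
share_after = {"Everyone": FULL}

# NTFS ACLs: root as proposed in the last reply, subfolders as in the first post.
ntfs_root_after = {"Authenticated Users": READ}
ntfs_dept1 = {"Domain Admins": FULL, "DEPT1": MODIFY}
ntfs_dept2 = {"Domain Admins": FULL, "DEPT2": MODIFY}

def scenario():
    return {
        "before: alice in DEPT1": effective(share_before, ntfs_dept1, alice),
        "after:  alice in root": effective(share_after, ntfs_root_after, alice),
        "after:  alice in DEPT1": effective(share_after, ntfs_dept1, alice),
        "after:  alice in DEPT2": effective(share_after, ntfs_dept2, alice),
        "after:  bob in DEPT2": effective(share_after, ntfs_dept2, bob),
    }

if __name__ == "__main__":
    for case, rights in scenario().items():
        print(f"{case:24} {sorted(rights) or 'no access'}")
```
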
 