Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Setting different permissions for a particular folder


  • Please log in to reply
13 replies to this topic

#1 Micallen

Micallen

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:S. C.
  • Local time:11:00 PM

Posted 23 March 2016 - 06:40 PM

Here's a server (really a permissions) question. I added a user (Reggie) to a particular folder's permissions, and made him read only. I tried to check the DENY box for Full Control and Change, but with the DENY boxes, you have to have all 3 checked.

Anyway, this doesn't really change his permissions. I even added my self and had just READ ONLY checked. I rebooted my computer and still had full read/write/delete access.

Why? Does the EVERYONE group having full control supersede a user ?? If so, does that mean I will have to make a user for each person and set permissions accordingly?

 

 


________________

Micallen


BC AdBot (Login to Remove)

 


#2 SleepyDude

SleepyDude

  • Malware Response Team
  • 3,083 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:04:00 AM

Posted 23 March 2016 - 06:48 PM

Hi,
 

Why? Does the EVERYONE group having full control supersede a user ??


Yes.
 

If so, does that mean I will have to make a user for each person and set permissions accordingly?

 

The recommended way to do it is by creating Groups and give permissions to the groups then add the users to that group. This avoid the need of changing the permissions in every folder if you need to give the same permissions to another user or remove the permissions from some user.


Edited by SleepyDude, 23 March 2016 - 06:49 PM.

• Please do not PM me asking for support. Post on the forums instead it will increases the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#3 Micallen

Micallen
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:S. C.
  • Local time:11:00 PM

Posted 23 March 2016 - 07:06 PM

Hi,
 

Why? Does the EVERYONE group having full control supersede a user ??

Yes.
 

If so, does that mean I will have to make a user for each person and set permissions accordingly?

 
The recommended way to do it is by creating Groups and give permissions to the groups then add the users to that group. This avoid the need of changing the permissions in every folder if you need to give the same permissions to another user or remove the permissions from some user.

That is along the lines of what I started thinking. Thank you.

Edited by Micallen, 23 March 2016 - 07:07 PM.

________________

Micallen


#4 x64

x64

  • Members
  • 352 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London UK
  • Local time:04:00 AM

Posted 24 March 2016 - 02:05 AM

A few tips.

 

Do NOT use DENY in the routine use of permissions - it is useful in particular complex scenarios only.

 

As Micallen sys - use groups to make permissions easier to manage. In your scenario - let's say the folder is called "Marketing", you could create groups "Marketing-RW" and "Marketing RO"

 

Permissions are set in two ways... On there Files/Folders themselves and on the Share. A particular user has the greatest access afforded by any of his groups or his personlally assigned for the Share access (just getting into the share, but not neccessarily to the data within), and similary the greatest access afforded by any of his groups or his personally assigned permissions for the file/folder access. However a particular element (read or modify) - they need access in BOTH Share and file/folder permissions to be able to leverage that right.

 

Limit users to Modify (r/w) or Read (r/o) permissions. No need for anything more complex for what you are doing. Only Administrators should have Full control.

 

You could set:

Admins (or domain admins) - full control

"Marketing-RW" - modify

"Marketing-RO" - read

 

On both the Share permissions, and on the file/folder being shared.

Do NOT remove the "SYSTEM - Full control" file/folder permission from any folder permissions that you set.  System does not need to be in the share permissions.

 

x64


Edited by x64, 24 March 2016 - 02:07 AM.


#5 Micallen

Micallen
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:S. C.
  • Local time:11:00 PM

Posted 24 March 2016 - 06:19 AM

A few tips.

 

Do NOT use DENY in the routine use of permissions - it is useful in particular complex scenarios only.

 

As Micallen sys - use groups to make permissions easier to manage. In your scenario - let's say the folder is called "Marketing", you could create groups "Marketing-RW" and "Marketing RO"

 

Permissions are set in two ways... On there Files/Folders themselves and on the Share. A particular user has the greatest access afforded by any of his groups or his personlally assigned for the Share access (just getting into the share, but not neccessarily to the data within), and similary the greatest access afforded by any of his groups or his personally assigned permissions for the file/folder access. However a particular element (read or modify) - they need access in BOTH Share and file/folder permissions to be able to leverage that right.

 

Limit users to Modify (r/w) or Read (r/o) permissions. No need for anything more complex for what you are doing. Only Administrators should have Full control.

 

You could set:

Admins (or domain admins) - full control

"Marketing-RW" - modify

"Marketing-RO" - read

 

On both the Share permissions, and on the file/folder being shared.

Do NOT remove the "SYSTEM - Full control" file/folder permission from any folder permissions that you set.  System does not need to be in the share permissions.

 

x64

Thank you as well.  I've taken this info, and found some more online (now knowing WHAT to look for.)  I should be able to set things the way I need to.


________________

Micallen


#6 Micallen

Micallen
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:S. C.
  • Local time:11:00 PM

Posted 24 March 2016 - 08:42 AM

NEW PROBLEM !!

 

I was playing with permissions.  I set up 3 groups and added users to the 3 groups as needed.  When I applied permissions, a box came up and started applying settings to each individual older/file, etc.  It looked like it was going to take forever, and I cancelled it (thinking I need to do this on a weekend.

 

As a result, all the subfolders and files are un-accessable.  The HD permissions are OK.  The main folder that contains all the sub-folders, the permissions are OK.  But all the sub-folders and files, the permissions are grayed out.  Nothing I have tried has corrected it.  And I have everyone locked out of all our projects.

 

Any ideas ???  Help !!!!!


________________

Micallen


#7 x64

x64

  • Members
  • 352 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London UK
  • Local time:04:00 AM

Posted 24 March 2016 - 03:11 PM

If the folders are still availble to Admins, goto the root folder of the share, ensure that the file/folder permissions there are as you want them. Stay in the security tab of the folder properties and click the "Advanced" button. Ensure "Replace all chilld object permissions with inheritable permission entries that derive from this object" is ticked, Click apply and wait for it to complete.

 

By Grey- do you mean the ticks against each permission are grey?  That is normal and merely says the permission is inherited from the parent folder (rather being actively adjusted at this folder level)

 

x64



#8 Micallen

Micallen
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:S. C.
  • Local time:11:00 PM

Posted 28 March 2016 - 08:34 AM

If the folders are still availble to Admins, goto the root folder of the share, ensure that the file/folder permissions there are as you want them. Stay in the security tab of the folder properties and click the "Advanced" button. Ensure "Replace all chilld object permissions with inheritable permission entries that derive from this object" is ticked, Click apply and wait for it to complete.

 

By Grey- do you mean the ticks against each permission are grey?  That is normal and merely says the permission is inherited from the parent folder (rather being actively adjusted at this folder level)

 

x64

I did this to no avail.  I've put in a call to the folks that installed our server Thursday, but meanwhile, we are severely limited at work.

As admin to the server, I can access files, so as needed, I've been copying things to a thumb drive for people.


________________

Micallen


#9 Micallen

Micallen
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:S. C.
  • Local time:11:00 PM

Posted 28 March 2016 - 08:55 AM

I just figured it out!  Under Shared Folders and websites, I looked under Shared Folder Permissions for the drive in question.  "Everyone" has been removed by some previous action I did Thursday.  I added Everyone back, and premissions were restored.


________________

Micallen


#10 Micallen

Micallen
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:S. C.
  • Local time:11:00 PM

Posted 28 March 2016 - 09:48 AM

NOW, that I have fixed the problem, I have set up a separate top-level folder called TEST to practice permission and sharing on - to be able to set things up the way I want.  At first EVERYONE had permissions, so I mapped a network drive on a computer that I DON'T want to have access (Brian).  Once I removed Everyone, Brian could not access.

 

Then I did the following:

USERS AND GROUPS:  added the group "Engineering" (added 4 users to this group - BRIAN not included)

 

Shared Folders and Web Sites:  Rt Click on TEST, Properties, Security:  Edit, Add, (added Engineering, removed Everyone)

Then under Engineering:  Edit, Allow (all but Full control - then eventually I checked F.C. as well).

Also showing are System and Administrator.

 

BUT, "Chris" who is in the Engineering group and should now have permissions, can't even map the drive, because he "doesn't have permissions."

 

What am I missing ?


Edited by Micallen, 28 March 2016 - 09:58 AM.

________________

Micallen


#11 x64

x64

  • Members
  • 352 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London UK
  • Local time:04:00 AM

Posted 28 March 2016 - 11:26 AM

Has Chris logged on since you added him to Engineering? If not he will not have picked up the permissions yet.

 

Also go back to my first post and re-read it in conjuction with the extre information below.

 

There are TWO places where permissions need to be assigned - on the share itself (The front door), and to the files/folders inside. I'm not sure which tool you are manipulating the share with but it might not be too clear on the differentiation between the two types of permision through it.

 

In order to staraighten things out, use windows Explorer. Navigate to the shared folder right click it and choose properties.

 

The Folder share permissions are on the "Sharing" tab, behind  the "Advanced Sharing" button, and the "Permissions" button.

The file/folder permissions are those on the "Security" tab.

 

x64



#12 Micallen

Micallen
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:S. C.
  • Local time:11:00 PM

Posted 28 March 2016 - 11:44 AM

Has Chris logged on since you added him to Engineering? If not he will not have picked up the permissions yet.

 

Also go back to my first post and re-read it in conjuction with the extre information below.

 

There are TWO places where permissions need to be assigned - on the share itself (The front door), and to the files/folders inside. I'm not sure which tool you are manipulating the share with but it might not be too clear on the differentiation between the two types of permision through it.

 

In order to staraighten things out, use windows Explorer. Navigate to the shared folder right click it and choose properties.

 

The Folder share permissions are on the "Sharing" tab, behind  the "Advanced Sharing" button, and the "Permissions" button.

The file/folder permissions are those on the "Security" tab.

 

x64

Your first sentence may have answered the question.  He was already logged in.  I did not have him log out, and back in... but I will now.


________________

Micallen


#13 Micallen

Micallen
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:S. C.
  • Local time:11:00 PM

Posted 28 March 2016 - 12:09 PM

With "Brian's" computer. I tested adding Brian to the Engineering Group, removing him, adding him again - each time logging out, and back in. and it worked as it should.

 

Thank you @x64 for all the help !!


________________

Micallen


#14 Wand3r3r

Wand3r3r

  • Members
  • 2,027 posts
  • OFFLINE
  •  
  • Local time:08:00 PM

Posted 28 March 2016 - 06:41 PM

Set yourself up a test computer/server to practice on.  Do not use the real time server for this!!! if this isn't an option then set up a test folder with subfolders and other test logins so you can test nondestructively.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users