Setting different permissions for a particular folder

Here's a server (really a permissions) question. I added a user (Reggie) to a particular folder's permissions, and made him read only. I tried to check the DENY box for Full Control and Change, but with the DENY boxes, you have to have all 3 checked.

Anyway, this doesn't really change his permissions. I even added my self and had just READ ONLY checked. I rebooted my computer and still had full read/write/delete access.

Why? Does the EVERYONE group having full control supersede a user ?? If so, does that mean I will have to make a user for each person and set permissions accordingly?

Hi,
 

Why? Does the EVERYONE group having full control supersede a user ??

Yes.
 

If so, does that mean I will have to make a user for each person and set permissions accordingly?

The recommended way to do it is by creating Groups and give permissions to the groups then add the users to that group. This avoid the need of changing the permissions in every folder if you need to give the same permissions to another user or remove the permissions from some user.

Edited by SleepyDude, 23 March 2016 - 06:49 PM.

Hi,
 

Why? Does the EVERYONE group having full control supersede a user ??

Yes.
 

If so, does that mean I will have to make a user for each person and set permissions accordingly?

 
The recommended way to do it is by creating Groups and give permissions to the groups then add the users to that group. This avoid the need of changing the permissions in every folder if you need to give the same permissions to another user or remove the permissions from some user.

Edited by Micallen, 23 March 2016 - 07:07 PM.

A few tips.

Do NOT use DENY in the routine use of permissions - it is useful in particular complex scenarios only.

As Micallen sys - use groups to make permissions easier to manage. In your scenario - let's say the folder is called "Marketing", you could create groups "Marketing-RW" and "Marketing RO"

Permissions are set in two ways... On there Files/Folders themselves and on the Share. A particular user has the greatest access afforded by any of his groups or his personlally assigned for the Share access (just getting into the share, but not neccessarily to the data within), and similary the greatest access afforded by any of his groups or his personally assigned permissions for the file/folder access. However a particular element (read or modify) - they need access in BOTH Share and file/folder permissions to be able to leverage that right.

Limit users to Modify (r/w) or Read (r/o) permissions. No need for anything more complex for what you are doing. Only Administrators should have Full control.

You could set:

Admins (or domain admins) - full control

"Marketing-RW" - modify

"Marketing-RO" - read

On both the Share permissions, and on the file/folder being shared.

Do NOT remove the "SYSTEM - Full control" file/folder permission from any folder permissions that you set.  System does not need to be in the share permissions.

x64

Edited by x64, 24 March 2016 - 02:07 AM.

A few tips.

 

Do NOT use DENY in the routine use of permissions - it is useful in particular complex scenarios only.

 

As Micallen sys - use groups to make permissions easier to manage. In your scenario - let's say the folder is called "Marketing", you could create groups "Marketing-RW" and "Marketing RO"

 

Permissions are set in two ways... On there Files/Folders themselves and on the Share. A particular user has the greatest access afforded by any of his groups or his personlally assigned for the Share access (just getting into the share, but not neccessarily to the data within), and similary the greatest access afforded by any of his groups or his personally assigned permissions for the file/folder access. However a particular element (read or modify) - they need access in BOTH Share and file/folder permissions to be able to leverage that right.

 

Limit users to Modify (r/w) or Read (r/o) permissions. No need for anything more complex for what you are doing. Only Administrators should have Full control.

 

You could set:

Admins (or domain admins) - full control

"Marketing-RW" - modify

"Marketing-RO" - read

 

On both the Share permissions, and on the file/folder being shared.

Do NOT remove the "SYSTEM - Full control" file/folder permission from any folder permissions that you set.  System does not need to be in the share permissions.

 

x64

Thank you as well.  I've taken this info, and found some more online (now knowing WHAT to look for.)  I should be able to set things the way I need to.

NEW PROBLEM !!

I was playing with permissions.  I set up 3 groups and added users to the 3 groups as needed.  When I applied permissions, a box came up and started applying settings to each individual older/file, etc.  It looked like it was going to take forever, and I cancelled it (thinking I need to do this on a weekend.

As a result, all the subfolders and files are un-accessable.  The HD permissions are OK.  The main folder that contains all the sub-folders, the permissions are OK.  But all the sub-folders and files, the permissions are grayed out.  Nothing I have tried has corrected it.  And I have everyone locked out of all our projects.

Any ideas ???  Help !!!!!

If the folders are still availble to Admins, goto the root folder of the share, ensure that the file/folder permissions there are as you want them. Stay in the security tab of the folder properties and click the "Advanced" button. Ensure "Replace all chilld object permissions with inheritable permission entries that derive from this object" is ticked, Click apply and wait for it to complete.

By Grey- do you mean the ticks against each permission are grey?  That is normal and merely says the permission is inherited from the parent folder (rather being actively adjusted at this folder level)

x64

If the folders are still availble to Admins, goto the root folder of the share, ensure that the file/folder permissions there are as you want them. Stay in the security tab of the folder properties and click the "Advanced" button. Ensure "Replace all chilld object permissions with inheritable permission entries that derive from this object" is ticked, Click apply and wait for it to complete.

 

By Grey- do you mean the ticks against each permission are grey?  That is normal and merely says the permission is inherited from the parent folder (rather being actively adjusted at this folder level)

 

x64

I did this to no avail.  I've put in a call to the folks that installed our server Thursday, but meanwhile, we are severely limited at work.

As admin to the server, I can access files, so as needed, I've been copying things to a thumb drive for people.

I just figured it out!  Under Shared Folders and websites, I looked under Shared Folder Permissions for the drive in question.  "Everyone" has been removed by some previous action I did Thursday.  I added Everyone back, and premissions were restored.

NOW, that I have fixed the problem, I have set up a separate top-level folder called TEST to practice permission and sharing on - to be able to set things up the way I want.  At first EVERYONE had permissions, so I mapped a network drive on a computer that I DON'T want to have access (Brian).  Once I removed Everyone, Brian could not access.

Then I did the following:

USERS AND GROUPS:  added the group "Engineering" (added 4 users to this group - BRIAN not included)

Shared Folders and Web Sites:  Rt Click on TEST, Properties, Security:  Edit, Add, (added Engineering, removed Everyone)

Then under Engineering:  Edit, Allow (all but Full control - then eventually I checked F.C. as well).

Also showing are System and Administrator.

BUT, "Chris" who is in the Engineering group and should now have permissions, can't even map the drive, because he "doesn't have permissions."

What am I missing ?

Edited by Micallen, 28 March 2016 - 09:58 AM.

Has Chris logged on since you added him to Engineering? If not he will not have picked up the permissions yet.

Also go back to my first post and re-read it in conjuction with the extre information below.

There are TWO places where permissions need to be assigned - on the share itself (The front door), and to the files/folders inside. I'm not sure which tool you are manipulating the share with but it might not be too clear on the differentiation between the two types of permision through it.

In order to staraighten things out, use windows Explorer. Navigate to the shared folder right click it and choose properties.

The Folder share permissions are on the "Sharing" tab, behind  the "Advanced Sharing" button, and the "Permissions" button.

The file/folder permissions are those on the "Security" tab.

x64

Has Chris logged on since you added him to Engineering? If not he will not have picked up the permissions yet.

 

Also go back to my first post and re-read it in conjuction with the extre information below.

 

There are TWO places where permissions need to be assigned - on the share itself (The front door), and to the files/folders inside. I'm not sure which tool you are manipulating the share with but it might not be too clear on the differentiation between the two types of permision through it.

 

In order to staraighten things out, use windows Explorer. Navigate to the shared folder right click it and choose properties.

 

The Folder share permissions are on the "Sharing" tab, behind  the "Advanced Sharing" button, and the "Permissions" button.

The file/folder permissions are those on the "Security" tab.

 

x64

Your first sentence may have answered the question.  He was already logged in.  I did not have him log out, and back in... but I will now.

With "Brian's" computer. I tested adding Brian to the Engineering Group, removing him, adding him again - each time logging out, and back in. and it worked as it should.

Thank you @x64 for all the help !!

Set yourself up a test computer/server to practice on.  Do not use the real time server for this!!! if this isn't an option then set up a test folder with subfolders and other test logins so you can test nondestructively.