Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Granting permissions to sub folders


  • Please log in to reply
7 replies to this topic

#1 searchingpaths

searchingpaths

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:06 AM

Posted 26 January 2017 - 01:07 PM

As an administrator I can create and grant permissions to folders with no problem.  I have one folder on my system which has several sub folders.  Each sub folder is unique to an individual users and that user is granted full rights to that sub folder, but not the parent folder. 

There is a manager within the company who would like to be able to create sub folders, and with full permissions already, can do that.  However the manager would then like to be able to assign full rights to that folder to a specific individual, such as a folder for a new hire.  I can do it, but would like to delegate this authority to that manager.  I have gone to the delegation of control wizard in the AD but do not see that permission.  I thought that giving full control of the parent folder to the individual would permit that but it does not. 



BC AdBot (Login to Remove)

 


#2 JohnnyJammer

JohnnyJammer

  • Members
  • 1,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:05:06 PM

Posted 26 January 2017 - 10:18 PM

With issues like this i always do mine like so.

1. (Root folder)  Add System (Full), Authenticated Users (Read), Administrators (Full) to the root folder NTFS permissions and share permissions.

2. Any subfolder here on in, always untick the inherited permissions (Under advanced permissions and when it asks always click the Add button because you can untick authenticated users from here)) and only allow those who need write access whether its by a security group in AD or by single user.

 

This means that from the root folder authenticated users can view the shares and read the ntfs permissions on each folder and subfolder unless they have the %username% permissions on their own folder.

Normally this type of folder tree would be for people to have a home drive mapped at logon.


Edited by JohnnyJammer, 26 January 2017 - 10:19 PM.


#3 searchingpaths

searchingpaths
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:06 AM

Posted 27 January 2017 - 10:55 AM

Hello JohnnyJammer,

I understand how to give permissions to various folders.  My issue is that it generally needs an administrator or super user to be able to give those permissions.  I would like to delegate that responsibility to an individual manager without making that manager an administrator.  I do not see anything about this in the Delegation of Control Wizard in the Active Directory.  I am doing this on a Windows 2008 R2 server.  I know it is generally not a good idea to do something like this but the user is someone i trust to not abuse the privilege. 


Edited by searchingpaths, 27 January 2017 - 10:56 AM.


#4 JohnnyJammer

JohnnyJammer

  • Members
  • 1,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:05:06 PM

Posted 27 January 2017 - 09:24 PM

Then just give the manager modify permissions mate.



#5 searchingpaths

searchingpaths
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:06 AM

Posted 27 January 2017 - 09:46 PM

I wish the answer were that simple.  The manager does have full permission to the parent folder.  He can create a sub folder with no problem.  But he cannot give permission to a specific user to have have access to that folder.  It takes an administrator to grant permissions to a specific user.  I have tried that numerous times and it just has not worked. The message I get is "An error occurred while applying security information to (new folder name)".  Then it tells me "Access is Denied."


Edited by searchingpaths, 27 January 2017 - 09:48 PM.


#6 sflatechguy

sflatechguy

  • BC Advisor
  • 2,242 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:06 AM

Posted 29 January 2017 - 10:37 AM

When you say he has "full permissions", do you mean he has the "full control" permission? That's what he would need in order to do what you are suggesting; the subfolders would also need to inherit permissions from the main folder. The question now is, do you want to give a non-administrator full control permissions over a folder?

 

The Delegation of Control wizard is for granting permissions in AD -- you can't use it to delegate NTFS permissions.



#7 searchingpaths

searchingpaths
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:06 AM

Posted 29 January 2017 - 07:01 PM

Okay, I will try to explain this again.  This is a windows 2008 network.  I have a drive mapped for users to have their own personal folders.  When I look at properties of the folder and go to Security.I look for user Anna and she has Full Control, including Modify, Read & Execute, etc. for that folder.  Anna is able to create sub folders with no problem.  We have a new user, Bob, who just started and Bob needs his own sub folder, so Anna can create it and name it Bob.  When she opens the Bob folder she wants to grant Bob full control of that folder, but not of the other sub folders in the parent folder.  When she goes to Bob's folder and checks properties and tries to add Bob to the list of users for that folder she sees a message "An error occurred while applying security information to Z:\Bob   Access is denied"  This access denied is why i was looking at AD and delegation, but I do not see that permission there.  What can I do to give Anna permission to give Bob access to the folder.  As administrator I can do it, but I do not want to elevate Anna to an administrator. 



#8 sflatechguy

sflatechguy

  • BC Advisor
  • 2,242 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:06 AM

Posted 30 January 2017 - 09:01 AM

Giving the user Full Control should give them the "Change Permissions" permission: https://technet.microsoft.com/en-us/library/cc732880(v=ws.11).aspx

 

If that's not the case, you can click the Advanced button on the Security tab, select the user, click the Edit button, and make sure the "Change Permissions" box is ticked. You may have to click the Show Advanced Permissions link in the upper right corner of the dialog box.

 

If neither of these works, then you'll have to make her an administrator.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users