How to Assign NTFS Permissions in W2k3 for Child Folders?

By Dolphin111
Greetings,

NTFS permissions can be a headache at times and that's exactly what I am going through right now.
Here is the situation I am facing: We are running Windows Server 2003 in our domain with a file server where we have a shared folder called All Employees, and each user or employee has his own folder inside this All Employees folder. What we want is that every user can gain access to the All Employees folder but should not access another user's folder.

So what I did was to assign the List Folder Content permission to the Domain Users group for the root folder, in this case All Employees, since all the domain users are part of the Domain Users security group. This worked just fine, but the problem is that the permission I assigned to the parent folder (All Employees) is propagating through to all child folders, enabling all users to traverse to another user's folder; even though they cannot open the files, they can see what is in other employees' folders. Our aim is to restrict users from accessing a fellow employee's folder: after they have gained access to the root folder (All Employees), the respective user should only be able to access his folder. By the way, we have over 250 users.

All Answers

child folders

by patb071 In reply to How to Assign NTFS Permis ...

Have you unchecked apply settings to child folders? You can also set the permissions for everyone to read and write so that way a new user is able to create a folder, but you need to make sure the setting goes to that folder and not to child folders.

Turn off inheritance

by Kenone In reply to How to Assign NTFS Permis ...

If it has already propagated down through all 250+ users then you have a mess to straighten out.

Unchecked apply settings to child folders

by Dolphin111 In reply to How to Assign NTFS Permis ...

patb071,
Where exactly do I uncheck apply settings to child folders? Do you mean in the advanced option?

Response To Answer

by patb071 In reply to Unchecked apply settings ...

Yes, but as stated before you may be in trouble now.

Your best bet may be to delete the list content for all users; this will not allow users to see the folder. Then you will need to re-add the read for everyone, but there should be an option in the advanced that says apply settings to child folders; you will need to uncheck that. Then it should ask to remove the current settings on the child folders or keep them; you will want to keep them.

*I don't have access to a server right now so the wording is not exact.*
*I also recommend you test any changes from here on out so you don't mess anything else up.*
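
A scripted version of the fix described above, added here as an example and not part of any post in the thread: it re-creates the Domain Users entry on the root as "This folder only" and then reports every employee folder that still carries an entry for that group. The path and domain name are placeholders, and it assumes PowerShell is installed on the file server and the script is run by an administrator.

```powershell
# Assumed values, not from the thread: adjust before use.
$root   = 'D:\All Employees'     # hypothetical path of the shared folder
$domain = 'EXAMPLE'              # hypothetical NetBIOS domain name
$group  = New-Object System.Security.Principal.NTAccount($domain, 'Domain Users')

# Step 1: on the root, replace the group's explicit entries with one that
# is not inheritable. InheritanceFlags 'None' corresponds to
# "Apply to: This folder only" in the Advanced security dialog.
$acl = Get-Acl -Path $root
$acl.PurgeAccessRules($group)    # removes the group's explicit ACEs on the root
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $group, 'ReadAndExecute', 'None', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $root -AclObject $acl

# Step 2: audit every employee folder for ACEs that still name the group.
# IsInherited = True  -> still flowing down from a parent folder.
# IsInherited = False -> set on the folder itself; it has to be removed there.
Get-ChildItem -Path $root |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $folder = $_.FullName
        (Get-Acl -Path $folder).Access |
            Where-Object { $_.IdentityReference.Value -eq $group.Value } |
            Select-Object @{ Name = 'Folder'; Expression = { $folder } },
                          FileSystemRights, AccessControlType, IsInherited
    } |
    Format-Table -AutoSize
```

An empty table from step 2 means no employee folder grants anything to Domain Users any more; any row that remains is a folder other users can still list.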

Access-based enumeration

by puiu.chitu In reply to How to Assign NTFS Permis ...

I used access-based enumeration on five file servers from 2007 and I recommend you read a good article about this useful feature, available on Windows 2003 R2 or Windows 2003 with SP1 - http://www.windowsnetworking.com/articles_tutorials/Implementing-Access-Based-Enumeration-Windows-Server-2003.html
From Technet: "Windows Server 2003 Access-based Enumeration makes visible only those files or folders that the user has the rights to access. When Access-based Enumeration is enabled, Windows will not display files or folders that the user does not have the rights to access. This download provides a GUI and a CLI that enables this feature."
Download: http://www.microsoft.com/download/en/details.aspx?id=17510
"There are a few limitations of ABE:
- You need Windows Server 2003 R2 or SP1 in order to be able to use it.
- Users who are administrators will be able to see every file and folder in a share even with ABE enabled and even when they have Deny ACE on these items.
- ABE does not apply to users who can log on interactively to the server, regardless of whether they are administrators or not. This means ABE isn't really suitable for Terminal Services environments.
- You can't configure ABE so that a newly created share is automatically ABE-enabled.
- Finally, ABE adds a few percentage points processing overhead to the file server, and this must be taken into account in heavy-load situations."

Finally Solved

by Dolphin111 In reply to How to Assign NTFS Permis ...

I want to thank you all for your input. I finally managed to work things around; it really was a big mess as stated by Kenone. I had to follow patb071@...'s suggestion and we are finally back in business just the way we want it.
But I still have some questions: (1) When I go to the security properties of this folder and then advanced, when I click on the owners tab I see these two names in the "Change owner to:" box: there is the administrator, who is the current owner, and my name. How do I remove my name from this list and leave just the administrator in that list?

(2) puiu.chitu@..., you spoke of ABE. I haven't yet tried it but it sounds like a good tool and a must-have one. My question is: besides Windows Server 2003 R2 and SP1, can ABE run on XP SP3 just like we run the Active Directory Users and Computers snap-in? If so, please advise further.

Response To Answer

by puiu.chitu In reply to Finally Solved

I'm sorry but the answer is no. ABE can be installed and used only on the server side. But you can use RDP on XP SP3 and work remotely on the server.

Response To Answer

by seanferd In reply to Finally Solved

Administrator: I don't think you can remove that. Your account (with your name) is the administrator account. You would have to remove the account, and then you won't be able to do anything else. If you are the only person in the Administrators Group, you'd be pretty much screwed from then on.

Note that no non-admin can see the NTFS permissions or your name.

Removing My name from the Ownership Tab

by Dolphin111 In reply to How to Assign NTFS Permis ...

I am part of the Domain admin group and I am not the only admin, no wonder I don't want my name there. If it got there, I mean there should also be a way to remove it too. Please help.
