How to Assign NTFS Permissions in W2k3 for Child Folders?

+
1 Votes
Locked

Dolphin111
Greetings,

NTFS permissions can be a headache at times and that's exactly what I am going through right now.
Here is the situation I am facing: We are running Windows Server 2003 in our domain with a file server where we have a shared folder called All Employees, and each user or employee has his own folder inside this All Employees folder. What we want is that every user can gain access to the All Employee's folder but should not access another user's folder.

So what I did was to assign List Folder Content permission to the Domain Users group for the root folder, in this case All Employees, since all the domain users are part of the Domain Users security group. This worked just fine, but the problem is that the permission I assigned to the parent folder (All Employees) is propagating through to all child folders, allowing all users to traverse into another user's folder; even though they cannot open the files, they can see what is in other employees' folders. Our aim is to restrict users from accessing a fellow employee's folder after they have gained access to the root folder (All Employees); the respective user should only be able to access his own folder. By the way, we have over 250 users.
  • +
    2 Votes
    patb071

    Have you unchecked "apply settings to child folders"? You can also set the permissions for Everyone to read and write so that a new user is able to create a folder, but you need to make sure the setting goes to that folder and not to child folders.

    +
    2 Votes
    Kenone

    If it has already propagated down through all 250+ users then you have a mess to straighten out.

    +
    2 Votes
    Dolphin111

    patb071,
    Where exactly do I uncheck "apply settings to child folders"? Do you mean in the Advanced option?

    +
    0 Votes
    patb071

    Yes, but as stated before, you may be in trouble now.

    Your best bet may be to delete the list content for all users; this will not allow users to see the folder. Then you will need to re-add the read for Everyone, but there should be an option in the Advanced settings that says "apply settings to child folders"; you will need to uncheck that. Then it should ask whether to remove the current settings on the child folders or keep them; you will want to keep them.

    *I don't have access to a server right now so the wording is not exact*
    *I also recommend you test any changes from here on out so you don't mess anything else up.*

    +
    1 Votes
    puiu.chitu

    I have used access-based enumeration on five file servers since 2007, and I recommend you read a good article about this useful feature, available on Windows 2003 R2 or Windows 2003 with SP1 - http://www.windowsnetworking.com/articles_tutorials/Implementing-Access-Based-Enumeration-Windows-Server-2003.html
    From Technet: "Windows Server 2003 Access-based Enumeration makes visible only those files or folders that the user has the rights to access. When Access-based Enumeration is enabled, Windows will not display files or folders that the user does not have the rights to access. This download provides a GUI and a CLI that enables this feature."
    Download: http://www.microsoft.com/download/en/details.aspx?id=17510
    "There are a few limitations of ABE:
    - You need Windows Server 2003 R2 or SP1 in order to be able to use it.
    - Users who are administrators will be able to see every file and folder in a share even with ABE enabled and even when they have Deny ACE on these items.
    - ABE does not apply to users who can log on interactively to the server, regardless of whether they are administrators or not. This means ABE isn't really suitable for Terminal Services environments.
    - You can't configure ABE so that a newly created share is automatically ABE-enabled.
    - Finally, ABE adds a few percentage points processing overhead to the file server, and this must be taken into account in heavy-load situations."

    +
    0 Votes
    Dolphin111

    I want to thank you all for your input. I finally managed to work things out; it really was a big mess, as stated by Kenone. I had to follow patb071@...'s suggestion and we are finally back in business, just the way we want it.
    But I still have some questions: (1) When I go to the security properties of this folder, then Advanced, and click on the Owner tab, I see two names in the "Change owner to:" box: the administrator, who is the current owner, and my name. How do I remove my name from this list and leave just the administrator in that list?

    (2) puiu.chitu@... you spoke of ABE. I haven't tried it yet, but it sounds like a good tool and a must-have. My question is: besides Windows Server 2003 R2 and SP1, can ABE run on XP SP3, just like we run the Active Directory Users and Computers snap-in? If so, please advise further.

    +
    0 Votes
    puiu.chitu

    I'm sorry but the answer is no. ABE can be installed and used only on the server side. But you can use RDP on XP SP3 and work remotely on the server.

    +
    0 Votes
    seanferd

    Administrator: I don't think you can remove that. Your account (with your name) is the administrator account. You would have to remove the account, and then you won't be able to do anything else. If you are the only person in the Administrators Group, you'd be pretty much screwed from then on.

    Note that no non-admin can see the NTFS permissions or your name.

    +
    0 Votes
    Dolphin111

    I am part of the Domain Admins group and I am not the only admin, no wonder I don't want my name there. If it got there, I mean there should also be a way to remove it too. Please help.
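
The "this folder only" grant that patb071 describes, scripted with the .NET ACL classes from PowerShell and followed by an audit of the per-user folders for leftover Domain Users entries. This is an added example, not part of the original thread; the share path and the CONTOSO domain name are placeholders, and it assumes PowerShell 2.0 is installed on the file server.

```powershell
# Added example. $root and $group are placeholders: adjust them for your server.
$root  = 'D:\Shares\All Employees'   # hypothetical path to the shared root
$group = 'CONTOSO\Domain Users'      # hypothetical domain name

function New-ThisFolderOnlyRule([string]$Identity) {
    # InheritanceFlags None + PropagationFlags None is what the GUI calls
    # "This folder only": the ACE is not handed down to subfolders or files.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Get-LeftoverGroupAce([string]$Root, [string]$Identity) {
    # List every first-level subfolder whose ACL still allows the broad group in.
    # IsInherited = True  -> the ACE still flows down from a parent folder.
    # IsInherited = False -> the ACE was stamped on the folder itself and must
    #                        be removed there.
    Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $folder = $_
        (Get-Acl -Path $folder.FullName).Access |
            Where-Object { $_.IdentityReference.Value -eq $Identity -and
                           $_.AccessControlType -eq 'Allow' } |
            Select-Object @{n='Folder'; e={ $folder.FullName }},
                          FileSystemRights, IsInherited
    }
}

# 1. On the root, drop the group's explicit ACEs and add a single
#    non-inheritable one so users can open and list the root only.
$acl = Get-Acl -Path $root
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]$group)
$acl.AddAccessRule((New-ThisFolderOnlyRule $group))
Set-Acl -Path $root -AclObject $acl

# 2. Audit: anything printed here is a user folder the group can still enter.
Get-LeftoverGroupAce $root $group | Format-Table -AutoSize
```

An empty table from step 2 means no per-user folder still grants the group access; run it against a copy of the folder tree first, as recommended in the thread.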
