Windows Server 2003 Permissions\Group

By ottawarcolombi
I have a folder structure that allows the owner\creator of a file full permission to their work and everyone else just rights to view. This person works in a group and wants the group to have full permission to each other's work and only their work.

A creates a file, B & C have full rights to A, B & C's work. Everyone else in the office only has view rights and A, B & C only have full permission for any work created by either A, B or C.

Is this possible?


All Answers

It seems simple...

by Brenton Keegan In reply to Windows Server 2003 Permi ...

Maybe I'm missing something, but why can't you just set the permissions you need?

Are A B and C people or groups? From your language they seem to be people. If so, put them in a group and give that group permissions on the folder where these files are stored/created.

Create a second group that contains all employees and give this group read access to this folder.

Maybe I'm misunderstanding something but it seems that what you are asking is pretty straightforward.

in AD environment the most restrictive applies

by CG IT In reply to It seems simple...

so if members of one group have read/write and if members of that group are members of another group that have only read, read will apply [most restrictive].

You are absolutely correct.

by Brenton Keegan In reply to in AD environment the mos ...

and I don't know how I made such a foolish error.

that's in an Active Directory environment which he did not

by CG IT In reply to You are absolutely correc ...

specify whether his network was AD or not.

Just wanted to throw that in there.

Workgroups are another matter.

Yes, in an Active Directory

by ottawarcolombi In reply to It seems simple...

I am talking about a folder with sub folders and files. Everyone publishes to the folders (according to the file numbers). People that create the files have full access to their files alone but can read anyone else's files. The permissions are set at the file level and not for the folder.
When the user A creates a document, it is filed accordingly. That person then has full rights. That person works with two other people (B & C). They are not owners of that file and as such only have read rights. What I want is for those three people to have full rights for their group. So A & B and C will have full rights for documents created by A, B or C but only read for everyone else.

Some Reference material.

by CG IT In reply to Yes, in a active director ...

The article below is a primer on security groups and distribution groups, e.g. domain local, global, universal.

Here is a primer on NTFS permissions.

Finally, here is a primer on using security groups to control access:

Using Security Groups makes tracking and administrating access easier because the group has the permission, not an individual. However, the drawback is that users typically belong to multiple groups. These groups can give less access than intended, noting that the most restrictive permissions apply.

if you feel like scripting...

by Brenton Keegan In reply to Windows Server 2003 Permi ...

Then I can think of a couple options for you. You could write a script that queries the AD database for users within a specific OU and changes the security descriptors on a folder based on a group membership (or lack of group membership). It will look ugly when you look at the permissions, but it would still be managed via group.

Alternately you could have 2 separate groups with permissions set on that folder. Have a scheduled script to run and put users in the group that only had read permissions that aren't in the group with write permissions.
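
A sketch of the first scripting option above, as an added example that is not part of the original thread: it grants a team group Full Control on every file whose owner is a member of that group, and leaves all other files alone. The group name and share path are hypothetical, and it assumes the ActiveDirectory PowerShell module is available (it is not part of a stock Server 2003 install) and that the script runs elevated as an administrator.

```powershell
# Added example: $TeamGroup and $Root are hypothetical placeholders.
Import-Module ActiveDirectory

$TeamGroup = 'Team-ABC'              # hypothetical group holding A, B and C
$Root      = 'D:\Shares\Published'   # hypothetical root of the filing tree
$DryRun    = $true                   # set to $false to actually write ACLs
$SidType   = [System.Security.Principal.SecurityIdentifier]

# Resolve the group once, then collect member SIDs (nested groups included).
$team     = Get-ADGroup -Identity $TeamGroup
$teamSids = Get-ADGroupMember -Identity $team -Recursive |
            ForEach-Object { $_.SID.Value }

# Explicit Allow ACE for the group. Permissions are set per file here,
# so no inheritance or propagation flags are needed.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $team.SID, 'FullControl', 'Allow'

Get-ChildItem -Path $Root -Recurse |
Where-Object { -not $_.PSIsContainer } |
ForEach-Object {
    $acl   = Get-Acl -Path $_.FullName
    $owner = $acl.GetOwner($SidType).Value

    # Only touch files created (owned) by a member of the team.
    if ($teamSids -notcontains $owner) { return }

    # AddAccessRule merges with an identical existing ACE, so re-running
    # the script on a schedule does not pile up duplicates.
    $acl.AddAccessRule($rule)
    Set-Acl -Path $_.FullName -AclObject $acl -WhatIf:$DryRun

    # Emit one line per matched file as a simple audit trail.
    Write-Output ("{0}: owner {1} is in {2}" -f $_.FullName, $owner, $TeamGroup)
}
```

Files owned by an administrative account or by BUILTIN\Administrators are skipped, because the script identifies a team's work purely by the file owner's SID.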
