Windows Server 2003: Proper permissions for a shared folder?

By barth.travis ·

I have a file server on a domain on which is stored individual shares for each user. I have a coworker who changes the permissions and adds, what I believe to be, unnecessary users and groups to the security list.

I need a 'best practices' answer on what the security settings should be for the shares.

There is one folder which contains all of the individual shares. One of the first things he does is share that root folder which I think is completely unnecessary, and all the subfolders, the actual shares, inherit all the crap from this.

For each individual share, he shares the folder with the following permissions:

The domain user name in question
Authenticated Users

The following are in the security list from him entering it manually and from the aforementioned root security settings:

Domain Administrators
Local machine administrators
Creator Owner
Domain Admins
Domain Users
Local machine users

This seems like a bloated, unsecured, shotgun approach to me.

My thoughts are as follows...

The share permissions:

The domain user name in question.

The security list, I would think, should take care of itself? The problem is that it inherits all the crap he has on the unnecessary root share, so I need to clean that up first.

Thanks in advance,



All Answers


very confusing explanation

by Kenone In reply to Windows Server 2003: Prop ...

I think you're saying that he shares out the folder to Authenticated Users and adds each individual user. Not necessary, Authenticated Users covers it. Then for each file security is set to allow that list:

Domain Administrators
Local machine administrators
Creator Owner
Domain Admins
Domain Users
Local machine users

Don't need to add the locals, and with "Domain Users" allowed that covers it - don't need to add individual users. Not secure though. Should remove "Domain Users" and add each individual user as needed. Don't mess with the "System" account.


I think I get what you're saying....

by tmalo627 In reply to Windows Server 2003: Prop ...

Best practices are to only grant permission to those who need it. There is a big list you provided of people who are listed there. However, you didn't say what level of access they have or should have. If what you want is one directory to host individual network shares for each user, we need to determine if the other users should have Read access but not Write or Modify, or no access at all. What are you trying to accomplish?


Here's some info

by Screen Gems In reply to Windows Server 2003: Prop ...

Here are two Microsoft Technet articles on "Best Practices" for shared folders.

The use of security groups and Global Groups in an Active Directory environment for assigning shared folder or file access is the best way because of how permissions are processed. The most restrictive settings always apply, therefore you might grant a user access, but if there is another configuration such as a group being denied access and that user is a member of that group, that user would be denied. It's easier to track groups than individual users. It's also easier to add and remove users from groups than try and set permissions and rights individually.


Thanks for the input!

by barth.travis In reply to Windows Server 2003: Prop ...

I did in fact forget to explain what the desired end result is:

The specific domain user should have full access, and no other domain user should have any access at all other than the domain admins.

I would think that if the root is not shared (I can't imagine why it is) and a new subdir is created and shared to a specific domain user, the security would be set automatically and correctly. Does that sound right?


If it's for the Users Home directory

by Jacky Howe In reply to Windows Server 2003: Prop ...

you can use xcacls to set the permissions.

You will need two batch files, chperm.bat and addperm.bat. Modify chperm.bat to suit your needs. addperm.bat is populated with the users' Logon IDs.

chperm.bat:

    rem %1 is the user's logon ID, which is also the name of that user's home folder.
    rem xcacls without /E replaces the folder's ACL with only Administrators and the user at Full Control (F);
    rem /T applies the same ACL to all subfolders and files, and "echo y|" answers the confirmation prompt.
    echo y| xcacls d:\Server\usrhome\%1 /T /G "Administrators":F %1:F

addperm.bat:

    call c:\chperm.bat user1
    call c:\chperm.bat user2
    call c:\chperm.bat user3
    call c:\chperm.bat user4

and so on.....
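For the end result the original poster describes (only the user, plus administrators, on each home folder), the following PowerShell script is an added example, not code from this thread. It audits every folder under an assumed root for surplus ACEs such as Domain Users or Authenticated Users, and with -Fix it breaks inheritance from the root and rebuilds the ACL; it assumes PowerShell is available on the file server (it was not installed by default on Server 2003), that folder names match logon names, and uses a placeholder domain name.

```powershell
# Added example (not from the thread): audit and optionally repair per-user home
# folder ACLs so that only the user, Administrators and SYSTEM keep access.
# Assumptions: home folders live under $Root and each folder name equals the
# user's logon name in domain $Domain. Run as an administrator on the file server.
param(
    [string]$Root   = 'D:\Server\usrhome',   # assumed path, as in the xcacls post
    [string]$Domain = 'CONTOSO',             # placeholder domain NetBIOS name
    [switch]$Fix                             # without -Fix the script only reports
)

# Principals allowed on every home folder besides the owner. Domain Admins get in
# through their default membership in the server's local Administrators group.
$baseline = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

foreach ($dir in Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer }) {
    $user    = "$Domain\$($dir.Name)"
    $allowed = $baseline + $user
    $acl     = Get-Acl -Path $dir.FullName

    # Any ACE whose trustee is neither the owner nor a baseline principal is
    # surplus (Domain Users, Authenticated Users, BUILTIN\Users, ...).
    $surplus = $acl.Access | Where-Object {
        $allowed -notcontains $_.IdentityReference.Value
    }
    foreach ($ace in $surplus) {
        Write-Warning ("{0}: {1} {2} {3} (inherited={4})" -f $dir.FullName,
            $ace.AccessControlType, $ace.IdentityReference,
            $ace.FileSystemRights, $ace.IsInherited)
    }
    if (-not $Fix) { continue }

    # Rebuild the ACL: stop inheriting from the root folder and drop the inherited
    # ACEs, remove any explicit ones, then grant Full Control to the allowed set.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($id in $allowed) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', $flags, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $dir.FullName -AclObject $acl
    Write-Host "Reset ACL on $($dir.FullName)"
}
```

Run it once without -Fix and read the warnings before letting it rewrite anything; the share permission itself (which this script does not touch) can then be left at the single user, as the original poster intends.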
