help with setting up File Access Rights in Windows 2003

Archived from groups: microsoft.public.win2000.security

I am new to Windows 2003 Server and I am trying to set up a simple
directory structure to allow a small workgroup to access data based on
their group. I come from a Novell background and I can do all the
following very simply in Novell - but I need some help from you MS
Gurus with this one please.

I am setting up the following directory structure

C:\
    Data
        Accounts
        Sales
        Marketing

etc

I need to allow access to Accounts to the Accounts Team and so on.
I set up a security group called Accts and pulled the 2 accts people
into it.
I set up Data as a shared resource on the server.
I then went to the c:\Data\Accounts Folder and removed all inherited
rights and assigned Full rights to the administrator and the Accts
Group.

BUT with this configuration, H: (mapped to the Accounts Share) from a
PC logged in with an Accts Group account cannot access the folders.
(Access Denied)

If I let the rights from C:\Data\Accounts propagate DOWNwards, it
changes nothing.

If however I allow inherited rights from above, everything works. But
it also means ALL non Accts group users also can see everything in the
folder.

I asked a few colleagues and we didn't manage to work it out. What's
the answer anyone please... Or is the answer not to use W2003 in this
way? Shall I create several shares and assign rights to shares?

The only way I got this to work is if I explicitly set the rights by
username. But I don't want to do this for obvious reasons.

Thanks in advance.

Saeed


  1. Archived from groups: microsoft.public.win2000.security

    You could give the everyone or users group read/list permissions to the data
    folder/share. Then remove inheritance from the three sub folders and give
    explicit permissions to the users/groups that you want to access each
    folder. In Windows if a user is a member of a group that has explicit deny
    permissions to a folder they will be denied access to a folder no matter
    what their other membership is. Try not to use deny permissions if at all
    possible and keep in mind that administrators are members of users and
    everyone groups. Also when testing your setup keep in mind that if creator
    owner is present in permissions, a user who creates a file will
    receive creator owner permissions for that file. You can look in
    advanced/owner tab to see who is the owner of a file. The links below may
    help. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;301281
    http://support.microsoft.com/default.aspx?kbid=300691
    http://support.microsoft.com/?id=301195
  2. Archived from groups: microsoft.public.win2000.security

    Have you set up both sharing and security permissions on 'accounts'? If
    nothing is inherited then I THINK (correct me if I'm wrong Steven LOL)
    then they won't see the accounts share. Inherited rights filtering in
    Windows is not the same as the inherited rights filter system on Netware
    (if only it was.........). My inclination would be to share at the level
    of accounts, sales and marketing - with permissions to suit. Rather than
    share at the level of data.
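
The procedure from the first reply (list-only access on Data, inheritance removed on each subfolder, explicit group grants), written as a PowerShell script using the .NET ACL classes. This is an added example, not part of the original thread. It assumes PowerShell is installed on the server and run elevated; the group names SalesGrp and MktgGrp and the Modify rights level are assumptions (only Accts appears in the thread).

```powershell
# Added example. SalesGrp / MktgGrp are hypothetical group names.
$root = 'C:\Data'
$map  = @{ Accounts = 'Accts'; Sales = 'SalesGrp'; Marketing = 'MktgGrp' }

$inheritAll = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noInherit  = [System.Security.AccessControl.InheritanceFlags]::None
$noProp     = [System.Security.AccessControl.PropagationFlags]::None
$allow      = [System.Security.AccessControl.AccessControlType]::Allow

function New-Rule($identity, $rights, $inherit) {
    $r = [System.Security.AccessControl.FileSystemRights]$rights
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $r, $inherit, $noProp, $allow)
}

# 1. Users may list the top-level folder only; this ACE is not passed to children.
$acl = Get-Acl $root
$acl.AddAccessRule((New-Rule 'BUILTIN\Users' 'ReadAndExecute' $noInherit))
Set-Acl $root $acl

# 2. Each department folder: stop inheriting, discard inherited ACEs, grant explicitly.
foreach ($folder in $map.Keys) {
    $path = Join-Path $root $folder
    $acl  = Get-Acl $path
    $acl.SetAccessRuleProtection($true, $false)   # protected; parent ACEs not copied
    $acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl' $inheritAll))
    $acl.AddAccessRule((New-Rule $map[$folder] 'Modify' $inheritAll))
    Set-Acl $path $acl
}

# 3. Audit the result, flagging the entries the reply says to watch for.
foreach ($folder in $map.Keys) {
    $path = Join-Path $root $folder
    foreach ($ace in (Get-Acl $path).Access) {
        $who  = $ace.IdentityReference.Value
        $flag = ''
        if     ($ace.AccessControlType -eq 'Deny') { $flag = 'explicit DENY' }
        elseif ($who -match 'CREATOR OWNER')       { $flag = 'CREATOR OWNER present' }
        elseif ($ace.IsInherited)                  { $flag = 'still inherited' }
        '{0,-10} {1,-26} {2,-14} {3}' -f $folder, $who, $ace.FileSystemRights, $flag
    }
}
```

The script changes NTFS permissions only. Share permissions on the Data share are set separately, and the access a user gets over the network is the more restrictive of the two.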