Sign in with
Sign up | Sign in
Your question

help with setting up File Access Rights in Windows 2003

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
April 5, 2005 3:23:01 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I am new to Windows 2003 Server and I am trying to set up a simple
directory structure to allow a small workgroup to access data based on
their group. I come from a Novell background and I can do all the
following very simply in Novell - but I need some help from you MS
Gurus with this one please.

I am setting up the following directory structure

C:\
Data
Accounts
Sales
Marketing

etc

I need to allow access to Accounts to the Accounts Team and so on.
I set up a security group called Accts and pulled the 2 accts people
into it.
I set up Data as a shared resource on the server.
I then went to the c:\Data\Accounts Folder and removed all inherited
rights and assigned Full rights to the administrator and the Accts
Group.

BUT with this configuration, H: (mapped to the Accounts Share) from a
PC logged in with an Accts Group account cannot access the folders.
(Access Denied)

If I let the rights from C:\Data\Accounts propagate DOWNwards, it
changes nothing.

If however I allow inherited rights from above, everything works. But
it also means ALL non Accts group users also can see everything in the
folder.

I asked a few colleagues and we didn't manage to work it out. What's
the answer anyone please... Or is the answer not to use W2003 in this
way? Shall I create several shares and assign rights to shares?

The only way I got this to work is if I explicitly set the rights by
username. But I don't want to do this for obvious reasons.

Thanks in advance.

Saeed



ì
Anonymous
a b 8 Security
April 5, 2005 7:04:49 PM

Archived from groups: microsoft.public.win2000.security (More info?)

You could give the everyone or users group read/list permissions to the data
folder/share. Then remove inheritance from the three sub folders and give
explicit permissions to the users/groups that you want to access each
folder. In Windows if a user is a member of a group that has explicit deny
permissions to a folder they will be denied access to a folder no matter
what their other membership is. Try not to use deny permissions if at all
possible and keep in mind that administrators are members of users and
everyone groups. Also when testing your setup keep in mind that if creator
owner is present in permissions, that a users that creates a file will
receive creator owner permissions for that file. You can look in
advanced/owner tab to see who is the owner of a file. The links below may
help. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;301281
http://support.microsoft.com/default.aspx?kbid=300691
http://support.microsoft.com/?id=301195

"iceghost" <msm0001@hotmail.com> wrote in message
news:e00d57df.0504051023.9bf8b49@posting.google.com...
>I am new to Windows 2003 Server and I am trying to set up a simple
> directory structure to allow a small workgroup to access data based on
> their group. I come from a Novell background and I can do all the
> following very simply in Novell - but I need some help from you MS
> Gurus with this one please.
>
> I am setting up the following directory structure
>
> C:\
> Data
> Accounts
> Sales
> Marketing
>
> etc
>
> I need to allow access to Accounts to the Accounts Team and so on.
> I set up a security group called Accts and pulled the 2 accts people
> into it.
> I set up Data as a shared resource on the server.
> I then went to the c:\Data\Accounts Folder and removed all inherited
> rights and assigned Full rights to the administrator and the Accts
> Group.
>
> BUT with this configuration, H: (mapped to the Accounts Share) from a
> PC logged in with an Accts Group account cannot access the folders.
> (Access Denied)
>
> If I let the rights from C:\Data\Accounts propagate DOWNwards, it
> changes nothing.
>
> If however I allow inherited rights from above, everything works. But
> it also means ALL non Accts group users also can see everything in the
> folder.
>
> I asked a few colleagues and we didn't manage to work it out. What's
> the answer anyone please... Or is the answer not to use W2003 in this
> way? Shall I create several shares and assign rights to shares?
>
> The only way I got this to work is if I explicitly set the rights by
> username. But I don't want to do this for obvious reasons.
>
> Thanks in advance.
>
> Saeed
>
>
>
> ì
Anonymous
a b 8 Security
April 6, 2005 12:56:17 PM

Archived from groups: microsoft.public.win2000.security (More info?)

iceghost wrote:
> I am new to Windows 2003 Server and I am trying to set up a simple
> directory structure to allow a small workgroup to access data based on
> their group. I come from a Novell background and I can do all the
> following very simply in Novell - but I need some help from you MS
> Gurus with this one please.
>
> I am setting up the following directory structure
>
> C:\
> Data
> Accounts
> Sales
> Marketing
>
> etc
>
> I need to allow access to Accounts to the Accounts Team and so on.
> I set up a security group called Accts and pulled the 2 accts people
> into it.
> I set up Data as a shared resource on the server.
> I then went to the c:\Data\Accounts Folder and removed all inherited
> rights and assigned Full rights to the administrator and the Accts
> Group.
>
> BUT with this configuration, H: (mapped to the Accounts Share) from a
> PC logged in with an Accts Group account cannot access the folders.
> (Access Denied)
>
> If I let the rights from C:\Data\Accounts propagate DOWNwards, it
> changes nothing.
>
> If however I allow inherited rights from above, everything works. But
> it also means ALL non Accts group users also can see everything in the
> folder.
>
> I asked a few colleagues and we didn't manage to work it out. What's
> the answer anyone please... Or is the answer not to use W2003 in this
> way? Shall I create several shares and assign rights to shares?
>
> The only way I got this to work is if I explicitly set the rights by
> username. But I don't want to do this for obvious reasons.
>
> Thanks in advance.
>
> Saeed
>
>
>
> ì

Have you set up both sharing and security permissions on 'accounts'? If
nothing is inherited then I THINK (correct me if I'm wrong Steven LOL)
then they won't see the accounts share. Inherited rights filtering in
Windows is not the same as the inherited rights filter system on Netware
(if only it was.........). My inclination would be to share at the level
of accounts, sales and marketing - with permissions to suit. Rather than
share at the level of data.
!