
Folder Access Permissions

Discussion in 'Windows Home Server' started by Phillip Armitage, Apr 23, 2009.

  1. I'm going to admit that I'm new to setting up a Windows 2003 server as a
    file server, and in particular assigning permissions so that users can
    access one set of folders but not another. I've been working with Novell for
    years and have not been running into the issues I'm seeing with Windows.

    First, this server is part of a domain. On the server, in its G drive, I
    create a folder named Projects. Under that folder I create a series of
    project folders, e.g. 12345, 23456, 34567

    In a Novell world I would create a group named PROJECT_PEOPLE, assign it to
    the Projects folder with rights just to read and list all files and folders
    under the Projects folder. Then for each project sub-folder I would create a
    group with a name identical to the Project sub-folder, e.g. I would create
    group 12345, and assign it to folder 12345 with full control rights to the
    folder and its sub folders.

    The idea is that, users who are working on project 12345 would be added to
    that group, and would therefore have rights to see all files and folders
    under the Projects folder, but would only be able to work in the 12345
    folder.

    I tried doing the same in my Windows AD environment and it didn't work. I
    created AD security groups, added users to them as appropriate, and assigned
    the groups to the folders with the same types of permissions as in my Novell
    system. However, it appears that if user, say, Bob, assigned to both groups
    Project_People and 12345, goes to the 12345 folder, he is unable to do
    anything in said folder but list files. The AD members of the groups don't
    appear to be having their group based permissions accepted.

    To get Bob to be able to work in folder 12345, I have to go into the
    Properties - Security tab for said folder, and specifically assign full
    rights to DOMAIN\BOB. This assumes that permissions assigned at the Projects
    folder level don't interfere.

    Before anyone asks, when I add users to the groups, I'm specifying AD user
    names, not local user names.

    My questions are:
    1) Is the above normal for Windows in an AD file server environment? The
    groups I create are Global Scope:Global, and Group Type: security
    2) If not, should I be using something other than AD security groups for
    controlling access rights? E.g. should I be using a Distribution Group Type
    instead?
    3) Anything else I should look into?

    I look forward to your response.
     
  2. Hello Phillip,

    The behavior you are experiencing is normal. This is because the Project
    folder has Project_People with permissions to read and list all files and
    folders, and if you don't disable inheritance, then all subfolders will
    inherit those permissions, which I am thinking is what is happening here. If
    Bob is assigned to both groups, the Project_People will take precedence
    because of inheritance. You can disable inheritance on the main share or G
    drive from propagating to subfolders/files and see if this fixes the issue.
    To do that, go to folder properties, advanced tab and uncheck the
    inheritance box.

    Normally, this is how I would configure permissions if I were in your
    environment:

    Main folder "Project"
    Share Permission: Authenticated Users (Full) and remove everyone else.
    Security (NTFS) Permission:
        Administrator (Full) (Do this only if you want Administrators to access share)
        System (Full)
        Owner (Full)
        Authenticated Users (Read & Execute, List Folder contents, Read)
        Remove everything else
        Disable inheritance from propagating to subfolders/files

    Sub Folder "12345" etc
    Security (NTFS) Permission:
        Administrator (Full) (Do this only if you want Administrators to access share)
        System (Full)
        Owner (Full)
        SecurityGroup_12345: (Assigned permissions as needed)
        Remove everything else
        Do not disable inheritance from propagating to subfolders/files



    Isaac Oben [MCTIP:EA, MCSE]
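
One way to reproduce the layout listed above on a scratch folder and see which entries on 12345 are inherited and which are explicit. This is an added example, not part of the original post; it assumes English built-in account names, uses BUILTIN\Users as a stand-in for SecurityGroup_12345, and picks Modify as the project group's right.

```powershell
# Added example. Builds a scratch copy of the layout under %TEMP%; the paths
# and the stand-in group are constructed, not the poster's server or AD groups.
$root = Join-Path $env:TEMP 'Projects'
$sub  = Join-Path $root '12345'
# Assumption: BUILTIN\Users stands in for SecurityGroup_12345 so the script
# runs without a domain; substitute the real group on a file server.
$projectGroup = 'BUILTIN\Users'
New-Item -ItemType Directory -Path $sub -Force | Out-Null

function New-Ace([string]$Identity, [string]$Rights) {
    # Allow ACE that applies to this folder, its subfolders and its files.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
}

# Main folder: stop inheriting from the drive and discard the inherited
# entries, then add only the entries from the list in the post.
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @(
        (New-Ace 'BUILTIN\Administrators' 'FullControl'),
        (New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl'),
        (New-Ace 'CREATOR OWNER' 'FullControl'),
        (New-Ace 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute'))) {
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $root -AclObject $acl

# Subfolder: inheritance stays on; the project group gets one explicit entry.
# Modify is an assumed choice for "permissions as needed".
$acl = Get-Acl -Path $sub
$acl.AddAccessRule((New-Ace $projectGroup 'Modify'))
Set-Acl -Path $sub -AclObject $acl

# Report every entry on the subfolder, explicit entries first. Allow entries
# from all of a user's groups are cumulative in the NTFS access check, so the
# table shows the full set of rights a member of both groups can draw on.
(Get-Acl -Path $sub).Access |
    Sort-Object IsInherited |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Running the final report against the real G:\Projects\12345 shows whether the project group's entry is present at all and whether any Deny entry sits alongside it.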
