Share permisisons in Server 08

I have shared folder permissions in server 2003 for users to not delete
files, however when I attempt to set this up in server 08 I am not successful.

Can someone please tell me step by step how I get to set this up and how?
Also is there an option someplace that would disable the ability to attach
these shared files to email and send them? I have disabled the Send to right
click option but that does not disable the ability to attache via outlook or
send to within word or excel.

Thanks,

 

Hello Kim,

Please describe the settings you are using on 2003, share permissions and
NTFS permissions, and the same for 2008. Also what errors you get when trying
to configure.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I have shared folder permissions in server 2003 for users to not
> delete files, however when I attempt to set this up in server 08 I am
> not successful.
>
> Can someone please tell me step by step how I get to set this up and
> how? Also is there an option someplace that would disable the ability
> to attach these shared files to email and send them? I have disabled
> the Send to right click option but that does not disable the ability
> to attache via outlook or send to within word or excel.
>
> Thanks,
>

 

"Kim K" <KimK@discussions.microsoft.com> wrote in message
news:A183ABBF-09B8-4914-A230-B41D01CC07EA@microsoft.com...
>I have shared folder permissions in server 2003 for users to not delete
> files, however when I attempt to set this up in server 08 I am not
> successful.
>
> Can someone please tell me step by step how I get to set this up and how?
> Also is there an option someplace that would disable the ability to attach
> these shared files to email and send them? I have disabled the Send to
> right
> click option but that does not disable the ability to attache via outlook
> or
> send to within word or excel.
>
> Thanks,
>
>

In 2008, when you right-click on a folder to share it, do not select Share,
rather select Properties, then go into the Share tab, and choose Advanced.
This mimics 2003's way of doing it. Set permissions appropriately. Keep in
mind, the Share permissions and NTFS Security tab permissions are combined
to give the most restrictive. So usually we just share it with

Auth Users = Change
Domain Admins = FC

Then under the Security tab, you would lock it down specifically. The
overall results with this method becomes whatever you set in the Security
tab.

If the described method is not working for you, or whatever method you are
using, as Meinolf asked, what errors are you seeing?

As for attachments, as long as users have access to a file, they can attach
it. Maybe a 3rd party SMTP gateway to control/restrict attachment types may
be what you are looking for.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

 

Hi Ace,

IN 2003 I do the following:

I right click the folder and select share folder with Everyone having Full
control
Under the security tab - I add and give the folowing control, Administrators
- FC, Domain Admins, FC Add user and click advanced for special permissions
and allow the user read, write Deny Delete and Delete Sub folders and Files.

In 2008 I tried to follow along the same lines and can access the server so
I will tell you exact steps:

Right Click folder and selct Properties
Select Advanced Sharing - Share tab
Click the Share this folder box, click the permissions button and select
full control for everyone, apply and ok
Under security tab select Edit and add Domain admins as FC, and user as
everything but FC
Select Advanced and Edit, then add user and select everything but full
control and delete subfolders and Delete, select ok
Add user again and select Delete and delete Sub Folders and files and say ok
Apply ad say yes to message, ok, ok close

Should work right?

I think perhaps it wa snot working because I had used the step of sharing as
you said to skip straight off in your post and go to properties. I think
maybe one overrode the other in permissions.

PLease let me know if my steps are correct.

Also thanks fo rthe heads up with the 3rd party SMTP thing, I will look into
that as well.



"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "Kim K" <KimK@discussions.microsoft.com> wrote in message
> news:A183ABBF-09B8-4914-A230-B41D01CC07EA@microsoft.com...
> >I have shared folder permissions in server 2003 for users to not delete
> > files, however when I attempt to set this up in server 08 I am not
> > successful.
> >
> > Can someone please tell me step by step how I get to set this up and how?
> > Also is there an option someplace that would disable the ability to attach
> > these shared files to email and send them? I have disabled the Send to
> > right
> > click option but that does not disable the ability to attache via outlook
> > or
> > send to within word or excel.
> >
> > Thanks,
> >
> >
>
> In 2008, when you right-click on a folder to share it, do not select Share,
> rather select Properties, then go into the Share tab, and choose Advanced.
> This mimics 2003's way of doing it. Set permissions appropriately. Keep in
> mind, the Share permissions and NTFS Security tab permissions are combined
> to give the most restrictive. So usually we just share it with
>
> Auth Users = Change
> Domain Admins = FC
>
> Then under the Security tab, you would lock it down specifically. The
> overall results with this method becomes whatever you set in the Security
> tab.
>
> If the described method is not working for you, or whatever method you are
> using, as Meinolf asked, what errors are you seeing?
>
> As for attachments, as long as users have access to a file, they can attach
> it. Maybe a 3rd party SMTP gateway to control/restrict attachment types may
> be what you are looking for.
>
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
> Microsoft Certified Trainer
> aceman@mvps.RemoveThisPart.org
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
>

 

"Kim K" <KimK@discussions.microsoft.com> wrote in message
news:A2A087C6-B593-4678-AC8C-CC97BCE04204@microsoft.com...
> Hi Ace,
>
> IN 2003 I do the following:
>
> I right click the folder and select share folder with Everyone having Full
> control
> Under the security tab - I add and give the folowing control,
> Administrators
> - FC, Domain Admins, FC Add user and click advanced for special
> permissions
> and allow the user read, write Deny Delete and Delete Sub folders and
> Files.
>
> In 2008 I tried to follow along the same lines and can access the server
> so
> I will tell you exact steps:
>
> Right Click folder and selct Properties
> Select Advanced Sharing - Share tab
> Click the Share this folder box, click the permissions button and select
> full control for everyone, apply and ok
> Under security tab select Edit and add Domain admins as FC, and user as
> everything but FC

You added the user above.

> Select Advanced and Edit, then add user and select everything but full
> control and delete subfolders and Delete, select ok
> Add user again and select Delete and delete Sub Folders and files and say
> ok
> Apply ad say yes to message, ok, ok close

So the user is in the ACL multiple times? Keep in mind that if a user is in
the ACL more than once, and there is no specific DENIAL on any specific
permissions, then the user gets the Least Restrictive permissions, meaning
they all add up.

>
> Should work right?

Not sure, is that what you want, the Least Restrictive?

>
> I think perhaps it wa snot working because I had used the step of sharing
> as
> you said to skip straight off in your post and go to properties. I think
> maybe one overrode the other in permissions.
>
> PLease let me know if my steps are correct.

The way the system enumerates the overall resultant permissions is:
It checks Share permissions. It figures out the resultant effective Share
permissions. If the account is in the ACL more than once (by name and a
group it is in), it gives it the Least Restrictive

Then it checks the Security tab. Same thing applies, it enumerates the Least
Restricticve for the account.

Then it COMBINES both the Share and Security permissions, but combinging
them, it will enumerates the Most Restrictive. So if the user has FC in the
share, but only has Read in the Security tab (combined with all groups it
belongs to including Domain Users, Everyone etc), the user will only have
Read.


> Also thanks fo rthe heads up with the 3rd party SMTP thing, I will look
> into
> that as well.

No problem. There are many out there, and features depend on price.


I hope that helps!

Ace

 

My ultimate goal is to disallow any deletion of files or folders.

"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "Kim K" <KimK@discussions.microsoft.com> wrote in message
> news:A2A087C6-B593-4678-AC8C-CC97BCE04204@microsoft.com...
> > Hi Ace,
> >
> > IN 2003 I do the following:
> >
> > I right click the folder and select share folder with Everyone having Full
> > control
> > Under the security tab - I add and give the folowing control,
> > Administrators
> > - FC, Domain Admins, FC Add user and click advanced for special
> > permissions
> > and allow the user read, write Deny Delete and Delete Sub folders and
> > Files.
> >
> > In 2008 I tried to follow along the same lines and can access the server
> > so
> > I will tell you exact steps:
> >
> > Right Click folder and selct Properties
> > Select Advanced Sharing - Share tab
> > Click the Share this folder box, click the permissions button and select
> > full control for everyone, apply and ok
> > Under security tab select Edit and add Domain admins as FC, and user as
> > everything but FC
>
> You added the user above.
>
> > Select Advanced and Edit, then add user and select everything but full
> > control and delete subfolders and Delete, select ok
> > Add user again and select Delete and delete Sub Folders and files and say
> > ok
> > Apply ad say yes to message, ok, ok close
>
> So the user is in the ACL multiple times? Keep in mind that if a user is in
> the ACL more than once, and there is no specific DENIAL on any specific
> permissions, then the user gets the Least Restrictive permissions, meaning
> they all add up.
>
> >
> > Should work right?
>
> Not sure, is that what you want, the Least Restrictive?
>
> >
> > I think perhaps it wa snot working because I had used the step of sharing
> > as
> > you said to skip straight off in your post and go to properties. I think
> > maybe one overrode the other in permissions.
> >
> > PLease let me know if my steps are correct.
>
> The way the system enumerates the overall resultant permissions is:
> It checks Share permissions. It figures out the resultant effective Share
> permissions. If the account is in the ACL more than once (by name and a
> group it is in), it gives it the Least Restrictive
>
> Then it checks the Security tab. Same thing applies, it enumerates the Least
> Restricticve for the account.
>
> Then it COMBINES both the Share and Security permissions, but combinging
> them, it will enumerates the Most Restrictive. So if the user has FC in the
> share, but only has Read in the Security tab (combined with all groups it
> belongs to including Domain Users, Everyone etc), the user will only have
> Read.
>
>
> > Also thanks fo rthe heads up with the 3rd party SMTP thing, I will look
> > into
> > that as well.
>
> No problem. There are many out there, and features depend on price.
>
>
> I hope that helps!
>
> Ace
>
>

 

"Kim K" <KimK@discussions.microsoft.com> wrote in message
news:5A4CB08E-D4C4-43E2-90FB-C22F799EF8AA@microsoft.com...
> My ultimate goal is to disallow any deletion of files or folders.

If that is the case, under the Sec tab, add Domain Admins and System = FC,
but do not add the user acount in there. Instead, click on Advanced, then
add the user in this screen and specify the permissions you want to add.
After clicking ok a couple of times, the user account's permission will show
up with the radio button "Special Permissions" checked.

Ace