Folder permission

Scott

I would like to configure a folder on Windows Standard 2003 server for the
clients to put documents inside the folder. However, they are unable to
remove or delete the documents once put into the folder. Your guidance to
configure the folder is appreciated.

Thanks and regards,

Scott

Ace Fekay [MCT]

"Scott" wrote in message
news:OuFr2dtOKHA.1860@TK2MSFTNGP05.phx.gbl...
>I would like to configure a folder on Windows Standard 2003 server for the
>clients to put documents inside the folder. However, they are unable to
>remove or delete the documents once put into the folder. Your guidance to
>configure the folder is appreciated.
>
> Thanks and regards,
>
> Scott
>
I hope the guideline below will help understanding folder permissions and
access.

==================================================================
Share Permissions and NTFS Permissions Folder Access Control & Folder
Permissions

The easiest way to do it is with groups.

Keep in mind for the following, that Share permissions allow the initial
connection. Then the NTFS permissions are combined with the Share
permissions to provide the Most Restrictive. This means that if a user has
Full Control on the Share permissions, and Read on the NTFS permissions, the
Effective (resulting) permission is that the user will only have Read.

That's why we can set higher Share permissions at the parent for the initial
access, then control the resulting or Effective permissions with NTFS. No
passwords are needed other than the user being successfully logged on to the
domain.

When a user is logged on successfully to a domain, an access token is given
the user account. The access token is compared to the ACL (Access Control
List) in the Share and NTFS (security tab) permissions to determine access.
That's why no passwords are required, and is much easier than trying to deal
with multiple passwords. The system simply uses the AD user account for
access enumeration.

Let's say you have the following structure.

Office Data
Accounting Folder
Marketing Folder
Sales Folder
Operations

Your users are as follows. They require access to their respective folders
but to no others.
Joe and Sally are accountants.
Bob and Sue are Marketing reps.
Tom and Jerry are in sales.
Wyle E and the Road Runner are in operations.

You create the following groups and add the appropriate users into those
groups.
Accounting Group
Marketing Group
Sales Group
Operations Group

Then you share the Office Data folder, but not the others below it. You set
the Share permissions and NTFS (security tab) permissions as follows:

Office Data Folder:
Sharename = Office Data
Share Permissions on the Office Data Share:
Domain Admins = FC
Authenticated Users = Change

The following are the NTFS (security tab) Permissions you will set. This is
assuming the respective users will require read/write access to their
respective folders. If they only need Read, then alter the Modify
permissions in the suggested instructions below to Read, Read + Execute.

It is important that inheritance is disabled, as stated below in each
folder, so that you can remove the default Everyone or Domain users, if they
exist. Otherwise, that will thwart security control.

Office Data Folder
Click Advanced, uncheck Inherited, click on Copy when the message pops
up
Remove Everyone and Domain users. Leave everything else. Add the
following:
Domain Admins = FC
Authenticated Users = Modify

Accounting Folder:
Click Advanced, uncheck Inherited, click on Copy when the message
pops up
Remove Everyone and Domain users. Leave everything else. Add the
following:
Domain Admins = FC
Accounting Group = Modify (not full control)

Marketing Folder:
Click Advanced, uncheck Inherited, click on Copy when the message
pops up
Remove Everyone and Domain users. Leave everything else. Add the
following:
Domain Admins = FC
Marketing Group = Modify (not full control)

Sales Folder:
Click Advanced, uncheck Inherited, click on Copy when the message
pops up
Remove Everyone and Domain users. Leave everything else. Add the
following:
Domain Admins = FC
Sales Group = Modify (not full control)

Operations:
Click Advanced, uncheck Inherited, click on Copy when the message
pops up
Remove Everyone and Domain users. Leave everything else. Add the
following:
Domain Admins = FC
Operations Group = Modify (not full control)

With the permissions set as suggested, Bob in Marketing cannot access any
other folder other than Marketing, and Jerry in Sales cannot access anything
else other than Sales. They can see the other folders, but they simply can't
get into them.

If just Bob in Marketing needs Read Only access to the Sales folder, simply
create an additional group, and call it "Marketing Group Access to Sales
Folder," and place Bob in that group. Then in the NTFS (security tab)
permissions, add the "Marketing Group Access to Sales Folder" group to the
Sales Folder group, and set the permissions to Read and Read + Execute. This
way Bob has read only permissions to see the files in that folder.
==================================================================

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

DaveMills

On Tue, 22 Sep 2009 00:20:41 +0800, "Scott" wrote:

>I would like to configure a folder on Windows Standard 2003 server for the
>clients to put documents inside the folder. However, they are unable to
>remove or delete the documents once put into the folder. Your guidance to
>configure the folder is appreciated.
>
>Thanks and regards,
>
>Scott

If they have RW permissions they cannot delete. However if they create the object
they will be the "owner" and owners can always change the permissions. You have
a tough problem.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.

Scott

Ace,

Thanks for your detailed explanation. I now understand these two tabs and am
trying to set up my requirements. However, I found in the Security tab there
are 7 options. Is there any detailed explanation of each authority? For
example, Read & Execute, does it allow the users to open an Access database
file or Lotus Notes database file that requires write authority? However, it
does not allow any file to be put in and any file inside the folder to be
modified.

Thanks,

Scott

"Ace Fekay [MCT]" wrote in message
news:uGDFgjtOKHA.5108@TK2MSFTNGP02.phx.gbl...
> "Scott" wrote in message
> news:OuFr2dtOKHA.1860@TK2MSFTNGP05.phx.gbl...
>>I would like to configure a folder on Windows Standard 2003 server for the
>>clients to put documents inside the folder. However, they are unable to
>>remove or delete the documents once put into the folder. Your guidance to
>>configure the folder is appreciated.
>>
>> Thanks and regards,
>>
>> Scott
>>

>
>
> I hope the guideline below will help understanding folder permissions and
> access.
>
> ==================================================================
> Share Permissions and NTFS Permissions Folder Access Control & Folder
> Permissions
>
> The easiest way to do it is with groups.
>
> Keep in mind for the following, that Share permissions allow the initial
> connection. Then the NTFS permissions are combined with the Share
> permissions to provide the Most Restrictive. This means that if a user has
> Full Control on the Share permissions, and Read on the NTFS permissions,
> the Effective (resulting) permission is that the user will only have Read.
>
> That's why we can set higher Share permissions at the parent for the
> initial access, then control the resulting or Effective permissions with
> NTFS. No passwords are needed other than the user being successfully
> logged on to the domain.
>
> When a user is logged on successfully to a domain, an access token is
> given the user account. The access token is compared to the ACL (Access
> Control List) in the Share and NTFS (security tab) permissions to
> determine access. That's why no passwords are required, and is much easier
> than trying to deal with multiple passwords. The system simply uses the AD
> user account for access enumeration.
>
> Let's say you have the following structure.
>
> Office Data
> Accounting Folder
> Marketing Folder
> Sales Folder
> Operations
>
> Your users are as follows. They require access to their respective folders
> but to no others.
> Joe and Sally are accountants.
> Bob and Sue are Marketing reps.
> Tom and Jerry are in sales.
> Wyle E and the Road Runner are in operations.
>
> You create the following groups and add the appropriate users into those
> groups.
> Accounting Group
> Marketing Group
> Sales Group
> Operations Group
>
> Then you share the Office Data folder, but not the others below it. You
> set the Share permissions and NTFS (security tab) permissions as follows:
>
> Office Data Folder:
> Sharename = Office Data
> Share Permissions on the Office Data Share:
> Domain Admins = FC
> Authenticated Users = Change
>
> The following are the NTFS (security tab) Permissions you will set. This
> is assuming the respective users will require read/write access to their
> respective folders. If they only need Read, then alter the Modify
> permissions in the suggested instructions below to Read, Read + Execute.
>
> It is important that inheritance is disabled, as stated below in each
> folder, so that you can remove the default Everyone or Domain users, if
> they exist. Otherwise, that will thwart security control.
>
> Office Data Folder
> Click Advanced, uncheck Inherited, click on Copy when the message
> pops up
> Remove Everyone and Domain users. Leave everything else. Add the
> following:
> Domain Admins = FC
> Authenticated Users = Modify
>
> Accounting Folder:
> Click Advanced, uncheck Inherited, click on Copy when the message
> pops up
> Remove Everyone and Domain users. Leave everything else. Add the
> following:
> Domain Admins = FC
> Accounting Group = Modify (not full control)
>
> Marketing Folder:
> Click Advanced, uncheck Inherited, click on Copy when the message
> pops up
> Remove Everyone and Domain users. Leave everything else. Add the
> following:
> Domain Admins = FC
> Marketing Group = Modify (not full control)
>
> Sales Folder:
> Click Advanced, uncheck Inherited, click on Copy when the message
> pops up
> Remove Everyone and Domain users. Leave everything else. Add the
> following:
> Domain Admins = FC
> Sales Group = Modify (not full control)
>
> Operations:
> Click Advanced, uncheck Inherited, click on Copy when the message
> pops up
> Remove Everyone and Domain users. Leave everything else. Add the
> following:
> Domain Admins = FC
> Operations Group = Modify (not full control)
>
> With the permissions set as suggested, Bob in Marketing cannot access any
> other folder other than Marketing, and Jerry in Sales cannot access
> anything else other than Sales. They can see the other folders, but they
> simply can't get into them.
>
> If just Bob in Marketing needs Read Only access to the Sales folder,
> simply create an additional group, and call it "Marketing Group Access to
> Sales Folder," and place Bob in that group. Then in the NTFS (security
> tab) permissions, add the "Marketing Group Access to Sales Folder" group
> to the Sales Folder group, and set the permissions to Read and Read +
> Execute. This way Bob has read only permissions to see the files in that
> folder.
> ==================================================================
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit
> among responding engineers, and to help others benefit from your
> resolution.
>
> Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
> Microsoft Certified Trainer
>
> For urgent issues, please contact Microsoft PSS directly. Please check
> http://support.microsoft.com for regional support phone numbers.
>

Scott

Dave,

That is to say there is a hole in these options: Read + Write. Is there any
solution to avoid it?

Scott

"DaveMills" wrote in message
news:9tpfb51k9smemfuhd3q0d8gd0280t4osbd@4ax.com...
> On Tue, 22 Sep 2009 00:20:41 +0800, "Scott"
> wrote:
>
>>I would like to configure a folder on Windows Standard 2003 server for the
>>clients to put documents inside the folder. However, they are unable to
>>remove or delete the documents once put into the folder. Your guidance to
>>configure the folder is appreciated.
>>
>>Thanks and regards,
>>
>>Scott

> If they have RW permissions they cannot delete. However if they create the
> object
> they will be the "owner" and owners can always change the permissions. You
> have
> a tough problem.
> --
> Dave Mills
> There are 10 types of people, those that understand binary and those that
> don't.

Ace Fekay [MCT]

"Scott" wrote in message
news:%232yBdmxQKHA.5940@TK2MSFTNGP05.phx.gbl...
> Ace,
>
> Thanks for your detailed explanation. I now understand these two tabs and
> am trying to set up my requirements. However, I found in the Security tab
> there are 7 options. Is there any detailed explanation of each authority?
> For example, Read & Execute, does it allow the users to open an Access
> database file or Lotus Notes database file that requires write authority?
> However, it does not allow any file to be put in and any file inside the
> folder to be modified.
>
> Thanks,
>
> Scott
>


To modify an Access Database, the users will require Modify. No need to give
them FC, or if you do, they will be able to change permissions and take
ownership. Modify will suffice. Read allows the security principal to read
and open the file. If you didn't provide Execute permissions, and there is
an executable in the folder, they won't be able to run it. Read more
below... the second one has a good video tutorial.

How to set, view, change, or remove special permissions for files ... Folder
permissions include Full Control, Modify, Read & Execute, List Folder
Contents, Read, and Write. Each of these permissions consists of a logical
....
http://support.microsoft.com/kb/308419

"Read" vs "Read & Execute" ... I've just made a video to help explain to a
student the difference between NTFS read folder permission and the Read &
Execute permission. One day ...
http://it.toolbox.com/blogs/teach-it/read-...d-execute-15480

Ace

Ace Fekay [MCT]

"Scott" wrote in message
news:OfnKtnxQKHA.1232@TK2MSFTNGP05.phx.gbl...
> Dave,
>
> That is to say there is a hole in these options: Read + Write. Is there
> any solution to avoid it?
>
> Scott


It's not a hole. It's there by design. If an exe needs to be run, they will
need Execute, otherwise Read will suffice. You can view the specific
permissions set by going into Advanced to see exactly what permissions are
being provided. The ACL (the first list of permissions) is standard
pre-canned permissions. Advanced will show you specifics. You can also set
permissions in Advanced, but you must understand what they mean. If you do
it in Advanced, and hit Ok, the ACL will show "Special Permissions" because
what you set in Advanced does not equal any of the pre-canned permissions
the system provides.

Ace
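Ace's two points in this thread, the share-plus-NTFS "most restrictive" rule from his first reply and the canned-versus-"Special Permissions" labelling from this one, modelled in code. This is an added example, not from anyone in the thread; the bit values are the real Windows access-mask constants, while the ACLs, groups and users are the thread's scenario re-typed as constructed sample data.

```python
# Added example, not from the thread: a model of how Windows resolves access from
# share and NTFS ACLs with the real access-mask bits; ACLs/users are constructed.
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNC = 0x10000, 0x20000, 0x40000, 0x80000, 0x100000
SPECIAL = {  # the "special permissions" checkboxes under Advanced
    "Traverse Folder / Execute File": 0x20, "List Folder / Read Data": 0x1,
    "Read Attributes": 0x80, "Read Extended Attributes": 0x8,
    "Create Files / Write Data": 0x2, "Create Folders / Append Data": 0x4,
    "Write Attributes": 0x100, "Write Extended Attributes": 0x10,
    "Delete Subfolders and Files": 0x40, "Delete": DELETE,
    "Read Permissions": READ_CONTROL, "Change Permissions": WRITE_DAC,
    "Take Ownership": WRITE_OWNER, "Synchronize": SYNC,
}
CANNED = {  # pre-canned entries on the Security tab, as access masks
    "Full Control": 0x1F01FF, "Modify": 0x1301BF, "Read & Execute": 0x1200A9,
    "Read": 0x120089, "Write": 0x120116,
}
SHARE = {"Full Control": 0x1F01FF, "Change": 0x1301BF, "Read": 0x1200A9}

def label(mask):
    """Label the Security tab shows: a canned name, else 'Special Permissions'."""
    return next((n for n, b in CANNED.items() if mask == b), "Special Permissions")

def specials(mask):
    """Expand a mask into the Advanced-tab checkboxes it ticks."""
    return [n for n, b in SPECIAL.items() if mask & b]

def ntfs_effective(acl, groups, is_owner=False):
    """ACEs in canonical order (explicit denies first); each bit is settled by the
    first ACE naming one of the user's groups. Owners hold Read/Change Permissions implicitly."""
    allowed = denied = 0
    for kind, principal, mask in acl:
        if principal in groups:
            if kind == "allow":
                allowed |= mask & ~denied
            else:
                denied |= mask & ~allowed
    return allowed | ((READ_CONTROL | WRITE_DAC) if is_owner else 0)

def effective(share_perm, acl, groups, is_owner=False):
    """Share permission AND NTFS permission: the most restrictive wins."""
    return SHARE[share_perm] & ntfs_effective(acl, groups, is_owner)
# Ace's Office Data share (Authenticated Users = Change) and his Sales folder ACL.
SALES_ACL = [("allow", "Domain Admins", CANNED["Full Control"]),
             ("allow", "Sales Group", CANNED["Modify"]),
             ("allow", "Marketing Group Access to Sales Folder", CANNED["Read & Execute"])]
JERRY = {"Authenticated Users", "Sales Group"}
BOB = {"Authenticated Users", "Marketing Group", "Marketing Group Access to Sales Folder"}
# Scott's drop folder: Write lets users create files but carries no Delete bit.
DROP_ACL = [("allow", "Authenticated Users", CANNED["Write"])]
```

An explicit deny of just the Delete bit on top of Modify leaves a mask that matches no canned entry, which is exactly when the Security tab shows "Special Permissions".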