Folder permission

"Scott" <NoSpam-> wrote in message
news:…
>I would like to configure a folder on Windows Standard 2003 server for the
>clients to put documents inside the folder. However, they are unable to
>remove or delete the documents once put into the folder. Your guidance to
>configure the folder is appreciated.
>
> Thanks and regards,
>
> Scott
>

I hope the guideline below will help understanding folder permissions and
access.

==================================================================
Share Permissions and NTFS Permissions Folder Access Control & Folder
Permissions

The easiest way to do it is with groups.

Keep in mind for the following, that Share permissions allow the initial
connection. Then the NTFS permissions are combined with the Share
permissions to provide the Most Restrictive. This means that if a user has
Full Control on the Share permissions, and Read on the NTFS permissions, the
Effective (resulting) permissions are that the user will only have Read.

That’s why we can set higher Share permissions at the parent for the initial
access, then control the resulting or Effective permissions with NTFS. No
passwords are needed other than the user being successfully logged on to the
domain.

When a user is logged on successfully to a domain, an access token is given
to the user account. The access token is compared to the ACL (Access Control
List) in the Share and NTFS (security tab) permissions to determine access.
That’s why no passwords are required, and is much easier than trying to deal
with multiple passwords. The system simply uses the AD user account for
access enumeration.

Let’s say you have the following structure.

Office Data
    Accounting Folder
    Marketing Folder
    Sales Folder
    Operations

Your users are as follows. They require access to their respective folders
but to no others.
Joe and Sally are accountants.
Bob and Sue are Marketing reps.
Tom and Jerry are in sales.
Wyle E and the Road Runner are in operations.

You create the following groups and add the appropriate users into those
groups.
Accounting Group
Marketing Group
Sales Group
Operations Group

Then you share the Office Data folder, but not the others below it. You set
the Share permissions and NTFS (security tab) permissions as follows:

Office Data Folder:
Sharename = Office Data
Share Permissions on the Office Data Share:
Domain Admins = FC
Authenticated Users = Change

The following are the NTFS (security tab) Permissions you will set. This is
assuming the respective users will require read/write access to their
respective folders. If they only need Read, then alter the Modify
permissions in the suggested instructions below to Read, Read + Execute.

It is important that inheritance is disabled, as stated below in each
folder, so that you can remove the default Everyone or Domain users, if they
exist. Otherwise, that will thwart security control.

Office Data Folder
Click Advanced, uncheck Inherited, click on Copy when the message pops
up
Remove Everyone and Domain users. Leave everything else. Add the
following:
Domain Admins = FC
Authenticated Users = Modify

Accounting Folder:
Click Advanced, uncheck Inherited, click on Copy when the message
pops up
Remove Everyone and Domain users. Leave everything else. Add the
following:
Domain Admins = FC
Accounting Group = Modify (not full control)

Marketing Folder:
Click Advanced, uncheck Inherited, click on Copy when the message
pops up
Remove Everyone and Domain users. Leave everything else. Add the
following:
Domain Admins = FC
Marketing Group = Modify (not full control)

Sales Folder:
Click Advanced, uncheck Inherited, click on Copy when the message
pops up
Remove Everyone and Domain users. Leave everything else. Add the
following:
Domain Admins = FC
Sales Group = Modify (not full control)

Operations:
Click Advanced, uncheck Inherited, click on Copy when the message
pops up
Remove Everyone and Domain users. Leave everything else. Add the
following:
Domain Admins = FC
Operations Group = Modify (not full control)

With the permissions set as suggested, Bob in Marketing cannot access any
other folder other than Marketing, and Jerry in Sales cannot access anything
else other than Sales. They can see the other folders, but they simply can’t
get into them.

If just Bob in Marketing needs Read Only access to the Sales folder, simply
create an additional group, and call it "Marketing Group Access to Sales
Folder," and place Bob in that group. Then in the NTFS (security tab)
permissions, add the "Marketing Group Access to Sales Folder" group to the
Sales Folder group, and set the permissions to Read and Read + Execute. This
way Bob has read only permissions to see the files in that folder.
==================================================================


Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
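
The layout from the reply above, scripted with icacls and followed by an audit of what is left on each department folder (an added example, not part of the original posting). Assumptions not taken from the post: the data path `D:\Office Data`, the NetBIOS domain name `CONTOSO`, groups that already exist in AD, an elevated session on a server new enough to have `New-SmbShare`, and the Authenticated Users grant on the parent applied to that folder only.

```powershell
# Added example. Assumed values: path, domain name, pre-existing AD groups.
$root   = 'D:\Office Data'
$domain = 'CONTOSO'
$admins = "$domain\Domain Admins"
$folders = [ordered]@{
    'Accounting Folder' = 'Accounting Group'
    'Marketing Folder'  = 'Marketing Group'
    'Sales Folder'      = 'Sales Group'
    'Operations'        = 'Operations Group'
}

function Set-FolderAcl {
    param([string]$Path, [string[]]$Grant)
    # "Uncheck Inherited, click Copy": inherited ACEs become explicit ACEs.
    icacls $Path /inheritance:d | Out-Null
    # Remove Everyone (S-1-1-0) and Domain Users; everything else is left alone.
    icacls $Path /remove:g '*S-1-1-0' "$domain\Domain Users" | Out-Null
    icacls $Path /grant $Grant | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}

# Share permissions: Domain Admins = FC, Authenticated Users = Change.
New-Item -ItemType Directory -Path $root -Force | Out-Null
New-SmbShare -Name 'Office Data' -Path $root -FullAccess $admins `
    -ChangeAccess 'NT AUTHORITY\Authenticated Users' | Out-Null

# Parent folder: Authenticated Users (S-1-5-11) = Modify on this folder only
# (assumption), so the later "Copy" on child folders does not carry it down.
Set-FolderAcl -Path $root -Grant "${admins}:(OI)(CI)F", '*S-1-5-11:M'

# Department folders: Domain Admins = FC, owning group = Modify (not FC).
foreach ($name in $folders.Keys) {
    $path = Join-Path $root $name
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    Set-FolderAcl -Path $path -Grant "${admins}:(OI)(CI)F",
        "$domain\$($folders[$name]):(OI)(CI)M"
}

# Bob's read-only access to Sales through the extra group named in the post.
icacls (Join-Path $root 'Sales Folder') /grant `
    "$domain\Marketing Group Access to Sales Folder:(OI)(CI)RX" | Out-Null

# Audit: list broad principals that still hold an ACE on a department folder.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
         "$domain\Domain Users"
foreach ($name in $folders.Keys) {
    (Get-Acl (Join-Path $root $name)).Access |
        Where-Object { $broad -contains $_.IdentityReference.Value } |
        Select-Object @{n='Folder';e={$name}}, IdentityReference, FileSystemRights
}
```

Any row printed by the audit is an entry that was copied from the parent when inheritance was disabled and was not among the two principals removed; review it before relying on the folder being restricted to its group.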
