Windows Server 2012 Shared Folder permissions issues !!

Discussion in 'Windows Server Forums' started by openmind, Jul 5, 2015.

  1. openmind

    openmind Active Member

    Joined:
    Dec 1, 2013
    Messages:
    23
    Likes Received:
    0
    Dear All,

    We are using Windows Server 2012R2 for sharing folders on the network.

    Our requirement is :
    1. Around 8 Shared folders
    2. Depends on folder we need to give Modify permission for small group, Read+Write for another group and R+W permissions including Modify permission on some subfolder for small group.
    3. Before I used to do settings from Folder->properties->share - allowing people to Read/Write and then go to security tab, there I edit permissions accordingly.

    But don't know where I am doing wrong, may be confused with Share permissions and NTFS permissions. And having issues now that user is able change permissions on some files/folder by going to Properties !

    Was thinking to remove sharing and do it again from scratch to avoid confusion and conflict.

    Please guide me to fulfill #2 (above point ) requirements.


    Looking forward for your suggestions !
     
  2. Trouble

    Trouble Noob Whisperer

    Joined:
    Nov 30, 2009
    Messages:
    13,845
    Likes Received:
    833
    Sounds like you're doing most things correctly.
    Generally under the "Sharing Tab" you would grant full permissions to the "Everyone" group.
    Then set your granular permissions using the "Security Tab" as to how you want to manage access to a particular group member. This will help avoid overall access conflicts.
    NTFS volumes require the configuration of both "Permissions" (sharing tab) and "NTFS Permissions" (security tab) and when both are configured the most restrictive is applied.
    Two things to watch out for. Nested shares... you may have to disable (break) inheritance from the parent container to configure your settings exactly the way you want.
    AND
    Nested "Group" membership. Make sure your users are configured so that there respective access is, as you desire. This usually only comes into play when a particular user is not allowed the access you desire and he or she is a member of multiple groups, one of which is more restrictive.
     
  3. ussnorway

    ussnorway Windows Forum Team
    Staff Member Premium Supporter

    Joined:
    May 22, 2012
    Messages:
    2,532
    Likes Received:
    314
    First of all congratulations on choosing a modern server, now is this real life server which has to stay working while you fiddle with it or is it just (as I'm assuming for now) a training exercise:

    1. 8 shares are fine but how many people use this system?

    There are two basic scenarios; one is 'by user' and works fine on laptops/ workstations where only a few people have to have access and the other is 'by computer/ group' and is better when there are more than 10 users or those users can change permissions eg Fred just joined the company and spends his first 3 years as a joiner, then he gets promoted to Forman for 2 years but also steps in for the boss for two weeks last month while the boss had time off to visit her mum in Canada… so Fred has files going back years and has been in several different jobs during that time (some of which he no longer is allowed to access even tho he may have made them) thus' a user share setup would be a disaster to manage in this scenario.

    Note that the default system assumes a server domain i.e. people using the share are in fact members of the server and have usernames stored within the server… if the server is a workgroup but not a domain or the computers themselves have permissions but the people using them might not be employees (a visitor information system for example) then you may need to adjust for the security issue this option creates.

    2. If you give Modify permission for a small group, then they automatically get Read+Write permissions on any subfolder for that groups share because all permissions assume any lower permissions and this opens a new option when using server12r2 but we'll come back to that later if needed.
    2a. Does this subfolder need to be permanent i.e the group user can use it but can't delete the folder itself or remove files from it that other people in the same group have made?
    2b. Does this subfolder need to be hidden from people/ groups that have permission to use the main folder but not the subfolder? (called access-based sharing)

    3. You can always use the wizard if doing it manually is getting you muddled up…

    Screenshot (5).
    … as a simplistic guide Share permissions = the folder being shared and NTFS permissions is whom can do what to whatever files are in that shared folder so in the screenshot below Share permissions allow people to see/ open the folder (called fish) and NTFS permissions set whom can access the files (called chip1-3) but the subfolder (because it is a folder) can have special conditions like the access-based scenario I mentioned in 2b or just be treated like any of the other files within the share (called fish). Note that if you make the shares and subfolder manually but don't set any special conditions then this is the default action.

    Screenshot (6).

    The main pitfall that catches people out while learning is that Microsoft servers differentiate between a local or network share and a domain share so if you make a share whilst logged in as the local admin THEN upgrade the server to a domain it can confuse the issue… this is more of a problem with older Windows (3 & 8) servers but I still recommend making any shares AFTER deciding the type of server you want and installing at least your active directly domain rolls first.

    Server12r2 also opens up the enhanced session connection option and that is a more advanced type of access-based sharing designed for remote/ virtual access scenarios but I've already made a wall of text so will stop here… sorry for the extended rant guys!:rolleyes:
     
  4. openmind

    openmind Active Member

    Joined:
    Dec 1, 2013
    Messages:
    23
    Likes Received:
    0
    Very thanks to you all.

    Having Windows Server 2012R2 and installed Active Directory but network is not in Domain but in WORKGROUP (why it's like that is different story, and working to bring it to domain). Created all users(around 80) in Active Directory and Groups according to requirement ( Grp1 - Modify permission, Grp2- R+W permission and Grp3 - R+W permission and modify permissions on some subfolder ). And saving the each users username and password for AD in their Credentials (because of Workgroup). No issue for accessing. Only issue as I mentioned, some/few users were able to change permissions on few (random) files/folders.

    For clarity on this I will post the screenshots of "Projects" folder sharing permissions. Please guide accordingly:
    Projects -1.PNG Projects-2.PNG Projects-3.PNG Projects-4.PNG Projects-5.PNG Projects-6. Projects-7.
     
  5. ussnorway

    ussnorway Windows Forum Team
    Staff Member Premium Supporter

    Joined:
    May 22, 2012
    Messages:
    2,532
    Likes Received:
    314
    • So this folder is one of the ones that is having (random) people able to change permissions?
    • Is there a set thing you can do to recreate their way of buggering the subfolder settings... details?
    To be clear, these people are not the 'owner' of the files in question and/ or administrators on the 12r2 server and they don't have a hyper-v Windows 8.1 system that they log onto the network with?
     
  6. openmind

    openmind Active Member

    Joined:
    Dec 1, 2013
    Messages:
    23
    Likes Received:
    0
    Yes.
    Ahh, didn't get you :(

    I am talking about only normal user (who have just access to folders which I provide) ,but not the Owner or administrator.
     
  7. ussnorway

    ussnorway Windows Forum Team
    Staff Member Premium Supporter

    Joined:
    May 22, 2012
    Messages:
    2,532
    Likes Received:
    314
    I can't really work it out from images because I would normally see what the user is doing before I can advise on a fix... sorry.

    fyi?
    [​IMG]
    This image shows your full permissions group but the setting is only on modify... is it possible one person is in the wrong group or (more likely) in two groups?

    If it was me, I would remove the two admins because they are not needed... set ownership to the full control group... or rebuilt the system from the ground up but I would need to make sure these new shares are tested before copying the files into them i.e don't deleate the old shares/ files during this setting up time.
     
  8. Trouble

    Trouble Noob Whisperer

    Joined:
    Nov 30, 2009
    Messages:
    13,845
    Likes Received:
    833
    That may chuck a lot of the more handy techniques under the bus and you may find your self setting explicit permissions (allow or deny) per individual user, per container (share).
    Something to keep in mind while you're trying to get this stuff to work. The user's access token is produced at logon so make sure when you change something with respect to access rights, you log-off and log-on that specific user.
     
    ussnorway likes this.

Share This Page

Loading...