Question : Shares and Subfolder Permissions
This will be a no-brainer for most of you, but I've worked on it too long and am completely confused now. I think I could get it if I had more time, but the deadline is closing in.
I need our domain users to access subfolders in shares on a Windows 2003 file server; however, I need to limit which users access which subfolders.
Say Share1 has Subfolder1, Subfolder2, Subfolder3, and so on. Only user1 should have access to all the subfolders, user2 should only have access to Subfolder2, and user3 access to Subfolders 1 & 3.
If I have to give them all read, change access in the share, how do I limit the subfolder access? When I put read/change on the share then each user has that access to each subfolder no matter how I set the folder permissions. I've been experimenting but nothing works so far.
Thanks
Answer : Shares and Subfolder Permissions
Do yourself a favor: Always give the Everyone group full *share* permissions (Properties--Share--Permissions). Then use NTFS rights to secure the folder itself and/or the subfolders in there.

As for handling those NTFS rights: Don't ever give access to a folder on a "per user" basis. That will eventually turn into your administrative nightmare. Follow the golden AGLP rule (except for home directories): *A*ccounts go into *G*lobal groups, global groups go into *L*ocal groups, *P*ermissions are applied to local groups.

For each folder that you want to apply permissions to, (on the machine which hosts the folder) create a (domain) local group with a proper naming scheme (for example LNTFSFolderName-F: members of this group will have *F*ull access to the folder FolderName; LNTFSFolderName-R: members will have *R*ead access to this folder). If you don't already have matching global groups with the users in them, create new ones (for example GNTFSFolderName-F; but you might just use an existing group for a department share). Make the global groups members of the corresponding local groups. From then on, access to folders can be granted/revoked by simply adding/removing users from global groups, without having to edit ACLs.

If you have a W2k domain (or higher) running in native mode, you can/should use domain local groups instead of "real" local groups.
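
The AGLP layout from the answer, applied to the question's three subfolders, as an added example that is not part of the original answer. The domain name `EXAMPLE`, the path `D:\Share1` and the `-C` (Change) group suffix are assumptions; it is meant to be run on the file server by a domain administrator, with the Share1 root ACL left as it is so users can still list the folder.

```powershell
# Added example: domain, path and the "-C" suffix are assumptions, not from the post.
$domain = 'EXAMPLE'        # placeholder NetBIOS domain name
$root   = 'D:\Share1'      # assumed local path behind the share Share1

# Who may use which subfolder, taken from the scenario in the question.
$access = @{
    'Subfolder1' = @('user1', 'user3')
    'Subfolder2' = @('user1', 'user2')
    'Subfolder3' = @('user1', 'user3')
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($folder in $access.Keys) {
    $gGroup = "GNTFS${folder}-C"   # global group: holds the accounts (A -> G)
    $lGroup = "LNTFS${folder}-C"   # domain local group: holds the permission (L -> P)

    net group      $gGroup /add /domain                   # create global group
    net localgroup $lGroup /add /domain                   # create domain local group
    net group      $gGroup $access[$folder] /add /domain  # accounts into global
    net localgroup $lGroup $gGroup /add /domain           # global into local

    $path = Join-Path $root $folder
    $acl  = Get-Acl $path

    # Drop explicit per-user ACEs left over from earlier experiments.
    $acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }

    # Stop inheriting from Share1 and discard the inherited ACEs.
    $acl.SetAccessRuleProtection($true, $false)

    # Keep administrative and system access, then grant the local group Modify.
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', $inherit, $noProp, $allow)))
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$domain\$lGroup", 'Modify', $inherit, $noProp, $allow)))

    Set-Acl -Path $path -AclObject $acl
}
```

After this, changing who can reach a subfolder is a membership change on the matching global group; users pick up the new membership at their next logon.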