Re: File/directory permissions

From: Grace (yyy_at_yyy.com)
Date: 06/13/05 

Date: Mon, 13 Jun 2005 15:55:01 -0500

"Oli Restorick [MVP]" <oli@mvps.org> wrote in message
news:u%23yhrZFcFHA.1568@TK2MSFTNGP10.phx.gbl...
> Unless I'm missing something, I don't see that this scenario as being
> complex at all.
>
> When you create the root directory, I'd set the ACL to
> builtin\administrators:F. Don't give any users access (you'll be used to
> this, coming from a Netware background). That way, any newly-created
> projects will have the right permissions by default.
>
> Then, create a group corresponding to each project, and set the ACL to
allow
> members of the group change permissions (C).
>
> If you prefer to do this from the command prompt, the following command
> would do the trick.
>
> cacls g:\projects\client1\94m43 /t /e /g proj94m43:C
>
> From what you've said, the ACL I'd use on the share would be
> builtin\administrators:F, builtin\users:C
>
> Where this scenario would get complex is if you wanted certain groups of
> users to be able to access only, for example, the calculations folders for
> each project they're working on. I haven't yet seen a convincing solution
> to that problem.
>
> Regards
>
> Oli
>
>
>
> "Grace" <yyy@yyy.com> wrote in message
> news:ekglsXEcFHA.3932@TK2MSFTNGP12.phx.gbl...
> > Scenario - Windows 2000 Server SP4, name server1:
> >
> > Created a share on the server called shared$
> >
> > On users' PCs g: is mapped to \\server1\shared$
> >
> > directories on g:
> >
> > projects
> >
> > client1
> > - 94m43
> > admin
> > estimate
> > calculations
> > - 94m44
> > admin
> > estimate
> > calculations
> >
> > client2
> > - 99r33
> > admin
> > junk
> > letters
> >
> > I know that I cannot limit what users will see at the root of g:, like
in
> > Netware environment
> >
> > I need the following file permissions:
> >
> > users need to have g: mapped to the "shared$"
> >
> > Then for example, a global group "Proj94m43" needs to be able to do
> > anything
> > in admin, estimate, calculation directories but it cannot create
> > directories
> > or files directly under 94m43. Also, I don't want this group to be able
> > to
> > open files in other projects, for example 94m44 or client2\99r33, even
for
> > read only. Admins should have access everywhere, of course.
> >
> > Another group, "Proj99r33" will need to work client2\99r33
subdirectories,
> > same way as above. There will be new groups, new project subdirectories
> > established when we get more work.
> >
> > I thought about leaving the share permissions alone (at default) and
> > control
> > everything thru NTFS but how exactly do I need to set it?
> >
> > I understand how they work together (share, ntfs), how they add up under
> > ntfs, but I need real world examples for complicated setups like mine.
I
> > am
> > moving from Netware and permissions are turning into a nightmare.
> >
> > I appreciate help with the above and pointers to sites
> > w/explanations/examples more involved than basic.
> >

Thanks, Oli, for your response. Let me see if I understand it correctly:

share permissions: builtin\administrators:F, builtin\users:C (remove
Everyone)

then, ntfs permissions:
root of g: (let's say directory name is data)
builtin\administrators:F

and for the project:
cacls g:\projects\client1\94m43 /t /e /g proj94m43:C

But won't they (Proj94m43 group) be able to create subdirectories under
94m43 this way?

Sorry if I sound dumb, I'm trying to learn... Thanks,

Relevant Pages

  • Re: File/directory permissions
    ... I don't see that this scenario as being ... When you create the root directory, ... projects will have the right permissions by default. ... Then, create a group corresponding to each project, and set the ACL to allow ...
    (microsoft.public.win2000.security)
  • Re: FTP control
    ... > I would like to use NTFS security settings to control who ... I would suggest getting a third party FTP server, ... if you set quota and these permissions for that group you can ... Information Server (IIS) Web site, ...
    (microsoft.public.win2000.security)
  • RE: Any way to remove ADMIN$ only?
    ... Mixing the share permissions and the NTFS permissions generally cause ... which means more groups/people access the same shares. ... Along comes another admin that creates a share at a higher level in the ...
    (Focus-Microsoft)
  • Re: W2k and Front Page Security
    ... >> up now using subweb and setting permissions throgh ... >> with NTFS permissions contolling folders.When I set ... >FrontPage managed content areas you do really need to ... >authorship of every groupX subweb in addition ...
    (microsoft.public.win2000.security)
  • Re: Removing "File and Folder tasks"
    ... You can put the computers you want to enforce the NTFS permissions on into ... create a Group Policy to enforce the NTFS ... folder and user profile folders because if you incorrectly apply NTFS ...
    (microsoft.public.windowsxp.security_admin)