Re: File/directory permissions

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 06/14/05 

Date: Tue, 14 Jun 2005 00:40:08 -0700

Grace,

Just as an FYI, although you have Windows 2000 you may be interested
to know that Windows Server 2003 can now show the behavior you are
used to in Netware, where a user sees only what they are allowed to
access. For W2k3 Sp1 and later only
http://www.microsoft.com/downloads/details.aspx?FamilyID=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en 

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Grace" <yyy@yyy.com> wrote in message
news:edQ0xoFcFHA.720@TK2MSFTNGP15.phx.gbl...
>
> "Oli Restorick [MVP]" <oli@mvps.org> wrote in message
> news:u%23yhrZFcFHA.1568@TK2MSFTNGP10.phx.gbl...
> > Unless I'm missing something, I don't see that this scenario as being
> > complex at all.
> >
> > When you create the root directory, I'd set the ACL to
> > builtin\administrators:F.  Don't give any users access (you'll be used
to
> > this, coming from a Netware background).  That way, any newly-created
> > projects will have the right permissions by default.
> >
> > Then, create a group corresponding to each project, and set the ACL to
> allow
> > members of the group change permissions (C).
> >
> > If you prefer to do this from the command prompt, the following command
> > would do the trick.
> >
> > cacls g:\projects\client1\94m43 /t /e /g proj94m43:C
> >
> > From what you've said, the ACL I'd use on the share would be
> > builtin\administrators:F, builtin\users:C
> >
> > Where this scenario would get complex is if you wanted certain groups of
> > users to be able to access only, for example, the calculations folders
for
> > each project they're working on.  I haven't yet seen a convincing
solution
> > to that problem.
> >
> > Regards
> >
> > Oli
> >
> >
> >
> > "Grace" <yyy@yyy.com> wrote in message
> > news:ekglsXEcFHA.3932@TK2MSFTNGP12.phx.gbl...
> > > Scenario - Windows 2000 Server SP4, name server1:
> > >
> > > Created a share on the server called shared$
> > >
> > > On users' PCs g: is mapped to \\server1\shared$
> > >
> > > directories on g:
> > >
> > > projects
> > >
> > >   client1
> > >      - 94m43
> > >               admin
> > >               estimate
> > >               calculations
> > >      - 94m44
> > >               admin
> > >               estimate
> > >               calculations
> > >
> > >   client2
> > >       - 99r33
> > >                admin
> > >                junk
> > >                 letters
> > >
> > > I know that I cannot limit what users will see at the root of g:, like
> in
> > > Netware environment
> > >
> > > I need the following file permissions:
> > >
> > > users need to have g: mapped to the "shared$"
> > >
> > > Then for example, a global group "Proj94m43" needs to be able to do
> > > anything
> > > in admin, estimate, calculation directories but it cannot create
> > > directories
> > > or files directly under 94m43.  Also, I don't want this group to be
able
> > > to
> > > open files in other projects, for example 94m44 or client2\99r33, even
> for
> > > read only.  Admins should have access everywhere, of course.
> > >
> > > Another group, "Proj99r33" will need to work client2\99r33
> subdirectories,
> > > same way as above.  There will be new groups, new project
subdirectories
> > > established when we get more work.
> > >
> > > I thought about leaving the share permissions alone (at default) and
> > > control
> > > everything thru NTFS but how exactly do I need to set it?
> > >
> > > I understand how they work together (share, ntfs), how they add up
under
> > > ntfs, but I need real world examples for complicated setups like mine.
> I
> > > am
> > > moving from Netware and permissions are turning into a nightmare.
> > >
> > > I appreciate help with the above and pointers to sites
> > > w/explanations/examples more involved than basic.
> > >
>
>
> Thanks, Oli, for your response.  Let me see if I understand it correctly:
>
> share permissions: builtin\administrators:F, builtin\users:C  (remove
> Everyone)
>
> then, ntfs permissions:
> root of g: (let's say directory name is data)
> builtin\administrators:F
>
> and for the project:
> cacls g:\projects\client1\94m43 /t /e /g proj94m43:C
>
> But won't they (Proj94m43 group) be able to create subdirectories under
> 94m43 this way?
>
> Sorry if I sound dumb, I'm trying to learn... Thanks,
>
>
>

Relevant Pages

  • RE: GSNW for folder access. Netware 5 and 6 and WIndows Server 2003
    ... Gateway Service for NetWare is included in Windows ... It is not included in the Windows Server 2003. ... Gateway Services for Netware are no longer supported on Windows ...
    (microsoft.public.windows.server.migration)
  • RE: netware 5.1 to windows server 2003 migration
    ... I am migrating from Novell Netware 5.1 to Windows Server 2003. ...
    (microsoft.public.windows.server.migration)
  • RE: Moving to Active Directory...
    ... I suggest you refer the following resource for the migration from Netware ... NetWare to Windows Server 2003 Migration Planning Guide ... Migrating from Novell NetWare to Windows Server 2003 Virtual Lab ...
    (microsoft.public.windows.server.migration)
  • RE: Adding AD Account to NT Global
    ... member server in the Windows NT domain. ... Create a group in the Windows Server 2003 domain and add the accounts to ... Windows Server 2003 domain directly to set permissions. ...
    (microsoft.public.windows.server.migration)
  • RE: Novell to 2003
    ... Do you mean the SNW 5.03 as the Microsoft Services for NetWare 5.03? ... and facilitate the migration to Windows ... Windows 2000 Service Pack 4, Windows Server 2003, Windows XP ...
    (microsoft.public.windows.server.migration)