Sunday, December 30, 2012 1:43 AM
Hi, I'm a long time os x server admin who needs some assistance setting up file/folder permissions. I just moved our data from an os x server to a windows network share. Our campus windows admins created the share and gave me full access to it. Now I'm ready to set the file/folder permissions for the share.
On my os x server network share everyone in my dept has read only and can see all the folders on root of the network share. No one can add files or folders to the share root. Then for each folder off the share root, a security group is given read/write access to that folder.
So, the share root looks something like this:
-Advocacy (the advocacy group has read/write to contents of this folder)
-Development (the research group has read/write to contents of this folder)
-Research (the research group has read/write to contents of this folder)
-User HomeDirs (everyone has read only to see all the folders in the list, but each person has full access to their own user folder)
I've been reading through some of the windows file and folder permissions and I'm confused about how to do this without totally screwing up the permissions. Can I get the same or similar settings that I had in os x?
Sunday, December 30, 2012 4:20 AM
- We set permission to share folders first then to home folders (will be discussed in point 2).
Create a default share first with default settings (including Access Based Enumeration(ABE) option).Then inside share create individual folders with the name Advocacy, Development, Research and set NTFS permissions to 3 folders with respective group names.
First and foremost thing is set proper NTFS permissions, which plays vital/major role in accessing share folder.Below snap-shot is just example how to set NTFS permission to development folder to add development group.
- 2. I suggest you check below blog link which will help you to create user home directories along with permissions.
Thank you and please write here again if you need any other help.
Regards, Ravikumar P
Sunday, December 30, 2012 7:38 AM
check this article for step by step verification
Monday, December 31, 2012 9:18 AMModerator
Add to Ravikumar, we can also refer to the following documents:
Hope this helps.
TechNet Community Support
Monday, December 31, 2012 1:41 PM
Thank you for your reply. The links were very helpful, especially the one to the ABE information. I wasn't aware there was a way to make visible only the folders a person has access to. Nice feature.
Monday, December 31, 2012 1:44 PMThank you for these reference links Jeremy. I will definitely need to refer to them frequently since setting windows permissions seem to be more complicated than setting MacOS permissions.
Thursday, January 03, 2013 3:11 AMModerator
Friday, January 18, 2013 3:16 PM
First, thank you for the follow up. As far as an update goes. I'm still struggling w/ all of the different file and folder permissions. I've tried a few different combinations, but it's still not quite right. I understand where to go to set the basic and advanced permissions of the files and folders. What I still don't understand is the correct combination of permissions to achieve the results I'm looking for. I'm not sure at what level to remove the inherited permissions.
For example, I am pretty sure the basic permissions that are set on the share root give the users too many permissions. These were the defaults that were set up for me by my campus domain administrators. What's currently set is as follows:
Authenticated Users: Read/execute, list folder contents, read
MyDeptAdminGroup: Full control, modify, read/execute, list folder contents, read, write
MyAccount: same permissions as MyAdminGroup
Since I am the admin for our share, MyAccount is set like I want it with full access. I only want my dept users to see the folder list in the share root and that's it. They should *not* be able to open, view files or folder list inside any folders off the root (Development, Research, etc) *unless* they are a member of group that has full permissions to that folder. So everyone should be able to see the Development folder itself, but only the development group has full control of what's inside the Development folder.