none
Restrict and Grant Domain Users Permission in Select Folders on Server in Windows Server 2008 R2

    Question

  • Hi,


    I'm working with Windows Server 2008 R2 and have some questions regarding restricting and granting specific users access to certain folders on the server.


    Within the D: on the server, there is a folder which we share among our computers on the network. Everyone has basic access to this folder but I am wanting to restrict access to only a few users on the network.


    For example:


    UserA is part of GroupA and I would like to grant him (and everyone else in GroupA) exclusive access to FolderA. I want to restrict UserB, who is not part of GroupA, from being able to access FolderA. FolderA is intended to be strictly for only those who belong to GroupA.


    When I try to restrict UserB from accessing FolderA, it does restrict him, but it also restricts UserA as well as the Administrators.


    Upon going into Properties>Security, here are the following groups listed as default:

    Authenticated Users

    SYSTEM

    Domain Users (DOMAIN_NAME\Domain Users)

    Administrators (DOMAIN_NAME\Administrators)

    Users (DOMAIN_NAME\Users)


    I assume that UserA belongs to one of these groups by default and this is causing the confusion in Windows.

    Tuesday, May 24, 2016 10:47 PM

Answers

  • Hi,
    Permissions on a shared resource, such as a folder or volume, are determined by the local NTFS permissions for that resource and by the protocol used to access the shared resource.
    Applying shared permissions to user accounts and groups affects access to a shared folder. Denying permission takes precedence over the permissions that you allow. The following list describes the effects of applying permissions.
    •Multiple Permissions Combine. A user can be a member of multiple groups, each with different permissions that provide different levels of access to a shared folder. When you assign permission to a user for a shared folder, and that user is a member of a group to which you assigned a different permission, the user's effective permissions are the combination of the user and group permissions.
    •Denying Permissions Overrides Other Permissions. Denied permissions take precedence over any permissions that you otherwise allow for user accounts and groups. If you deny a shared folder permission to a user, the user won't have that permission, even if you allow the permission for a group of which the user is a member.
    •NTFS Permissions Are Required on NTFS Volumes. Shared folder permissions are sufficient to gain access to files and folders on a FAT volume but not on an NTFS volume. On a FAT volume, users can gain access to a shared folder for which they have permissions, as well as all of the folder's contents. When users gain access to a shared folder on an NTFS volume, they need the shared folder permission and also the appropriate NTFS permissions for each file and folder to which they gain access.
    •Copied or Moved Shared Folders Are No Longer Shared. When you copy a shared folder, the original shared folder is still shared, but the copy is not shared. When you move a shared folder, it is no longer shared.
    Please see details from: https://msdn.microsoft.com/en-us/library/bb727040.aspx
    Best Regards,
    Wendy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, May 25, 2016 9:23 AM
    Moderator