Share Permissions RRS feed

  • General discussion

  • This may sound like a ridiculous question however, I am on this project and the file shares and SG placements just seem out of the norm to me. 

    First off, they've created a "High Level" security group which can access all the folders within the share then, added security groups designed to only access certain folders within this share to the High Level security group, and proceeded to modify permissions on each folder within that share to restrict user access. When these users assigned to the security groups other than the High Level SG login, they are presented with all the folders found within the share. Example:


    Within Shares we have Folders A, B, C, D, E to which SG1 has only access to A, B, C and SG2 access to D, E and of course SG1 (which I am calling the High Level SG) has access to all the shares. Doing so, the "techs" behind this design, removed Administrator as owner to all the shared folder causing anyone with Admin level rights being forced to take ownership before they can work with inside the shared folders.

    So when a user from SG1 logs in, the network drives map automatically via script (Let's call this S Drive") all the users see all the folders within the Share and claim by adjusting the NT file permissions on each individual folder is "locking down" the share allowing access to the specified folders the end user is to have rights to.

    This seems quite a bit drastic to me since, now the end users can see all the shares.

    Now all users login script for the "S Drive" point to \\someserver\D\shares$.

    Wouldn't the safer way to do this is simply apply SG1, and SG2 to the associated folders within the share the user needs access to so that, when the user of a given SG logs in they only see either Folders A, B, C for SG1 or Folders D, E for SG2 but not all folders belonging to SG's they shouldn't have access to. Isn't this correct?

    Meanwhile, Admins logging into the File Server/or Mapped Drive, remember the last scenario does not include removing "Administrator" from the folders within the share would have access to A, B, C, D, E without having to take individual ownership of each folder to provide access for assistance as an example..

    What this group is saying without applying their High Level procedure as explained in the beginning of this question each end user would have to be mapped to separate drives to access each of the shares they have permissions to...

    I hope this makes sense as, it really doesn't to me, I have always applied security groups to a share to the folders they needed access to and that's it and when the end user logged in and the share gets mapped (S drive for this example) not only do they have visibility and access of folders their SG is assigned to but, the others will not be visible hence, locking down the share. I mean why show someone something they aren't supposed to have access to in the first place... has something changed?

    Saturday, October 26, 2019 2:34 PM

All replies

  • I'm sorry, but your question is very confusing to me.  It appears that you use the word "share" quite liberally and I am having trouble understanding which folders are shared. 

    So let's start with the example that you gave: \\someserver\D\shares$

    Typically, the "$" indicates a hidden share. So normally it would be written as \\someserver\hiddenshare$\somefolder.

    Is "D" the share name? Is it the entire D drive? What folder does it point to?

    In my experience, sharing out the entire drive is not a good idea (if that's what was done).  On a server I would take the D drive and for the security permissions I would put "Administrators:full,system:full". Then I would create subdirectories in the root of D and would share those out.


    In the above example, the Data folder would be shared out and accessed as \\someserver\Data. D:\AnotherShare could be accessed by any name like \\someserver\TechTeamStuff. 

    On the share permissions for Data, I would give "Everyone:full" or "Everyone:modify", and then control access via file permissions. 

    On the file permissions for the 3 subfolders, I would grant full control to the appropriate security group that managed access for each department. If the Payroll team wants their data secured, then inherited permissions would be removed and only the Payroll user group would have access.  

    In order for end users to access their subfolders, one method is to grant "Everyone:list" on D:\Data.

    If you chose to share out the department folders (\\someserver\Accounting, \\someserver\Payroll, \\someserver\Sales) then I would remove the share at the Data folder so that there are not 2 different shares pointing to the same folders. In that case if a user needed access to both Accounting and Sales, then yes, they would need to map 2 drives to the same server. That's neither right nor wrong, it's just a question of how your organization wants to manage data.

    Did that help?  


    • Edited by MotoX80 Sunday, October 27, 2019 8:18 PM
    Sunday, October 27, 2019 4:35 PM
  • Well after talking about this to my manager and CIO, they are in agreement that, they way this was set-up was incorrect... and yes, they did share D$ which I left out... it is all very confusing but, I was able to explain this well enough that as I said, those that matter are in agreement with me... Feel sorry for the group that took on those contractors... they may be well educated but know little to nothing of either AD or Windows NT shares/permissions... 
    Thursday, November 14, 2019 8:16 PM