We're currently running Windows SBS 2000 but creating (rather than migrating) to a new Windows 2008 Enterprise domain.
In our current setup we have created user groups (e.g. _Map_G_Accounting) that map to shared drives in the logon script according to membership and then other user groups (e.g. _RW_Accounting) that allocate permissions to the files and directories in the share.
This has worked well for us as we know that if somebody is not in the group that maps a drive (e.g. _Map_G_Accounting) then they will have no access to the Accounting directory structure regardless of whether we messed up the permissions within it. It's
a very comforting backstop.
I'm trying to achieve the same in our new Windows 2008 Enterprise domain but the changes in shares/permissions seem to make this more difficult.
If I give RW access to _Map_G_Accounting so that I can map the drive this seems to descend down the directory tree as a RW file/directory permission. In effect it seems that if a user is in the _Map_G_Accounting group they get RW access to all the directories
in the tree regardless of their membership of other security groups.
This isn't what I want because I want some users to have RW access to some directories and other to have R access only; others still to have Create Directory permissions only.
I don't know if I'm missing something very obvious here but any help would be very much appreciated!
In the Permission Entry for folder, we can configure "Apply to" option to "This folder only". Right-click the shared folder, choose Properties, switch to Security tab, click Advanced, click Add, type the User name, in the Permission Entry for .. window,
change the "Apply to" accordingly.
Can we solve the problem now? If not, please help to collect the following information for research.
Run "icacls path\sharefolder >>share.txt", paste the share.txt here for research.
This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your
question. This can be beneficial to other community members reading the thread.
Microsoft is conducting an online survey to understand your opinion of the Technet Web site. If you choose to participate, the online survey will be presented to you when you leave the Technet Web site.