SBS 2003 - tidying up share permissions

I've been asked to tidy up the share permissions on an SBS 2003 server which 
has been set up by various user administrators along the way. All users have 
a shared folder mounted as a network drive on their desktops. They have 
access to all the folders and sub-folders in this share, but the permissions 
have been granted in an ad-hoc way, some via groups, some by giving 
individual permissions, and some by straight-forward inheritance. What I'd 
like to do is set up the permissions via a single group (e.g. office) which 
can be applied to the shared folder, add all permitted users to this group 
and then remove all the previous groups and shares (excepting critical admin 
and domain rights). I'd prefer not to work through every folder by hand to 
remove the old permissions and to inherit the new permissions - is there a 
simpler way of doing this?

After I've done that, I want to exclude two folders in this share from the 
user group I added above, and then just allow a specific group to access each 
folder (e.g. only finance group have access to the finance folder and only HR 
groups have access to the personnel folder). Users in the finance and HR 
groups will also be in the office group. Am I correct to turn off inheritance 
in the finance and HR folders and then just add the appropriate group to the 
folder permissions or do I need to add group to the share permissions too?

Thanks

Brian
Warwickshire (Shakespeare's County)
UK
0
Utf
2/24/2010 12:41:01 PM
windows.server.sbs

Hi Brian:

To provide a share where the users have the same rights to all sub folders 
and files, just go to the top level and stop inheritance from anything above 
that, set the permissions and security you want, and tick the box to apply 
all such to the files and folders below. Hint: Use the Advanced button. 
Pay close attention to both the permissions and the security, as the most 
restrictive wins.

You can then add the admins to the top level and give them different rights, 
but if they are in the group mentioned, they will still get the most restrictive.

As for folders within this tree that have different rights for other groups, 
this will drive you mad.  Better to create a new top level share and give 
them whatever rights you wish.

-
Larry
Please post the resolution to your
issue so others may benefit
-
Get Your SBS Health Check at
www.sbsbpa.com




0
Larry
2/24/2010 1:11:40 PM
As Larry said, there is a checkbox to copy all permissions down, effectively 
replacing any old permissions that existed.  I also agree that it is better 
for the unique shares to be separate, however if that is not possible, you 
can also use the "most restrictive" rules to some effect.  An explicit deny 
permission (which you rarely see used) will block some groups access, so 
depending on your structure, that is possible.

-Cliff
0
Cliff
2/24/2010 8:05:02 PM
In article <C5832B25-8B22-4F6B-BAEE-43AFE475A1E0@microsoft.com>, 
BrianR@discussions.microsoft.com says...
> After I've done that, I want to exclude two folders in this share from the 
> user group I added above, and then just allow a specific group to access each 
> folder (e.g. only finance group have access to the finance folder and only HR 
> groups have access to the personnel folder). Users in the finance and HR 
> groups will also be in the office group. Am I correct to turn off inheritance 
> in the finance and HR folders and then just add the appropriate group to the 
> folder permissions or do I need to add group to the share permissions too?
> 
> 

One thing you have to do:

Remove Domain Users, Everyone, and then you have to remove the TAKE 
OWNERSHIP and CHANGE PERMISSIONS rights from both groups that you create 
- if you don't remove those two then users from those groups can grant 
others the rights to see those folders/files.

If you've got a group - accounting, then do something like this:

Create a Security Group: SGP_ACCOUNTING_RW, another called 
SGP_ACCOUNTING_RO (RW = Read Write, RO = Read Only).

Create the share - ACCOUNTING, Domain User, Full Permission (on the 
share)

NTFS SGP_ACCOUNTING (Set FULL to start, then go to advanced and DENY the 
last two rights (see above)), for RO, just select the RO, then advanced 
and remove the last two rights

Now apply the SG permissions to the FOLDER, remove Everyone, Domain 
Users

If you want a folder exposed below the ACCOUNTING SHARE, well, you can 
do something like the above, but it gets messy - create another share 
and move that folder structure to a new location.

-- 
You can't trust your best friends, your five senses, only the little 
voice inside you that most civilians don't even hear -- Listen to that.  
Trust yourself.
spam999free@rrohio.com (remove 999 for proper email address)
0
Leythos
2/25/2010 11:25:13 AM
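
The steps discussed in this thread (one group on the top-level folder, old ad-hoc entries cleared from everything below it, and the two restricted folders cut off from inheritance) can be scripted rather than clicked through. The following is an added example, not code posted by anyone in the thread. It assumes Windows PowerShell is installed on the server and is run by an administrator; the path D:\Shared, the EXAMPLE\... group names and the helper function names are placeholders. It changes NTFS permissions only and leaves the share permissions as they are.

```powershell
# Added example. $Root, the EXAMPLE\* groups and the function names are
# placeholders, not values taken from the thread.
$ErrorActionPreference = 'Stop'          # stop at the first failure
$Root       = 'D:\Shared'
$Office     = 'EXAMPLE\office'
$Restricted = @{ 'Finance' = 'EXAMPLE\finance'; 'Personnel' = 'EXAMPLE\hr' }

function New-AllowRule([string]$Identity, [string]$Rights) {
    # Allow ACE that applies to this folder, its subfolders and its files.
    $inherit = 'ContainerInherit,ObjectInherit'
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $inherit, 'None', 'Allow')
}

function Set-ExplicitAcl([string]$Path, [object[]]$Rules, [bool]$Protect) {
    $acl = Get-Acl $Path
    # $Protect = $true blocks inheritance from the parent; the second
    # argument ($false) discards the inherited entries instead of copying them.
    $acl.SetAccessRuleProtection($Protect, $false)
    # Remove every explicit entry (the old per-user and per-group grants).
    $old = $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
    foreach ($rule in $old) { $acl.RemoveAccessRuleSpecific($rule) }
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

$admins = @((New-AllowRule 'BUILTIN\Administrators' 'FullControl'),
            (New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl'))

# 1. Top level: stop inheritance, admins keep Full Control, the office
#    group gets Modify. Modify does not include Change Permissions or
#    Take Ownership, so group members cannot re-grant access to others.
Set-ExplicitAcl $Root ($admins + (New-AllowRule $Office 'Modify')) $true

# 2. Restricted folders: stop inheritance so the office group's entry does
#    not flow in, then grant only the matching group (plus admins).
$skip = @()
foreach ($name in $Restricted.Keys) {
    $folder = Join-Path $Root $name
    Set-ExplicitAcl $folder ($admins + (New-AllowRule $Restricted[$name] 'Modify')) $true
    $skip += $folder
}

# 3. Everything else: drop explicit entries and turn inheritance back on,
#    so each item takes its permissions from the nearest protected folder
#    above it ($Root, or Finance/Personnel for items inside those).
Get-ChildItem $Root -Recurse -Force |
    Where-Object { $skip -notcontains $_.FullName } |
    ForEach-Object { Set-ExplicitAcl $_.FullName @() $false }
```

Run it against a copy of the folder tree first and compare the Security tab on a few folders before and after.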