Problems giving permissions to folders... they don't work!

Discussion in 'Windows Server Systems' started by Punkrulz, Mar 26, 2007.

  1. Punkrulz

    Punkrulz Somewhat eXPerienced

    Messages:
    790
    Location:
    Woodbury, NJ
    Hey guys,

    I have been having trouble lately giving users' permissions to various directories. I'll start with the example.

    First, I wanted to make a directory a user's home directory. It was a directory where there was mapping data. I made it his home directory, and made sure that himself, and someone else has full control privileges over it. Well there were other directories inside of the one that I made him full control. Unfortunately, he couldn't list what was in those directories, he could only rename or delete the folder. I had to give him privileges to every single folder in there just so he could even list the contents... even when he had list access it didn't work. Since he had Full Control at the Root of that directory, shouldn't the permissions trickle down? I know it's setup that way.

    Also, for example I created a directory within that one directory that was having issues. Now there is E:\GIS\PREB (PReb being the users directory). I gave this other user FULL CONTROL over the PREB directory, and yet every time he even tries to go and adds a directory, it complains that access is denied... but he's got full control privileges!

    What else can I check? I don't need to share these directories, right? That only means if you share something, it becomes public... right?
     
  2. Mooz

    Mooz Moozically Con~foozed

    Messages:
    126
    Location:
    UK
    a good test for sanity is to ensure that the folder is not inheriting permissions first off ... set that and apply

    next grant the user concerned full priveledges on that folder and subfolders ... apply

    next go to advanced and select the check box for apply settings selected above ... apply..

    this will give you a default set of permissions for that user.

    if this works ... re allow the folder to inherit and apply your additional settings on to it.

    if the above works you are all done, if not then there must be an implicit deny in the inherited permissions.

    the other thing to bare in mind is that for some redirected folders (mapped using gpo) you will need to ensure that the user is the folder owner.

    there is loads of info on this on the microsoft websites ... if the above doesnt resolve your issues please pm me and i will assist further.

    D
     
  3. Punkrulz

    Punkrulz Somewhat eXPerienced

    Messages:
    790
    Location:
    Woodbury, NJ
    Mooz, I'm going through your steps now, because the user will be here shortly and I will be able to help them. One of the things I noticed is that when I went to the drive and saw the share folder, for some reason it's checkbox for readonly was checked, and greyed out. I unchecked it. I then went into the folder, and saw the GIS Share Folder (which contains the user folder we're having trouble with) and that too had the grey readonly checkbox... Unchecked that.

    I also saw that the users folder had the grey checkbox too, I unchecked that, but it went back to being checked. Is there a reason?
     
  4. Punkrulz

    Punkrulz Somewhat eXPerienced

    Messages:
    790
    Location:
    Woodbury, NJ
    Ok, I do have a question about this. I seemed to have gotten permissions squared away with this issue, but coincidentally on the other side of the building some permissions issues have cropped up there.

    We have been attempting to fine tweak some permissions on accounts regarding images on the server. The images are used to store photos of people who were booked in the system. We have 2 computers (and 2) user accounts that access it from booking area, and 1 in the main area. We want to setup so that (3) accounts have the ability to write photos, but all other users can only list contents and view pictures.

    We ran into some issues involving ownership, and even having administrator rights but being unable to view... I think this was an issue involving changing permissions so much but they weren't spreading to all of the folders... that was fixed. We were attempting to tweak the folder permissions specifically, but it wouldn't work.

    Question: Is it possible to make it so that the (3) user accounts can CREATE folders, however I do NOT want them to be able to DELETE or MODIFY Folders & their contents? You should be able to just create the folder for the date, but once it's there, that's it. I attempted working with Special Permissions, however it was either all or nothing, and it mostly revolved around the "Modify" section of the permissions.
     
  5. fitz

    fitz Just Floating Along Staff Member Political User Folding Team

    Messages:
    4,076
    Location:
    Chicagoland
    1) what OS are you doing this on?
    2) Are you looking at share permissions or NTFS permissions?
    3) You should have able to grant access to allow them to create new files/folders but not delete - but it will allow them to modify existing files as well.
    4) you can apply the special permissions to just the parent folder and/or just the sub folders, or to both - go learn the differences.
    5) Are these users in a group (please say they are...) and are you applying permissions based on the group? Is it domain based group?


    edit:
    what exactly did you look at? (see screencap)

    edit2:
    BTW - for your "grey" box on the read only attribute for the folder: this is by design as windows usually ignores the read-only attribute on the folder level.
    http://support.microsoft.com/?id=326549 (for xp/win2k3)
    http://support.microsoft.com/kb/256614/EN-US/ (for win2k and NT)
     

    Attached Files:

    • test.png
      test.png
      File size:
      13.1 KB
      Views:
      211
    Last edited: Apr 3, 2007
  6. Dublex

    Dublex Quazatron R6 droid

    Messages:
    624
    Location:
    Hertfordshire, UK
    If you can access Active Directory Services (ADS) I would control it though this and group permissions - that way you can set up one main group say as photo admin and another as photo user, give those the permissions on the relevant directories and then add the required users to either of the two groups.

    In the end it creates far less hassle, as if you want to modify the rights you just need to make a change to the ADS group and not all the individual accounts themselves.
     
    Last edited: Apr 3, 2007
  7. fitz

    fitz Just Floating Along Staff Member Political User Folding Team

    Messages:
    4,076
    Location:
    Chicagoland
    didn't I just say to use groups? Man.. I feel like LordOfLA
     
  8. Dublex

    Dublex Quazatron R6 droid

    Messages:
    624
    Location:
    Hertfordshire, UK
    Sorry fitz, I was suffering from Userfaze (TM) you know - the look some users get when your trying to explain something semi-complicated in a sequence and they get a detatched look on their face.

    you said groups, but did you mention ADS groups specifically? :p
     
  9. fitz

    fitz Just Floating Along Staff Member Political User Folding Team

    Messages:
    4,076
    Location:
    Chicagoland
    yes

    :p