Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Monday, May 27, 2013 11:33 AM | 1 vote
Hi guys. I have a departmental share that I need to restrict access to a couple of users. I have created a group on Active Directory. And on the file server I removed the inheritance and given access only to the group. But when the users try to access they can't see the folder. What am I maybe missing? Please assist
All replies (10)
Wednesday, May 29, 2013 2:16 PM ✅Answered
Hi,
General speaking, you should:
1. Make sure users have permission to access (Read permission) the parent folder of the subfolder. For example if a shared folder named \server\share, and you are going to share the \server\share\subfolder to specific user group, make sure they have at least Read permission on "share" folder.
2. For the \server\share\subfolder, set Everyone - Full Control in Share permission, and give the specific user at least Read permission. As a test you could firstly give them Full Control just to see if they can access the subfolder.
TechNet Subscriber Support in forum |If you have any feedback on our support, please contact [email protected].
Monday, May 27, 2013 12:10 PM
Hi.
Remember that if you add a user to a group that user wont have that group until he gets a new kerberos ticket.. The easy way ask the user to reboot his computer (new ticket at logon)..=)
Could you dump the rights on the folders with icacls?
icacls \server\share\folder
icacls \server\share\folder\subfolder
Oscar Virot
Monday, May 27, 2013 1:04 PM
If I just need to give access without using ICACLS how do I go about it? I am still using active directory Server 2003 and I'm using active directory groups to assgn permissions to
Monday, May 27, 2013 1:06 PM
Well. You should just be able to remove inheritance and then grant the new group rights on that folder.
Have you asked a user to reboot?
I was asking for an Icacls dump so I could see how you have set up the rights right now.
Oscar Virot
Monday, May 27, 2013 1:33 PM
I have removed permission inheritance from the parent and went into the subfolder and then give access only to a group but then the users in question called saying they can't access the subfolder they can't even see it. But I hadn't changed anything on the share permissions. When I log into the file server ,the files have like a key on it
Monday, May 27, 2013 1:39 PM
If you run the two commands I said earlier we will be able to see exactly which rights have been delegated and help you faster.
If they cant see the folder, do you have Access Based Enumeration enabled on that share?
Oscar Virot
Wednesday, June 5, 2013 9:31 AM
guys sorry for responding late. i have been busy with a DR active directory server that crashed. that issue has not been resolved still. the main folder is called servername\esibaya which is shared and the sharename is isibaya. this folder everyone in the department has access to, it is the main folder. All the sub folders are sitting under it. Then there is a subfolder called minutes that has folders inside that is only supposed to be accessed by two users in the department. what i did is i went into the minute subfolder and right clicked on it go to properties and on the Sharing button i shared and gave the whole group read permissions and then i went into security under advanced i unticked include inheritable permision from the object's parent and ticked replace all child object with inheritable permisions from this object. but the user say she cannot see the folder under the Minutes folder it looks empty. what am i doing wrong here?
Wednesday, June 5, 2013 8:29 PM
guys sorry for responding late. i have been busy with a DR active directory server that crashed. that issue has not been resolved still. the main folder is called servername\esibaya which is shared and the sharename is isibaya. this folder everyone in the department has access to, it is the main folder. All the sub folders are sitting under it. Then there is a subfolder called minutes that has folders inside that is only supposed to be accessed by two users in the department. what i did is i went into the minute subfolder and right clicked on it go to properties and on the Sharing button i shared and gave the whole group read permissions and then i went into security under advanced i unticked include inheritable permision from the object's parent and ticked replace all child object with inheritable permisions from this object. but the user say she cannot see the folder under the Minutes folder it looks empty. what am i doing wrong here?
It sounds like her permissions are set to "this folder only". Change it to "this folder and all sub-folders".
Thursday, June 6, 2013 12:53 PM
to be honest it is set to apply to this folder,subfolders and files. i really dont know why they are hidden
Thursday, June 6, 2013 2:23 PM
to be honest it is set to apply to this folder,subfolders and files. i really dont know why they are hidden
This is what I would do:
- first, just as one other person recommended, always set the share permissions to FULL. I use Authenticated Users, but you can use Everyone. Don't try to control folder security at the share level. You'll only create problems for yourself. Always set it to FULL.
- At the \esibaya level, set the NTFS security to Modify or Full (your preference) for the users/groups that can see all the way down into the sub-folder structure.
- for the users with limited access, at the \esibaya leveal, give them: Traverse folder, List Folder, Read attributes, Read extended attributes and Read Permissions. Set it to This folder and Sub-folders.
- at that point the restricted two users should be able to see all folder levels
- in the Minutes folder, go to Security Tab> Advanced > Change Permissions button > uncheck include Inheritable Permissions and then choose Add. Then remove users that are not supposed to have access to that. And change for the two that can, from Traverse to Modify, and set it to This folder and Sub-folders.