I have a Windows 2008 R2 file server serving Windows and Mac (SMB) clients. I have, say, 5 folders: Happy, Sad, Lonely, Stinky and Grumpy. All of the folders should be public to domain users except Happy and Sad, which should be restricted to the Happy and Sad security groups (Active Directory). I want everyone with access to be able to create folders and files, but not be able to delete the root shares. They should be able to delete files and folders within the shares, though. Also, I want the creator owner of the files and folders to be able to change permissions so that they can restrict a folder they create to a person or group. Inheritance of permissions seems to make this task difficult. Please assist.

Gregg L

1 Answer

What you're looking for is quite possible, but usability is quite a challenge. It can all be done through command line calls (on Windows, your Mac users are going to be out of luck), with varying complexity, but the GUI is entirely in the realm of "Advanced".

Give creator-owner the ability to do whatever they want with created files and directories but not do anything to the top level directory:

rem Authenticated Users: read/execute on the top-level folder only (no inheritance flags, so no Delete on the root)
icacls grumpy /grant *S-1-5-11:(RX)
rem Modify on everything below: an inherit-only ACE needs (OI)(CI) too, or it never reaches any child
icacls grumpy /grant *S-1-5-11:(OI)(CI)(IO)(M)
rem CREATOR OWNER gets Full Control on the objects a user creates
icacls grumpy /grant *S-1-3-0:(OI)(CI)(IO)(F)

That'll create a Grumpy directory where Authenticated Users won't be able to delete Grumpy, but will be able to do almost anything below it, and ANYTHING to anything they actually create.

The restricted group versions are very similar:

rem Same pattern, but the restricted group replaces Authenticated Users
icacls happy /grant happy-people:(RX)
icacls happy /grant happy-people:(OI)(CI)(IO)(M)
icacls happy /grant *S-1-3-0:(OI)(CI)(IO)(F)

The (F) right gives users the ability to do anything, including modify access lists.

As for the rest of your request, this is where the crappy user-factors come into play. As I said, it can be done but training your users to do it right will be a continual challenge (and the Mac users will be out of luck).

A user deciding to lock down a certain folder they created to just the right people:

icacls grumpy\Newsbits /inheritance:d
icacls grumpy\Newsbits /remove *S-1-5-11
icacls grumpy\Newsbits /grant grumpy-news:(OI)(CI)(M)

First step is to block inheritance.
Second step is to remove the right that grants everyone else access.
Third step is to grant the rights to the extra group.

Where it gets really really bad is when you try to do this in one of the restricted directories.

icacls happy\mystuff\Newsbits /inheritance:d
icacls happy\mystuff\Newsbits /remove happy-people
icacls happy\mystuff\Newsbits /grant happy-news:(OI)(CI)(M)

Same workflow, but your users have a problem: They can't start at "happy" and browse down. They have to access the happy\mystuff\Newsbits directory directly. As it happens, you CAN make it work, but it involves modifying the ACL on the mystuff directory to permit passing through.

icacls happy\mystuff /grant happy-news:(RD)

All of this can be done through the Windows GUI, but icacls makes documenting it much easier.

As I said, it can be done. But not what you'd call usable.

sysadmin1138
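An added example, not part of the answer above: a PowerShell check that reads the ACL of a share root set up with the icacls pattern in the answer and reports, for one principal, whether the intended split holds (no Delete on the root itself, Modify flowing down to new files and folders). The share path D:\Shares\grumpy and the group name DOMAIN\happy-people are assumed placeholders.

```powershell
# Added example, not from the original answer. Audits one share root configured with the
# icacls pattern above. Assumed inputs: a path such as D:\Shares\grumpy and a principal
# name as Get-Acl shows it ('NT AUTHORITY\Authenticated Users' or 'DOMAIN\happy-people').
function Test-ShareRootAcl {
    param(
        [Parameter(Mandatory=$true)][string]$Root,
        [Parameter(Mandatory=$true)][string]$Principal
    )
    $io     = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $noInh  = [System.Security.AccessControl.InheritanceFlags]::None
    $delete = [int][System.Security.AccessControl.FileSystemRights]::Delete
    $modify = [int][System.Security.AccessControl.FileSystemRights]::Modify

    # Only Allow entries are summed; a Deny entry for the same principal would override
    # them and has to be reviewed separately.
    $aces = (Get-Acl -Path $Root).Access |
        Where-Object { $_.IdentityReference.Value -eq $Principal -and $_.AccessControlType -eq 'Allow' }

    $rootRights  = 0   # rights effective on the root folder itself
    $childRights = 0   # rights that flow down to new files and subfolders
    foreach ($ace in $aces) {
        $rights = [int]$ace.FileSystemRights
        # An ACE without (IO) applies to the root; an inherit-only ACE never does
        if (([int]($ace.PropagationFlags -band $io)) -eq 0) { $rootRights = $rootRights -bor $rights }
        # An ACE with (OI) and/or (CI) reaches children; (IO) alone reaches nothing
        if ($ace.InheritanceFlags -ne $noInh) { $childRights = $childRights -bor $rights }
    }

    New-Object PSObject -Property @{
        Path              = $Root
        Principal         = $Principal
        RootRights        = [System.Security.AccessControl.FileSystemRights]$rootRights
        ChildRights       = [System.Security.AccessControl.FileSystemRights]$childRights
        # Expected False: Delete on the root would let the user remove the share folder.
        # Delete Subfolders and Files on the root's parent would also allow it; check that ACL too.
        RootCanDelete     = (($rootRights -band $delete) -ne 0)
        # Expected True: the (OI)(CI)(IO)(M) entry gives full Modify below the root
        ChildrenGetModify = (($childRights -band $modify) -eq $modify)
    }
}

# Constructed usage for the two share types in the answer (paths and group are placeholders)
Test-ShareRootAcl -Root 'D:\Shares\grumpy' -Principal 'NT AUTHORITY\Authenticated Users'
Test-ShareRootAcl -Root 'D:\Shares\happy'  -Principal 'DOMAIN\happy-people'
```

Run it as a user who can read the folder's security descriptor; RootCanDelete should come back False and ChildrenGetModify True for a root set up as in the answer.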