0

We have a 2008 R2 server hosting most of our network shares. Lately we have been locking down the permissions in the folders to give only certain users and groups access to certain folders, but we are finding that we are extremely limited in how far down in the hierarchy we can set permissions and have them actually work.

For instance, if I have a network share named 'Public', I can create a folder on it named 'Marketing' and set permissions on it without any problems. However, permissions that I set on any folders or files beneath that will result in 'Access Denied' for the specified users/groups unless they also have the same permissions set on the 'Marketing' folder that they reside in.

What are we doing wrong? Is this by design? Is there a better approach?

Thank you for your help.

Chad

1 Answer

1

Sounds like the Windows privilege "Bypass traverse checking" may be disabled. When accessing a file or directory, the parent directory permissions are usually bypassed due to that privilege, which is enabled by default.

Greg Askew
  • Oddly enough that seems to have fixed the problem for folders, but not individual files. Any ideas? – Chad Sep 05 '13 at 20:45
  • Do the files have different permissions from the parent or not inheriting? If so, you may need to reset the permissions so they inherit from the parent. – Greg Askew Sep 06 '13 at 01:26
  • Permissions are inheriting from the parent just fine, but we need to give write permissions to a file without giving them to the folder that it resides in. Doing so results in "Access denied" when attempting to write to the file unless we give the same permissions to the entire folder. – Chad Sep 06 '13 at 16:17
  • Ultimately, the files that need to be modified need to have an access control entry. That ACE can either be applied directly to the specific files, or you can create the appropriate ACE on the folder that applies to "Files Only". – Greg Askew Sep 06 '13 at 16:55
  • I finally found the last wrench in the works. In the share permissions the Domain Users group was only set to have read access, overriding the NTFS permissions. I really should have caught that sooner since I had looked at the share permissions before. Thanks for all your help. – Chad Sep 09 '13 at 18:42
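
The three checks this thread went through (the "Bypass traverse checking" right, a "Files only" ACE on the folder, and the share permissions), as an added PowerShell example that is not part of the original posts. The local path and the group name are assumptions; the WMI class is used so the script also runs on Server 2008 R2.

```powershell
# Assumed values, not from the thread: adjust before running (elevated prompt).
$shareName = 'Public'                       # share name used in the question
$folder    = 'D:\Shares\Public\Marketing'   # hypothetical local path of the folder
$group     = 'CONTOSO\MarketingEditors'     # hypothetical group that must edit files

# 1. Who holds "Bypass traverse checking" (SeChangeNotifyPrivilege)?
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-Content $cfg | Where-Object { $_ -match '^SeChangeNotifyPrivilege' }
Remove-Item $cfg

# 2. Share-level DACL. Access over the network is limited to what BOTH the
#    share permissions and the NTFS ACL allow, so a Read-only entry here
#    blocks writes no matter what the NTFS ACL grants.
$names = @{ '1179817' = 'Read'; '1245631' = 'Change'; '2032127' = 'Full Control' }
$sec = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$shareName'"
if ($sec) {
    foreach ($ace in $sec.GetSecurityDescriptor().Descriptor.DACL) {
        $key    = [string]$ace.AccessMask
        $access = '0x{0:X}' -f $ace.AccessMask      # fallback for custom masks
        if ($names.ContainsKey($key)) { $access = $names[$key] }
        $type = 'Deny'
        if ($ace.AceType -eq 0) { $type = 'Allow' }
        '{0}\{1}: {2} {3}' -f $ace.Trustee.Domain, $ace.Trustee.Name, $type, $access
    }
} else {
    Write-Warning "No security setting found for share '$shareName'."
}

# 3. Add a Modify ACE on the folder that applies to "Files only":
#    ObjectInherit + InheritOnly grants nothing on the folder itself;
#    files beneath it inherit the ACE.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'Modify', 'ObjectInherit', 'InheritOnly', 'Allow')
$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Review the resulting NTFS ACL on the folder.
(Get-Acl -Path $folder).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```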