2

I'm trying to set permissions on particular folders within our domain (Windows 2003). NTFS permissions are set on the folder, to enable a certain group, call them Helpdesk, to change permissions. Domain Admins have permission already. Access to the folder I've checked are the following: On the server, via Explorer ie. e:\Folder\Shared-Folder through network share ie. \\servername\Shared-Folder through DFS ie. \\domain\namespace\Shared-Folder

Domain admins have access to everything, can change everything

if helpdesk log into server, and go via Explorer, they can make changes. if they connect via DFS, they can see the Security Tab, but all the "add" and "remove" buttons are greyed out. I think it's because they don't have "Delegate Authority" in DFS however if they go via the network share, they same thing happens.

I checked the Share permissions and this is where is gets a bit weird. The Share permissions are set to: Everyone - Read, Write

but if I log in as an admin account, I get full control, despite the share permissions.

can anyone help me with this odd problem? do DFS permissions trump share permissions?

squillman
  • 37,883
  • 12
  • 92
  • 146
Jonathan Houston
  • 21
  • 1

4 Answers4

1

Share permissions is different / complementary to security permissions. You know that right? That the security permissions need to be set to allow access as well as the share permissions.

Probably obvious...

me1
  • 11
  • 1
1

If you log into the server then you aren't accessing it through a share. You're just hitting the NTFS security directly, share perms have no effect.

PowerApp101
  • 2,624
  • 1
  • 20
  • 28
1

You may want to try giving the Helpdesk group share permissions directly, to see if that makes a difference. Also, the Effective Permissions tool in W2k8 is useful to see the resultant set of permissions for a given security group on the folder.

tplive
  • 444
  • 2
  • 9
0

Try full control on the share permissions?

JamesR
  • 1,061
  • 5
  • 6
  • but that doesn't explain why the domain admins are able to do everything, even when they have no access according to the share permissions. Full control on the users does seem to give them access, but I'm perplexed by the share permission inconsistencies. – Jonathan Houston Sep 08 '09 at 17:01
  • Hmmm ... difficult to troubleshoot without seeing screenshots of all the file share/NTFS security settings of the shares/files. – JamesR Sep 10 '09 at 12:08
  • Except if the Everyone RW permission somehow does not apply to the Helpdesk group, then you would see something similar. Can you elaborate on the scopes of the different groups; ie Domain Local, Global, Universal? – tplive Oct 17 '09 at 08:26