I have a domain-joined server, Windows Server 2012 R2 Standard, with a folder tree that is common to multiple users. Some users have domain accounts and some have only local Windows accounts. All users use Remote Desktop to access the server and modify files. All users have access to the entire folder tree (e.g. C:\Common).
As the various users create, delete, and modify files in the common folder and its sub-folders, the file permissions drift to where some users cannot access or modify some files any longer. Files end up being owned by the various users and not including permissions for all users.
The parent folder (C:\Common) has Full Control granted to each user. To work around the issue, whenever a user complains that they cannot access a needed file, I run these two commands from an Administrator command prompt from the C:\Common folder:
    icacls * /setowner LocalCommonUsersGroup /t /c
    icacls * /T /Q /C /RESET
This resets the ownership and permissions, but it takes a long while to run (20+ minutes). The LocalCommonUsersGroup is a local group and all the relevant local and domain users are members. I have tried with various owners.
How can I set up the ownership and permissions on this folder tree so that all users can create/modify/delete files and folders, and no one gets locked out of any file or folder?
What is flexible/is an option:
- The owner. It can be a domain account, domain group, local account, or local group.
- The way the users are granted permissions. It can be each account added individually, or a local group.
What is not flexible/is not an option:
- The folder still needs to be secure, i.e. I cannot grant access to "Everyone".
Thanks in advance.
UPDATE:
Results of icacls C:\Common:
    C:\Common MYDOMAIN\domainuser1:(OI)(CI)(F)
              SERVER1\localuser1:(OI)(CI)(F)
              SERVER1\localuser2:(OI)(CI)(F)
              SERVER1\LocalCommonUsersGroup:(OI)(CI)(F)
              NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
              BUILTIN\Administrators:(I)(OI)(CI)(F)
              BUILTIN\Users:(I)(OI)(CI)(RX)
              BUILTIN\Users:(I)(CI)(AD)
              BUILTIN\Users:(I)(CI)(WD)
              SERVER1\LocalCommonUsersGroup:(I)(F)
              CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Note: domain name and usernames changed, but otherwise the exact output.
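Added example, not part of the original post: a short Python sketch that decodes the icacls output quoted above and lists which entries a file created directly in C:\Common would inherit from it. The function names `parse_icacls` and `new_file_acl` are hypothetical, and the sample text is the post's output re-typed as a constructed input.

```python
import re

# Constructed sample: the icacls output quoted in the post above.
SAMPLE = r"""C:\Common MYDOMAIN\domainuser1:(OI)(CI)(F)
          SERVER1\localuser1:(OI)(CI)(F)
          SERVER1\localuser2:(OI)(CI)(F)
          SERVER1\LocalCommonUsersGroup:(OI)(CI)(F)
          NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
          BUILTIN\Administrators:(I)(OI)(CI)(F)
          BUILTIN\Users:(I)(OI)(CI)(RX)
          BUILTIN\Users:(I)(CI)(AD)
          BUILTIN\Users:(I)(CI)(WD)
          SERVER1\LocalCommonUsersGroup:(I)(F)
          CREATOR OWNER:(I)(OI)(CI)(IO)(F)
"""

# icacls inheritance markers: (I) inherited from parent, (OI) files inherit,
# (CI) subfolders inherit, (IO) inherit only, (NP) do not propagate further.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Z,]+\))+)$")

def parse_icacls(text, path):
    """Parse icacls output for one path into a list of ACE dicts."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(path):          # first line carries the path prefix
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                       # skip status lines and blanks
        tokens = re.findall(r"\(([A-Z,]+)\)", m["flags"])
        aces.append({
            "who": m["who"],
            "flags": {t for t in tokens if t in INHERIT_FLAGS},
            "rights": ",".join(t for t in tokens if t not in INHERIT_FLAGS),
        })
    return aces

def new_file_acl(aces, creator):
    """Entries a file created directly in the folder inherits (needs OI)."""
    acl = []
    for ace in aces:
        if "OI" not in ace["flags"]:
            continue                       # folder-only or subfolder-only ACE
        # CREATOR OWNER is replaced by the creating account on the new file.
        who = creator if ace["who"] == "CREATOR OWNER" else ace["who"]
        acl.append((who, ace["rights"]))
    return acl
```

Comparing this list with the icacls output of a file that a user is locked out of shows whether that file still carries the entries inherited from C:\Common.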