Long ago, I learned that setting permissions on Shared Folders in Windows is a bad idea. The issue isn’t in restricting access to data, but in the way Windows handles the permissions.
I work in an Active Directory environment, with thousands of accounts in my region alone. We also rely heavily on file servers. When I first set up our file server years ago, I set all of the permissions on the share rather than on the individual files and folders.
Here’s why that’s a bad idea: When you have to move the shared folder to another drive, RAID array, or even server, you have to redo all of the permissions on the share because they don’t get copied with the folder. If you instead set NTFS permissions on the shared folder itself and any subfolders/files, when you copy them to a new drive, those NTFS file permissions follow the data to the new location.
Here’s how I configure my file shares now. First, I create the folder I want to share. Then, right-click the folder and choose Properties. Click the Sharing tab, select “Share this folder” and give the share a name. Now, click Permissions and check off Full Control, so everyone connecting to the share has full control. Click OK. These steps are illustrated below.

Now, click on the Security tab. Here’s where you’ll set the permissions of the actual folder. First, click the Advanced button and uncheck the box labeled “Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here.” You will be presented with a box asking if you’d like to copy the permissions, remove them, or cancel. Choose Copy, then click OK.
I want everyone to be able to access the root of this folder and the files inside it, so I’m going to click on Everyone in the top pane and ensure “Full Control” is checked. Click OK to save your changes. Now open up your shared folder and move any data you want into it. I have two folders in mine, called Subfolder 1 and Subfolder 2.
I want to restrict access to Subfolder 1 to myself and Administrators of the server only, so I will right-click the folder and choose Properties. In the Security tab, select Everyone in the top pane and click Remove. You can leave “CREATOR OWNER”, “SYSTEM”, and “Administrators” there. Now, I will add my user account and assign Full Control to myself. See below, but note I have obscured my Active Directory Domain name and the server name.

Click OK on the window here and your permissions change will be saved. I will leave Subfolder 2 with Full Control for Everyone. Now, any users that connect to the share that aren’t Administrators of the server will receive an “Access is Denied” message if they attempt to open Subfolder 1.
You can also restrict access to the whole share by assigning any permissions you want in the Security tab of the main shared folder, removing the entry for “Everyone”. This way, anyone attempting to connect to the share will be able to “Map a drive” to the share, but will receive an “Access is Denied” message whenever attempting to open it.
Using the methods above, you can safely move the shared folder to any other NTFS formatted volume on the server or even another server without worrying about having to recreate all of your permissions when you’ve moved it. All you have to do once it’s moved is share the folder again and assign Full Control to Everyone.
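The same configuration scripted in PowerShell, as an added example that is not part of the original post. The paths, share name and account are placeholder assumptions; it uses the built-in `New-SmbShare` cmdlet (Windows 8 / Server 2012 and later) with `icacls` and `robocopy`, and must be run from an elevated prompt.

```powershell
# Placeholder values (assumptions for this example); substitute your own.
$Path  = 'D:\Shares\Data'      # folder to share
$Share = 'Data'                # share name
$User  = 'EXAMPLE\jdoe'        # account that keeps access to Subfolder 1
$Sub1  = Join-Path $Path 'Subfolder 1'
$Sub2  = Join-Path $Path 'Subfolder 2'

# Create the folder tree described in the post.
New-Item -ItemType Directory -Path $Path, $Sub1, $Sub2 -Force | Out-Null

# Share level: Everyone gets Full Control, so the NTFS ACLs are the only gate.
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Path -FullAccess 'Everyone' | Out-Null
}

# Share root: stop inheriting from the parent but keep a copy of the
# inherited entries (the "Copy" choice in the dialog), then grant
# Everyone Full Control on this folder, its subfolders and files.
icacls $Path /inheritance:d
icacls $Path /grant 'Everyone:(OI)(CI)F'

# Subfolder 1: the Everyone entry is inherited from the share root, so
# convert inherited entries to explicit ones before removing it.
# CREATOR OWNER, SYSTEM and Administrators are left in place.
icacls $Sub1 /inheritance:d
icacls $Sub1 /remove 'Everyone'
icacls $Sub1 /grant "${User}:(OI)(CI)F"

# Review the result: share permissions, then the NTFS ACL on Subfolder 1.
Get-SmbShareAccess -Name $Share
icacls $Sub1

# Moving the share later: /SEC copies the NTFS ACLs together with the data,
# after which only the share itself has to be recreated at the new location.
$NewPath = 'E:\Shares\Data'    # hypothetical destination
robocopy $Path $NewPath /E /SEC
Remove-SmbShare -Name $Share -Force
New-SmbShare -Name $Share -Path $NewPath -FullAccess 'Everyone' | Out-Null
```

The final `icacls` listing should show no `Everyone` entry on Subfolder 1; if one remains, the folder is still inheriting from the share root.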