This post is more than 5 years old
60 Posts
0
16843
How to set CIFS share permissions.
Need help to setup share permissions in a CIFS share. we did the following...
from MMC permissions are set for the CIFS share named 'moldata'
1.In share permission - everyone - change ,read
2.In share security- Evryone -full control.
we have many subfolders under moldata.each subfolder is for different users/groups.Permissions are set for these folders as requested by the users.
Our problem is each user is able to rename other folder under 'moldata' but they can't see the contents or not even able to delete.Could any one help me
how we can stop even changing/modifying the other folders which they don't have access.
Any Help???
Thanks
dynamox
1 Rookie
1 Rookie
•
20.4K Posts
0
February 25th, 2013 10:00
you gave everyone full control at the root of the share, if those permissions are inherited by subfolders then everyone can do anything they want.
dynamox
1 Rookie
1 Rookie
•
20.4K Posts
0
February 25th, 2013 10:00
so you are saying that anybody who is not one of those two users or Domain admin can rename that directory ?
Rainer_EMC
8.6K Posts
0
February 25th, 2013 10:00
Hi,
dont confuse share permissions with folder permissions – they are two separate independent things.
See http://technet.microsoft.com/en-us/library/cc783530(v=ws.10).aspx
My recommendation:
- don’t use share permissions or only in a general way if you want to deny specific permissions for a complete share
- before putting data on the systems create a suitable inherited default permission – like allow full control for the creater/owner and deny access or write for others
- best to do this on a sub-directory like a treequota and not directly at the root of the file system.
Rainer
Raju_auh
60 Posts
0
February 25th, 2013 10:00
Thanks Dynamox,in CIFS share security- Evryone -full control.None of the subfolders are inhering permissions from the parent folder.Please have a look at the attached file.Still we wonder how the users are able to change other folders!!
Raju_auh
60 Posts
0
February 25th, 2013 10:00
yes, we noticed it after getting complaints from few users.
dynamox
1 Rookie
1 Rookie
•
20.4K Posts
0
February 25th, 2013 11:00
who is the owner of those subdirectories ?
Rainer_EMC
8.6K Posts
1
February 25th, 2013 11:00
I would first fix the folder ACL’s to do what you want before removing share permissions.
They are both evaluated – so it doesn’t hurt if you allow Everyone full control in the share permission and restrict it in the folder permissions
If you want to try without causing impact to production users – replicate the file system and use the replica as a test.
Or a writable checkpoint or a simulator
Rainer
Raju_auh
60 Posts
0
February 25th, 2013 11:00
Thanks Rainer,is there a way to solve our current issue? if i remove everyone full control from root(moldomain)- mmc cifs security, will it affect any subfolder access rights?
Raju_auh
60 Posts
0
February 25th, 2013 11:00
we ,domain admins are the owner of the subdirs.
dynamox
1 Rookie
1 Rookie
•
20.4K Posts
0
February 25th, 2013 11:00
you don't have "everyone" or "authenticated users" part of Domain Admins group ?
Raju_auh
60 Posts
0
February 25th, 2013 20:00
we have authenticated users part of domain admins. Theses folders can be accessed by domain admins and authenticated users.
dynamox
1 Rookie
1 Rookie
•
20.4K Posts
0
February 25th, 2013 21:00
There is your answer.. if authenticated users are part of domain admin group then they can do anything they want. Authenticated users shouldn't be members of domain admin groups
Rainer_EMC
8.6K Posts
1
February 26th, 2013 04:00
Wow – why bother with ACLs at all if everyone is domain admin ?
Raju_auh
60 Posts
0
February 26th, 2013 05:00
Rainer I didn't say that everyone is in admin group.
Raju_auh
60 Posts
0
February 26th, 2013 05:00
The problem is solved by removing everyone from security.Thanks for the support.