Unsolved
October 6th, 2016 05:00
Owner cannot modify permissions through SMB
Hello,
We wish to allow users to share content with other users by enabling them to change permissions on their home directories and on files they own. At the same time, on more sensitive shares, we would like to prevent users from changing permissions on files they own.
Is this even possible? The issue we are currently facing is that even though the users are owners of their files and folders, they receive an 'access is denied' error while attempting to change permissions.
Our goal is to reduce help desk calls, by enabling users to allow other users to access their files, without compromising security in shares and locations that are more sensitive.
Our cluster is configured in a 'balanced' environment, and users access their content mainly by SMB.
Thanks for the help.


sluetze
October 6th, 2016 23:00
I would not do that.
What you are looking for is an EFSS (Enterprise File Share & Sync), which will make it simple to share files in self-service.
As you currently recognize, ACLs are not easy to maintain. If you want to share a single file, you also have to allow the path above it to be accessible to the other user... this will result in a chaotic rights structure where no one knows why something works or why not.
The problem with the "Access denied" could result from share permission limitations - to modify rights they have to have Full access in the share permissions (if I remember correctly).
But you won't reduce the helpdesk calls. You will increase them.
gkman_cec29f
October 9th, 2016 01:00
Fair point.
What if we choose instead to allow the help desk, or other designated users who know what they're doing, to modify permissions?
As for the 'access denied', all of our shares have full access to everyone, so we can manage access with NTFS permissions only. Full permissions (in NTFS) and ownership (NTFS/POSIX) are supposed to enable users to modify permissions whether we like it or not (correct me if I am wrong). As I view it, the trouble we are supposed to run into is in denying users from modifying permissions, and not breaking our heads in enabling them to do so.
Again, thanks for the help.
sluetze
October 9th, 2016 23:00
There are ways to block the user:
1) Via GPO you can just disable the "Security" tab in Explorer (right-click --> Properties won't show it anymore), which raises the "skill limit" needed to modify the security properties enormously. (Depends on your environment. If all your users are IT guys this won't help you a lot.)
2) You could (you will kill me) set the share settings for authenticated users to Read/Write and for admins/helpdesk to Full; this should block the "WRITE_DAC" calls from "users".
3) There is (I could not find it) a possibility to withdraw WRITE_DAC from owners (https://technet.microsoft.com/en-us/library/cc961992.aspx).
For me there is a classical concept of file services: one folder for personal data which are personal and not to be shared (homedrive) and one (or more) folder(s) for sharing / collaboration ("Groupfolder"). If someone needs a new groupfolder to share data with colleagues, then he gets it. As long as the user is able to get new groupfolders and to modify the participants (NOT the ACL) he should have all he needs.
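An added example, not part of the thread: a simplified model of how options 2 and 3 above decide whether an owner ends up with WRITE_DAC over SMB, so each option's effect can be compared side by side. It assumes standard Windows access-check semantics (share mask caps the file-level result; an OWNER RIGHTS ACE replaces the owner's implicit grant), which a OneFS cluster may not follow exactly; the SIDs and ACLs are constructed.

```python
# Added illustration: simplified Windows-style access check (not OneFS code).
# Assumption: ignores inheritance, privileges and generic-rights mapping.
READ_CONTROL, WRITE_DAC = 0x00020000, 0x00040000
SHARE_CHANGE, SHARE_FULL = 0x001301BF, 0x001F01FF  # standard share-level masks
MODIFY = 0x001301BF           # NTFS "Modify": no WRITE_DAC, no WRITE_OWNER
OWNER_RIGHTS = "S-1-3-4"      # well-known OWNER RIGHTS SID

def file_level_mask(token_sids, owner_sid, dacl):
    """dacl: ordered list of (ace_type, sid, mask); ace_type is 'allow' or 'deny'."""
    is_owner = owner_sid in token_sids
    has_owner_rights_ace = any(sid == OWNER_RIGHTS for _, sid, _ in dacl)
    granted = denied = 0
    # The owner implicitly gets READ_CONTROL | WRITE_DAC, unless the DACL
    # carries an OWNER RIGHTS ACE, which replaces that implicit grant.
    if is_owner and not has_owner_rights_ace:
        granted = READ_CONTROL | WRITE_DAC
    for ace_type, sid, mask in dacl:
        if not (sid in token_sids or (is_owner and sid == OWNER_RIGHTS)):
            continue
        if ace_type == "deny":
            denied |= mask & ~granted   # bits already granted are not revoked
        else:
            granted |= mask & ~denied   # bits already denied stay denied
    return granted

def can_change_permissions(share_mask, token_sids, owner_sid, dacl):
    """Over SMB the share mask caps whatever the file-level check grants."""
    file_mask = file_level_mask(token_sids, owner_sid, dacl)
    return bool(share_mask & file_mask & WRITE_DAC)

# Constructed sample data: these SIDs and ACLs are made up for the example.
ALICE, BOB = "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-1002"
HOME_DACL = [("allow", ALICE, MODIFY), ("allow", BOB, MODIFY)]
SENSITIVE_DACL = [("allow", OWNER_RIGHTS, MODIFY), ("allow", ALICE, MODIFY)]

def scenarios():
    """Alice owns the file in every case; Bob only has Modify."""
    check = can_change_permissions
    return {
        "owner, share Full": check(SHARE_FULL, {ALICE}, ALICE, HOME_DACL),
        "owner, share Change": check(SHARE_CHANGE, {ALICE}, ALICE, HOME_DACL),
        "non-owner, share Full": check(SHARE_FULL, {BOB}, ALICE, HOME_DACL),
        "owner, OWNER RIGHTS ACE": check(SHARE_FULL, {ALICE}, ALICE, SENSITIVE_DACL),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:25} WRITE_DAC {'granted' if ok else 'denied'}")
```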
gkman_cec29f
October 12th, 2016 23:00
Thanks for the extensive reply.
However, even with full permission (share+NTFS) and ownership, users still don't have the ability to modify permissions, and this is my main obstacle at the moment.
(After resolving this issue, I am sure to use some of your recommendations.)