Access Control List (ACL) settings on a network share


  • Access Control List (ACL) settings on a network share

    Regarding SBS 2011 Access Control List (ACL) settings on a network share...

    Can anyone offer advice on the 'best-practice' or specific combinations of access control entry (ACE) to specifically prohibit drag and drop on a network shared folder?

    I have managed to stop everything else using icacls.exe, but I'm at my wits' end with the drag and drop test.

  • #2
    Re: Access Control List (ACL) settings on a network share

    What is the point of sharing it if you cannot drag and drop?
    Can you explain in detail what you are trying to do? Stop users writing to a folder? Or just to stop them dragging folders to the wrong place?
    TIA

    Steven Teiger [SBS-MVP(2003-2009)]
    http://www.wintra.co.il/
    I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

    We don't stop playing because we grow old, we grow old because we stop playing.



    • #3
      Re: Access Control List (ACL) settings on a network share

      Hi Steve,

      I'd like to stop users from dragging folders to the wrong place.

      Below is more of a description on the details of this issue (that I'm stuck on)...

      In our 'production type office', we have a folder called 'Projects' that is shared. The next set of folders is project numbers or for example '100-1', '100-2', '100-3' and so on...

      Problem: Regarding SBS 2011 shared folders, many times users pick so fast, they don't know what they are doing, and they accidentally move the 100-1 folder into the 100-2 folder.

      On the server, we get this...

      c:\proj\100-1\{many files}
      c:\proj\100-3\100-2 {many files}
      c:\proj\100-4\{many files}

      This is where someone accidentally dragged the 100-2 project folder into the 100-3 project folder. And then the users can't find the 100-2 project.

      With icacls.exe and everything else at hand, how can I make this path up to the xxx folder read-only, and drag-proof to the users?

      c:\proj\XXX\{many files}

      And, at the {many files} level of files and folders, the users need read+write access to work on projects.

      I have tried to approach this problem from many different angles... things appear to work until the final test... drag a folder... and the ACL restrictions seem to FALL APART!!!

      I have thoroughly tried the settings on just one folder (Projects). Is this an issue where I need to go to the acl settings on each of the next level of folders? There are hundreds of project numbers... and that would be a lot of work.

      And now I'm starting to question the 'granular' control of remote accessible file control that this new OS is supposed to have... maybe I'm doing things the wrong way?

      Generally, it appears that user rights propagate through the share, regardless of any deny settings that I have set.

      Are there some kind of new rules for ACE and ACL on SBS 2011 access control, both local and remote, that I am missing?

      Any help would be greatly appreciated!!!

      Thanks!



      • #4
        Re: Access Control List (ACL) settings on a network share

        First rule that I have: avoid "deny" at all costs. It is a joker and trumps all other ACLs.
        Secondly, you have to give read/write on the share or none of the users can do anything.
        Thirdly, I would have thought that setting the \proj folder with read and traverse rights only for THIS FOLDER ONLY would achieve what you desire.
        TIA

        Steven Teiger [SBS-MVP(2003-2009)]
        http://www.wintra.co.il/


        • #5
          Re: Access Control List (ACL) settings on a network share

          Hi Steve,

          I used your rules 1,2 & 3, and then tested. Everything checked fine, but you could still drag a folder.

          From there, I added one more entry... to "deny" "delete" on "Subfolders" and checked the "Apply settings to this folder only", and that stopped the drag and drop (on the subfolders in this folder only.)

          Additionally, in SBS 2011, the Users security group included some of the Administrators, and things worked fine testing on the users side, but did not pass for the Administrators, and at first I thought this was an issue with propagation. To get past this new issue, I did not use Users (out of the box), nor Authenticated Users, but defined my own security groups that are implicit to our office. Now, all the members are really Users only.

          Further, to keep from having to repeat things over and over, I used Icacls.exe and PowerShell to standardize all the ACL settings required to create, monitor and even review the files and folders in the shares. If you don't script it, you will need to repeat it over and over.

          Now I'm starting to feel safe with this OS... I can recreate almost the whole share structure by my own script, and I can monitor for files in the shares that have different settings than their parents.

          Watch out for the SBS out-of-the-box wizards and default settings. I'm not saying to not use them, they are great new tools that give you baseline settings to start with.

          Thanks Steve for your help!
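
The layout that post #5 describes (read and traverse on the root for this folder only, Modify below it, and a Deny Delete that reaches only the direct subfolders), together with the check for items whose ACL differs from the parent, sketched as an added example. It is not the poster's own script: the group name `EXAMPLE\ProjectStaff` and both function names are assumptions, and it expects PowerShell 3.0 or later.

```powershell
# Added example, not the poster's script.
$Root  = 'C:\proj'                 # project root used in the thread
$Group = 'EXAMPLE\ProjectStaff'    # hypothetical custom group; replace before running

function Set-ProjectRootAcl {
    param([string]$Path, [string]$Identity)
    # Known starting state: drop inherited entries, keep admin and SYSTEM access.
    icacls $Path /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)(F)' 'NT AUTHORITY\SYSTEM:(OI)(CI)(F)'
    # Root itself: read and traverse only (no inheritance flags = this folder only).
    # No Delete Child right here, so the parent cannot authorise removing a subfolder.
    icacls $Path /grant "${Identity}:(RX)"
    # Everything below the root: Modify, so project contents stay read+write.
    icacls $Path /grant "${Identity}:(OI)(CI)(IO)(M)"
    # Direct subfolders only (CI + IO + NP): deny Delete. A move or rename needs
    # Delete on the source folder, so 100-1, 100-2, ... can no longer be dragged.
    # The deny hits every member of $Identity, so keep administrators out of it.
    icacls $Path /deny "${Identity}:(CI)(IO)(NP)(DE)"
}

function Find-AclDrift {
    param([string]$Path)
    # Every item under the root should carry inherited entries only. Report any
    # item with explicit entries or with inheritance switched off.
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $item     = $_
        $acl      = Get-Acl -LiteralPath $item.FullName
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
            [pscustomobject]@{
                Path               = $item.FullName
                InheritanceBlocked = $acl.AreAccessRulesProtected
                ExplicitEntries    = ($explicit | ForEach-Object {
                    '{0} {1} {2}' -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights
                }) -join '; '
            }
        }
    }
}

Set-ProjectRootAcl -Path $Root -Identity $Group
icacls $Root                                   # review the resulting entries
Find-AclDrift -Path $Root | Format-List
```

An empty result from `Find-AclDrift` means every file and folder under the root still inherits from it; any row is an item whose permissions were changed by hand or by a wizard.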
