Announcement

Collapse
No announcement yet.

Server 2008 and folder permissions.

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Server 2008 and folder permissions.

    Hi,
    I've several questions and I'll apologise in advance if they are obvious.
    I'm intending to install this on a new server and I'd like to have some things sorted out in my head before I do.

    Folder permissions.
    Does 2008 get smarter with permissions and users? Can users see folders that they have no rights too? I'd like to just use one drive for data but I don't want users to keep being hit with "you don't have permission to access this folder" messages.

    Software deployment.
    Can local machines belong to more than one OU? I sometimes want a specific type of machine to have software but not others within a GPO. At the moment I shuffle machines from one OU to another depending on what I want them to get. WSUS allows machines to exist in other groups and I'm hoping 2008 has this as well.

    XP pro
    Does 2008 play nicely with xp pro? Does 2008 allow WDS for XP pro?

    2003 Scripts for 2008
    I've got some scripts I quite like, one of which I use to add multiplke users to specific OU's. Will these scripts still work?

    Well, thats my most pressing questions that are annoying me.
    If you've read this far, thanks for your time
    Matt

  • #2
    Re: Server 2008 and folder permissions.

    I'll answer the ones I know about, inidicating clearly where I'm not sure...
    Originally posted by mattgnik View Post
    Folder permissions.
    Does 2008 get smarter with permissions and users? Can users see folders that they have no rights too? I'd like to just use one drive for data but I don't want users to keep being hit with "you don't have permission to access this folder" messages.
    You're right, users only see the folders they have permissions on. So if you have a "Users" shared foilder and underneath that you have many users' folders, and if each user has exculsive access to his folder, then any user will only be able to see thier own. They will not see other users' folders and so they can't even click on them to get "Access Denied".

    Originally posted by mattgnik View Post
    Software deployment.
    Can local machines belong to more than one OU? I sometimes want a specific type of machine to have software but not others within a GPO. At the moment I shuffle machines from one OU to another depending on what I want them to get. WSUS allows machines to exist in other groups and I'm hoping 2008 has this as well.
    I don't think they can be in more than one OU. Does anyone else know any better? However, rather than shuffling them, can you filter the GPO as appropriate or give us more detail on the scenario where a machine "changes it's needs" so that perhaps a better model can be suggested. i.e. why does a computer change it's software requirements from one day to the next?

    Originally posted by mattgnik View Post
    XP pro
    Does 2008 play nicely with xp pro? Does 2008 allow WDS for XP pro?
    XP Pro plays very nicely with 2k8 and I think you can use WDS but I have never tried it.

    Originally posted by mattgnik View Post
    2003 Scripts for 2008
    I've got some scripts I quite like, one of which I use to add multiplke users to specific OU's. Will these scripts still work?
    Yes I think they will but it may depend on what the script does - does it use LDIFDE or CSVDE or something like that?
    Best wishes,
    PaulH.
    MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

    Comment


    • #3
      Re: Server 2008 and folder permissions.

      can you filter the GPO as appropriate or give us more detail on the scenario where a machine "changes it's needs" so that perhaps a better model can be suggested. i.e. why does a computer change it's software requirements from one day to the next?

      The worksite is a school with Smartboards.
      The computers that I have to shuffle have specific software assigned to them to work with the smartboards. However, they are also part of a classroom and need a script to run to sort out the printer.
      Thats why sometimes they are in one group, sometimes in another.

      By the way, thanks for your answers so far.

      Comment


      • #4
        Re: Server 2008 and folder permissions.

        OK, so you could have them work with smartboards AND printers.

        Or if you really want to change them as they move, can the users who logon be part of a security group - the group determines their "requirements".

        Then, filter the GPO by security group.

        Depending on which group logs onto the computer, they'll get a different GPO.
        Best wishes,
        PaulH.
        MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

        Comment


        • #5
          Re: Server 2008 and folder permissions.

          I'll answer the ones I know about, inidicating clearly where I'm not sure...

          You're right, users only see the folders they have permissions on. So if you have a "Users" shared foilder and underneath that you have many users' folders, and if each user has exculsive access to his folder, then any user will only be able to see thier own. They will not see other users' folders and so they can't even click on them to get "Access Denied".
          Not by default, you need to enable ABE on each share. ABE has been around since Server 2003.

          Comment


          • #6
            Re: Server 2008 and folder permissions.

            I have just installed a Server 2008 and I didn't deviate from default in particular but folders underneath shared folders were invisible (if the user didn't have permissions on them).

            So I am puzzled when you say "Not by default" - are you referring to shared folders and their visibility or to folders within shares and their visibility?

            (edit: Oh by the way, for people interested in ABE here is a useful link: http://www.cyberciti.biz/tips/hiding...-2003-sp1.html
            Last edited by PaulH; 14th August 2008, 12:30.
            Best wishes,
            PaulH.
            MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

            Comment


            • #7
              Re: Server 2008 and folder permissions.

              Originally posted by PaulH View Post
              I have just installed a Server 2008 and I didn't deviate from default in particular but folders underneath shared folders were invisible (if the user didn't have permissions on them).

              So I am puzzled when you say "Not by default" - are you referring to shared folders and their visibility or to folders within shares and their visibility?

              (edit: Oh by the way, for people interested in ABE here is a useful link: http://www.cyberciti.biz/tips/hiding...-2003-sp1.html
              Well that's interesting because when you create a Share under 2008 the "Enable access-based enumeration" check box is unselected by default.

              Comment


              • #8
                Re: Server 2008 and folder permissions.

                Access Based Enumeration (ABE):

                Thank you Meekrobe for that observation and it made me look into ABE on Server 2008 a bit more also to help mattgnik. So it's OK I got it now.

                Here's what I found on Server 2008:

                (Method 1) If you go to Server manager > Roles > File Services > Share & Storage Management then you click on Provision Share you are taken through a detailed wizard which says ABE is Disabled and you can click Advanced to enable ABE.

                (Method 2) If you run MMC and add the Shared Folders snap in, you can create a share in a simpler wizard and that also disables ABE by default.

                BUT !

                (Method 3) If you browse to a folder using Explorer, right click it and select Share... then you are asked to add which users have access to the share and then if you complete that wizard, and then check the new share's properties in the Roles > File Services, you will see that ABE is in fact enabled !!!

                So, Meekrobe, you are absolutely right and by doing it the third way, I managed to enable ABE without doing anything other than the default, and it seems that there is a way you can enable ABE without deviating from the default is only method (3).

                I do hope mattgnik does not think I have hijacked his thread - this is simply interesting additional detail to his question about folders being visible if users have not got permissions on them. It also clears up the puzzlement of Meekrobe's and mine.

                (By the way, to get ABE working on Server 2003 you need SP1 and this link on how to download the extension: http://technet.microsoft.com/en-us/l.../cc784710.aspx )
                Last edited by PaulH; 14th August 2008, 22:37. Reason: spelling
                Best wishes,
                PaulH.
                MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

                Comment

                Working...
                X