File Server Permissions Nightmare - Help!


  • File Server Permissions Nightmare - Help!

    Hi all,

    First of all, let me just say that I'm by no means an expert on permissions and setting up file serving. Been a loooooong time. That being said, I'm a department of one so it all falls on me.

    I work at a school and have been told by administration how they want our shared file structure to look. I fought it and lost... I had a setup where each user had their own "home" drive, and it worked beautifully, but they don't want it and are forcing me to change to the following structure:

    Teachers
    • K1
      • Curriculum
      • Teacher 1
      • Teacher 2
      • Teacher 3
    • K2
      • Curriculum
      • Teacher 1
      • Teacher 2
      • Teacher 3
    • Grade 1
      • Curriculum
      • Teacher 1
      • Teacher 2
      • Teacher 3
    • Grade 2
      • Curriculum
      • Teacher 1
      • Teacher 2
      • Teacher 3
    • Grade 3
      • Curriculum
      • Teacher 1
      • Teacher 2
      • Teacher 3
    • Grade 4
      • Curriculum
      • Teacher 1
      • Teacher 2
      • Teacher 3
    • Grade 5
      • Curriculum
      • Teacher 1
      • Teacher 2
      • Teacher 3
    • Grade 6
      • Curriculum
      • Teacher 1
      • Teacher 2
      • Teacher 3
    • Grade 7
      • Curriculum
      • Teacher 1
      • Teacher 2
      • Teacher 3
    • Grade 8
      • Curriculum
      • Teacher 1
      • Teacher 2
      • Teacher 3

So in a nutshell, what they want is for every teacher to be mapped to the root TEACHERS folder. We'll call it the "T Drive". OK, that's easy enough...

Now, here's where it gets annoying, and what I'd like is advice on the easiest way to accomplish setting the permissions they want.

They want all the teachers to have READ ONLY access to the Teachers folder. But let's take grade 1 teachers for example... There are 3 of them (as you can see). They want each teacher to have FULL rights to their individual folder inside Grade 1. But they want all other teachers at any grade level to have READ ONLY access to any other teacher's folder. And they want everyone to have FULL rights to the "Curriculum" folders at each grade level.

Make sense? Hell, even I'm confused. Here's an example: Let's take Teacher 1 from Grade 1.
  1. She should have READ ONLY rights to "Teachers" (the top level folder).
  2. She should have FULL RIGHTS to the Teacher 1 and Curriculum folders inside the Grade 1 folder, but READ ONLY access to the Teacher 2 and Teacher 3 folders.
  3. She should have READ ONLY access to all the contents of the Grade 2 folder, except the Curriculum folder in there, to which she should have FULL RIGHTS. Same for Grade 3, Grade 4, Grade 5, and so on...

Does that clarify? I hope so. So, knowing all this, what is the best way to apply these permissions? My head is swimming trying to figure this out.

I'd appreciate any help and advice! Thanks!

Chris

  • #2
    Re: File Server Permissions Nightmare - Help!

    Agreed, it looks pretty but is difficult to manage
    Let's split it into two parts: shared folders first

    OK, start off with creating a group structure:
    Global groups for your teachers (Grade1, Grade2 etc)
    DL groups for your permissions (G1CurrRead, G1CurrWrite etc)

    Set a default permission of "Read" at the top of the tree and inherit it downwards. Give yourself full control at the same time
    For each curriculum folder, give GxCurrWrite modify permission (where x is the grade)

    Test that teachers have correct permissions within that.

    For the teacher folders, just add each teacher to their own folder with modify permission -- I know it breaks group membership rules, but seems to be the only way.

    Test again

    Note I have specified modify and not full control otherwise some iD10T will change things.
    Last edited by Ossian; 26th September 2010, 08:48.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: File Server Permissions Nightmare - Help!

      OK, I'll start with that tomorrow...

      I've built this structure on the desktop of the server. If I set all the permissions and then move the whole thing to its final resting place in the file system, will the shares & permissions stay in place?

      Thanks!

      Chris



      • #4
        Re: File Server Permissions Nightmare - Help!

        If it is in the same volume, yes
        (Move, Same, Retain, otherwise Inherit)

        You can use e.g. XCOPY and keep permissions


        • #5
          Re: File Server Permissions Nightmare - Help!

          NOT on the same volume. Currently on my desktop as domain admin (C drive). Going onto my "E" drive (an external array). Should I move it before setting shares and permissions then?

          Thanks!

          Chris

          PS. I'm afraid I don't know what this means...
          (Move, Same, Retain, otherwise Inherit)
          Enlighten me, please?



          • #6
            Re: File Server Permissions Nightmare - Help!

            Hi again,

            OK, this is causing me some serious headaches! Erf... Well, I did what you suggested, and I cannot get it to work. I think it might be inheritance issues... Would it make sense for me to post screenshots of my permissions at the different levels? You can probably spot what I'm doing wrong more easily than if I try to explain it.

            OR...

            Right now, all these users are listed in a folder called "Users", and they are mapped to their own individual folders. Would it make more sense to simply move them all to "Teachers" eliminate the "grade" level folders, assign RO rights to Teachers folder, and then set individual permissions (RO for teachers group and Modify for individuals) to each folder? I'd have to sell that to the powers-that-be, though...

            Chris



            • #7
              Re: File Server Permissions Nightmare - Help!

              Yes, go ahead
              btw, "Move, Same, Retain" is the mnemonic for permissions
              If you MOVE files on the SAME volume they RETAIN existing permissions. Under all other circumstances, they INHERIT permissions from their new parent


              • #8
                Re: File Server Permissions Nightmare - Help!

                Hi again.

                First of all, I apologize for how slow I am responding to all this. I'm a department of one and spent all over the place... THANK YOU for your patience, Tom.

                Now, before I post screenshots (which will take me a while to generate), here's a thought... I actually have a "Teachers" group that contains ALL the teachers' usernames. That might be screwing everything up...

                Can you explain to me, and please feel free to do so as if I were a 5 year-old (you won't offend me), what the permissions structure would look like at each level if I were to remove the teachers group I currently have?

                Would I set RO at the top of the tree to each new group I create (grade1, grade2, etc)? And what is checked off for inheritance?

                I'm sorry... If it would be easier on you to just see the screenshots, let me know and I'll just take the time to do that.

                Again, thanks for all your patience and help!

                Chris



                • #9
                  Re: File Server Permissions Nightmare - Help!

                  Post the shots!
                  Also have a look at effective permissions


                  • #10
                    Re: File Server Permissions Nightmare - Help!

                    Hi Tom,

                    OK, I'm starting to work on the screenshots. Hopefully, I can get 'em all to you this weekend at the latest...

                    In the meantime, they've (school heads) made some changes to how they want this. Jesus Christ, this is annoying. The screenshots I'm creating are for K1 and K2 (might as well start small to test), so I thought I'd offer this for your perusal:

                    - Teachers - NO ONE has rights to add to or modify this folder in any way. Exception: A few individual users...
                    -- K1 - NO ONE can edit or add something to this folder in any way.
                    --- Curriculum - RWX for K1 Teachers, RO for everyone else.
                    --- ctaylor - RWX for ctaylor, RO for everyone else.
                    --- ecrescenzo - RWX for ecrescenzo, RO for everyone else.
                    --- kcolon - RWX for kcolon, RO for everyone else.
                    --- moneill - RWX for moneill, RO for everyone else.


                    -- K2 - NO ONE can edit or add something to this folder in any way.
                    --- Curriculum - RWX for K1 Teachers, RO for everyone else.
                    --- lboutin - RWX for lboutin, RO for everyone else.
                    --- smurray - RWX for smurray, RO for everyone else.
                    --- xtaveras - RWX for xtaveras, RO for everyone else.


                    While you wait for my screenshots, does this make life easier or harder?? God, my head is spinning...

                    THANKS!

                    Chris

                    PS. I did make a little headway. I can now at least get IN to the folders as a member of a group. LOL!



                    • #11
                      Re: File Server Permissions Nightmare - Help!

                      OK
                      Teachers folder:
                      Copy default permissions and remove inheritance, then modify as below:
                      Domain Admins -- FC -- sorry, but someone has to have overall permissions
                      System -- FC (default)
                      Creator Owner -- default
                      All Teachers group -- RO
                      Some Teachers group -- Modify (the "few individual users")

                      K1 Folder:
                      Copy permissions from Teachers and remove permissions inheritance, then modify:
                      Leave DAs and System as FC -- you have to trust your admins
                      Leave creator owner
                      All Teachers -- RO

                      K1 Curriculum:
                      Inherit permissions from K1 folder
                      K1 Teachers -- RWX

                      Teacher folders: as K1 curriculum but add individual teacher as RWX instead of K1 Teachers
                      (Note that I would recommend a group, allowing further teachers to be added later if the MGMT want it, but this is more work)

                      Does this help?
                      Last edited by Ossian; 2nd October 2010, 07:50.


                      • #12
                        Re: File Server Permissions Nightmare - Help!

                        Good morning (probably afternoon for you by now)!

                        I will try all that when I remote into work today. I can set it all, but can't test. I do have to go in for a few hours tomorrow morning (Sunday) and can test it all then to get back to you.

                        Thanks a million!

                        Chris



                        • #13
                          Re: File Server Permissions Nightmare - Help!

                          Hi again, Tom...

                          OK, we're gettin' there! I am at work right now and am testing the permissions I set based on your recommendation. Seems to be about 90% functional... Since all the permissions changed based on the new criteria, I basically started over from scratch.

                          At this point, the only thing that doesn't seem to be working is the Modify access to a user's individual folder... User "test", who is a member of the K1 Teachers group, can get into everything, but cannot modify Teachers --> K1 --> Test

                          Nevertheless, I think I've made a mess of this... I got "Special" permissions all over the place...

                          Since taking screenshots will take forever (since I started over), lemme see if I can type out what I have for folder permissions.

                          Teachers:
                          Properties --> Sharing --> Share Button
                          Administrators - Owner
                          Domain Admins - Read/Write
                          lfdcsadmin - Read/Write

                          Properties --> Sharing --> Advanced Sharing Button
                          "Share this folder" is checked
                          Permissions Button yields:
                          Everyone - Read
                          ADMIN 1 - Full Control
                          ADMIN 2 - Full Control
                          ADMIN 3 - Full Control
                          Teachers (group) - Read
                          Domain Admins - Full Control

                          NOTE: ADMINs 1-3 above are school administrators (principal, etc) that simply want full access to these files/folders. Don't think of them as TECH admins. I'm the only "admin" in the technical sense.

                          Properties --> Security
                          SYSTEM - Full Control
                          Teachers (group) - SPECIAL permissions, not inherited, Apply to This folder only, Traverse folder / execute file, List folder / Read data, Read attributes, Read extended attributes, Read permissions
                          K1 Teachers (group) - Same as above
                          lfdcsadmin - Same as above
                          Domain Admins - Full Control
                          Administrators - Full Control


                          Teachers\K1:
                          Properties --> Sharing --> Share Button
                          Administrators - Owner
                          Domain Admins - Read/Write
                          lfdcsadmin - Read/Write
                          Teachers - Read

                          Properties --> Sharing --> Advanced Sharing Button
                          "Share this folder" is UNchecked

                          Properties --> Security
                          SYSTEM - Full Control
                          Teachers (group) - Read & Execute, List Folder Contents, Read
                          K1 Teachers (group) - SPECIAL permissions, not inherited, Apply to This folder only, Traverse folder / execute file, List folder / Read data, Read attributes, Read extended attributes, Read permissions
                          lfdcsadmin - Full Control
                          Domain Admins - Full Control
                          Administrators - Full Control


                          Teachers\K1\test:
                          Properties --> Sharing --> Share Button
                          Administrators - Owner
                          Domain Admins - Read/Write
                          lfdcsadmin - Read/Write
                          Teachers - Read
                          test - Contribute

                          Properties --> Sharing --> Advanced Sharing Button
                          "Share this folder" is UNchecked

                          Properties --> Security
                          SYSTEM - Full Control
                          Teachers (group) - Read & Execute, List Folder Contents, Read
                          test - Modify, Read & Execute, List folder contents, Read, Write
                          lfdcsadmin - Full Control
                          Domain Admins - Full Control
                          Administrators - Full Control


                          The K2 folder in Teachers has the same rights set, but with K2 users and groups... I've not touched any other folders (like Grade1, Grade2, etc...)

                          OK, so that's what I've got. Now, when logging in as the user "test", I can get into Teachers and the K1 and K2 folders, as well as the folders in those. I can open test documents I placed in them, but I cannot edit them even in the test folder, which should have modify rights. I cannot even get into the other grade-level folders (which makes sense right now).

                          In other words, it seems as though it's all right, except for not being able to modify my own data in the Teachers\K1\test folder.

                          What am I doing wrong? Am I screwing up sharing and security? Am I getting close or have I made this worse? LOL!

                          Thanks, Tom.

                          Chris



                          • #14
                            Re: File Server Permissions Nightmare - Help!

                            Don't bother messing with share permissions -- just give everyone "full control" at the share level and do it all through NTFS
                            You only need to share the top level "teachers" folder

                            Your permissions look OK so sharing issues are the most likely cause of the problems


                            • #15
                              Re: File Server Permissions Nightmare - Help!

                              Originally posted by Ossian:
                              Don't bother messing with share permissions -- just give everyone "full control" at the share level and do it all through NTFS
                              You only need to share the top level "teachers" folder

                              Your permissions look OK so sharing issues are the most likely cause of the problems

                              I'm so confused... Is it just me, or was this easier in Server 2003??!! By "NTFS" you mean the "Security" tab, right? And you mean to give everyone full control on Teachers? Then it's "Security" (meaning NTFS) permissions for all other folders in there?

                              I thought we wanted Read Only on Teachers and then we were "overriding" those on certain folders inside...?

                              Am I missing something?

                              Chris
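
Added example (not part of the thread and not any poster's code): a simplified Python model of the share-versus-NTFS question in posts #13 to #15. It uses the allow entries typed out in post #13 and treats access through the mapped drive as the overlap of share permissions and NTFS permissions. Assumptions: only allow entries are modelled, Read & Execute and the read-type "Special" entries are folded into a single read right, and the names SHARE_AS_POSTED, SHARE_AS_ADVISED, granted, effective and label are made up for this sketch.

```python
from enum import IntFlag

class Right(IntFlag):
    READ = 1     # list, read, traverse (Read & Execute folded in)
    WRITE = 2    # create and change files
    DELETE = 4
    ADMIN = 8    # change permissions, take ownership

READ = Right.READ
MODIFY = Right.READ | Right.WRITE | Right.DELETE   # NTFS "Modify", share "Change"
FULL = MODIFY | Right.ADMIN

# Share permissions on Teachers as typed out in post #13 (constructed from that list).
SHARE_AS_POSTED = {"Everyone": READ, "Teachers": READ, "ADMIN 1": FULL,
                   "ADMIN 2": FULL, "ADMIN 3": FULL, "Domain Admins": FULL}
# Post #14's suggestion: Everyone Full Control on the share, NTFS does the rest.
SHARE_AS_ADVISED = {"Everyone": FULL}

ADMINS = {"SYSTEM": FULL, "lfdcsadmin": FULL, "Domain Admins": FULL,
          "Administrators": FULL}
# NTFS (Security tab) entries from post #13, simplified to allow entries.
NTFS = {
    r"Teachers\K1": {**ADMINS, "Teachers": READ, "K1 Teachers": READ},
    r"Teachers\K1\test": {**ADMINS, "Teachers": READ, "test": MODIFY},
}

# The test account plus the groups it belongs to (Everyone is implicit).
TEST_USER = {"test", "Everyone", "Teachers", "K1 Teachers"}

def granted(acl, principals):
    """Union of the allow entries matching the user or any of their groups."""
    mask = Right(0)
    for name, rights in acl.items():
        if name in principals:
            mask |= rights
    return mask

def effective(share_acl, folder, principals, over_network=True):
    """NTFS alone when logged on at the server; NTFS AND share via the mapped drive."""
    ntfs = granted(NTFS[folder], principals)
    if not over_network:
        return ntfs
    return ntfs & granted(share_acl, principals)

def label(mask):
    """Name the common permission levels; anything else shows up as 'Special'."""
    names = {int(FULL): "Full Control", int(MODIFY): "Modify",
             int(READ): "Read", 0: "None"}
    return names.get(int(mask), "Special")

if __name__ == "__main__":
    for share_name, share in (("as posted", SHARE_AS_POSTED),
                              ("as advised", SHARE_AS_ADVISED)):
        for folder in NTFS:
            result = label(effective(share, folder, TEST_USER))
            print(f"share {share_name:10} {folder:18} -> {result}")
```

With the share as posted, the test account ends up with Read in Teachers\K1\test even though NTFS grants Modify; with Everyone Full Control on the share it gets Modify there and still only Read on Teachers\K1.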
