I know, it's not an easy question to answer. To make matters worse, these files are accessed by Macs that are not in the AD. (I know, I know, but that's how upper management wants it, I have argued and argued for years, but there is no circumventing that one).

Then you are up a less than clean creek without a paddle. Since you have to give them access there is not much you can do about this. We solved it by giving project managers some tools. Would set up all the folders and shares with the correct NTFS accesses already set. Basically they would create a project with a project number. The tool would then set up an AD group with the name of the project. It would then add the manager as manager of the group and the only member. This tool allows the group manager to update his own project groups with members from AD. And the tool is simple enough to give to dummies.

Http:/ / Software/ GroupMan/ Info.html

Combined with access based enumeration we would ensure that only members of the project had any access to the folders.

And they also did not have modify rights to any of the preset folders. So if they did this they had to drag the file or folder they had access to into another they had modify access to. And when all other folders were denied on the top level, they could only modify stuff in folder #2 or lower, we pretty much got rid of this. Managers and the archivers had some more access, but we did not see this problem after these changes.

Of course, when you throw a non AD mac(hine) into the mix, you are in a tight spot and have to live with this I guess.

Microsoft should, by default, add a time delay upon pausing the cursor on the destination folder before the move executes, say 3 secs. Mac OS X has implemented this since a while back. I.E. So when the subject item is dragged the only way for it to get moved is to pause on the destination folder for the set amount of seconds before you can release the mouse button for it to be moved. Is there an item in the registry that would allow for this?

Does anyone know how I can prevent users (all of them) from moving folders accidentally from one location to another? The folders are on a SAN - network share. I have tried adding a single hidden folder, with no rights whatsoever on it for anyone, figuring it should prompt me a message saying denied, but it doesn't even do that. Probably a totally different problem I need to deal with.

Functional level of the Domain is Windows 2003.

File server (is only file server) and is Windows 2008 server. We haven't gotten to making the full switch over yet.

This was a huge issue here for a while until I finally found a solution. Sloppy clicks would end up moving folders into adjacent folders accidentally on a weekly basis. I tried ALL of the solutions mentioned prior to my posting this, with the exception of the various workarounds, and they did NOT work for me (YMMV). Personally, I hate registry hacks and similar workarounds as they tend to add complexity.

Note: I am using a Synology NAS with SMB to share a huge repository of project folders (File system is ext4 with Windows ACL enabled on the share). So there may be some idiosyncrasies related to underlying ext4 file system vs NTFS.

Note: I refer to the root directory as the one we want to lock down, this doesn't have to be root of the share or mapped drive.

(If you're going to try this I would suggest you first test in a non-production environment!!!)

From Windows: Right Click Root Folder -> Properties -> Security Tab -> Advanced -> Change Permissions -> Add.

Select: Apply to: This folder and subfolders

3. Add the Domain Users or similar group that encompasses both restricted and unrestricted users
Check: Apply these permissions to objects and/or containers within this container only

9. Select: Apply to: Subfolders and files only

10. Select: Apply to: This folder, subfolder and files
Make sure Apply these permissions to objects and/or containers within this container only is UNCHECKED

13.

With these settings in place I can confirm that users with membership to the restricted group cannot change, create, or move files or folders within this folder, while users that are members of the unrestricted group have full control.