Markus

Afternoon all,
Here's the situation, I've got a Windows 2003 Enterprise server, acting as a DC. I am going to connect from a Mac (running OS X 10.4.10) via SMB to a share called authgroups on this server.

I have four users in AD:

alpha, bravo, charlie, and delta

I have created two groups in AD:

ab, and cd

alpha and bravo are members of group ab, and charlie and delta are members of group cd.

I've shared authgroups as a windows share. The security settings on the root of authgroups has been changed to add the groups ab and cd with the default permissons.

The sub-folders of the share have had their permissions changed so that only the ab group has access to the ab folder, and the cd group only has access to the cd folder (when I say only, I mean that the Administrator, creator owner and System users/groups are there)

In the Sharing option of Properties it's set to Everyone + Read, which is the default I believe.

The theory behind all this is that, for example, user delta should be able to connect to authgroups and should only be able to access the cd folder on the share. I'm not too bothered if they see the ab folder, but they should not be able to access it.

If I share the folder for Mac and connect, I get exactly this behaviour, however, this does NOT happen when I connect via SMB. In the example above, delta has access to both the ab and cd folders, obviously not what I want.

So, what exactly am I doing incorrectly here? I presume it must be possible to configure the settings in such a way so as to provide the access I want. My current though is that it's something to do with the Sharing permissions, as opposed to the Security Permissions. It looks as though whatever is set on the Sharing permissions page is inherited throughout the share.

Any advice on what to change is greatly appreciated.

Deano_P1

It may well be the case that whatever permissions you have set on the share have got inherited on the folders within the share.

Within the permissions tab there should be a little tick box which says something like 'Allow child objects to inherit permissions'. If you untick this then you can grant different permissions on the other folders within the share

Hope that helps

Markus

I had to disable the inherit permissions option to allow me to explictly change the permissions on the ab and cd folders within the share. When I did uncheck that option I was asked if I wanted to cancel, copy or remove the existing ownership, I said copy, and then removed the user/groups I did not want, which were Users group and either ab or cd group, depending on the folder.

I've double-checked and the sub-folders are not inheriting the permissions from the parent.

mike1210

What I do for shares is for the share permissions

give group ab and cd read and change in sharing permissions of the share, then full control for admins, domain admins etc so share permissions are

domain admins = full control
ab = change and read
cd = change and read

then with ntfs permissions the permissions i would set would be (for the root share folder)

domain admins = full control
ab = List folder contents, nothing else ticked
cd = List Folder contents, nothing else ticked

assuming there is nothing in the root above the 2 folders ab and cd.

ab folder I would take off the object inherit permissions thing and give

Domain admins = full control
ab security grouop = either list, read and execute or modify depending if they need to write and change

then i would replicate those permissions down, cd folder:

Domain admins = full control all ticked
cd security group = either read, list and execute or modify depending on requirements, then replicate those permissions down