Jump to content
RESET Forums (homeservershow.com)

Shared folders


marky9074
 Share

Recommended Posts

I have to admit to being thoroughly confused on what I thought was a very basic action. I created a new user group called 'Sage Users' and added all users that are going to use Sage (best practices and all that...) 

 

I then created a new share and added the 'Sage Users' group with full permissions, and removed the 'Users' group. As I was a member of the Sage Users I tested the folder.... no access... :wacko:

 

I logged in remotely using web access to see what folders were viewable externally...seems only the user folder. I then went round and round in circles playing with groups and permissions to no avail. Then I went through the user options in dashboard, and found the server shares tab. I changed these to read only on all the shares and checked again and had access. On further inspection it had added the individual user to each folder share (this is not good practice?)....

 

So am I missing something? What has happened to the normal application of group management on shares? :rolleyes:

Edited by marky9074
Link to comment
Share on other sites

Set the share permissions to Everyone/Full Access. Then use the Security permissions to restrict access to only those users you want to have access.

Link to comment
Share on other sites

I might have over simplified everything in my description above, but I am fully aware of share/NTFS permissions and it falling to the most restrictive permissions. If I configure the permissions for the share to be only 'Users' with full access (and remove the 'everyone' group), then add only the 'Sage Users', 'System' and 'Administrators' to the NTFS security it should work... but it fails unless the domain admin user is added (who is already part of 'Sage Users' group).....

 

I have a workaround, but I am not sure why it is being fussy about having a specific user defined when they are already contained within a group.



Set the share permissions to Everyone/Full Access. Then use the Security permissions to restrict access to only those users you want to have access.

 

Sorry I had already written the above before you replied :) That is how it was originally (and didn't work), the only difference being that they are part of the group 'Sage Users'...

Edited by marky9074
Link to comment
Share on other sites

I've used the method I described for years, so I know for sure it does work. I recommend starting over; restore everything back to how it was originally and redo the permissions & security. BTW. on the client, make sure you log off and back so the client picks up the new settings.

Link to comment
Share on other sites

For sure it works if you add individual users... it is when I add a group (of the same users) it doesn't work...

 

This is what I did as a test:

 

Create folder, right click properties, sharing share/share, checked 'Share permissions' = everyone and administrators ~ full permissions

Checked NTFS permissions (Security tab) = SYSTEM, sysadmin (my domain admin user) and Administrators ~ full permissions

 

sysadmin is a member of 'Domain Admins' which is a member of 'Administrators'

If I remove sysadmin I loose permissions on the share (even though sysadmin is a member of 'Domain Admins' and therefore 'Administrators')

 

If I add 'Domain Admins' and remove sysadmin I loose permissions too (even though 'Domain Admins' is a member of 'Administrators')....

 

Changing ownership from sysadmin to SYSTEM does not make any difference.

 

(I think the 'Sage User' group was a red herring now I think about it)

 

I think it is clearer now, though doesn't make sense to me. There must be a user with permissions regardless of if there is a group that contains that user (with the same permissions). The only exception I see to that is if I add 'Domain Users' which works ok. But if I create a group with exactly the same members as 'Domain Users' it will loose permissions as soon as the sysadmin user is removed....

Edited by marky9074
Link to comment
Share on other sites

Hmm maybe this is all a moot point as still when you log in remotely using 'Remote Web Access' you need to have individual users assigned to the NTFS permission for the shares to show up....

 

This goes totally against good practice of keeping users in groups..   :angry:

Link to comment
Share on other sites

Why are you changing "Ownerships"?  Share Permissions.  When you put Everyone in the Share Permissions...that meant every everyone including Admins.

Use Groups whenever possible.  You might have created a different Admin Group from Domain admins so verify that too.

Link to comment
Share on other sites

I promise you, groups do work. Many thousands of Windows Server administrators use them every day. Something else is going on here.

Link to comment
Share on other sites

Domain Admins and Administrators are two different Groups.  Domain Admins have more rights than just "Administrators".  By way of best practices, I would not be using the Domain Admin account for everyday work.  If that account gets compromised, so does the Domain.

Link to comment
Share on other sites

Why are you changing "Ownerships"?  Share Permissions.  When you put Everyone in the Share Permissions...that meant every everyone including Admins.

Use Groups whenever possible.  You might have created a different Admin Group from Domain admins so verify that too.

 

I changed the ownership of the folder because the creater (owner) was the domain admin account I was logged in as.. it was just as a test to see if it made any difference..

 

I promise you, groups do work. Many thousands of Windows Server administrators use them every day. Something else is going on here.

 

I know... it's odd. I have a sort of workaround, that on paper gives me the permissions I want on the share... but then it is still not visible remotely using Remote Web Access...

 

Domain Admins and Administrators are two different Groups.  Domain Admins have more rights than just "Administrators".  By way of best practices, I would not be using the Domain Admin account for everyday work.  If that account gets compromised, so does the Domain.

 

Yes they are two different groups, but the account created on install is a domain admin, and the domain admin group is part of the administrators group. I am not using the domain admin account for everyday work. This i a production server and I am trying to set up all the Server shares so that they're visible both inside the LAN and externally via Remote Web Access.

Edited by marky9074
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...