Attention! All actions are performed on the server itself, which runs Windows Server 2003. Everything can also be done on the server through the terminal service used for server management.

All of the following works only on the NTFS file system. If you still have FAT32 (or FAT16), convert your file system to NTFS. This is easily done with standard tools. On the command line, just type convert [drive] /fs:NTFS. For example: convert c: /fs:NTFS.

  • It is not possible to convert back to the FAT system.
  • When converting the system disk, there will be warnings about the loss of descriptors; accept them. This does not result in data loss.
  • Reboot.

Opening access

To share a folder over the network with a user, do the following:

Launch Explorer.

Right-click on the desired folder and select "Properties".

In the window that appears, select the option "Share this folder".

Give a name to the shared resource. As a rule, the default value is the folder name.

Leave "User limit" at its default value, "Maximum possible".

After the above steps, click the "Permissions" button.

Adding a user

When you press the "Add" button, select the desired user from the list.

After adding the user, set the appropriate rights for them: Full access, Change, Reading. Rights are set at the discretion of the administrator, that is, you.

To select the desired user you need to do the following:

After pressing the "Add" button, a window will appear where you can select either a group or an individual user.

Enter the user name manually (if you remember it by heart, of course), or click "Advanced" and use the search to select from the proposed list of users.

After you have filled in everything required on the "Sharing" tab, go to the "Security" tab and rejoice, "Oh my God," at how many rights there are here.

Additional rights

Select the desired user and begin to administer justice: this is allowed, and this is not.

When you press the "Advanced" button, an even more extensive list of rights will appear, covering what the user will and will not be able to do.

Also, in the "Advanced" rights section, select the desired user:

Uncheck the box "Allow inheritance..."; if this is not done, all your actions will be in vain, and all internal folders will inherit rights from a higher level, as a rule from the disk (where everyone has read-only access).

Check the box "Replace permissions".

Click "Apply" and the process of assigning rights to the current user will begin. This process may take several minutes, depending on the number of files. The file size does not matter in this case.

Problem: The network resource cannot be accessed. The network folder is displayed...

but when I try to log in, the system displays the following message:

Windows cannot access \\computer\network_resource. Permission to access \\computer\network_resource absent. Contact your network administrator to gain access.

In the Windows XP operating system, a similar message reads like this:

No access to \\computer\network_resource. You may not have permission to use this network resource. Contact the administrator of this server to obtain the appropriate access rights. Access denied


Why can't I access the network resource?

The reason may be due to the following factors:

  • The user does not have permission to access the share.
    These rights are configured on the Sharing tab and apply only to network access.
  • The user does not have permission to access the folder at the NTFS permission level.
    These rights are configured on the Security tab. This setting controls access rights for both network and local access.
  • The user has neither network access permissions nor NTFS rights.
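
The two permission layers listed above can be compared side by side from PowerShell. The following is an added example, not part of the original article: it assumes Windows 8 / Server 2012 or later (the SmbShare module) and an elevated session, and the names Get-ShareLayerReport and Resolve-AccountSid are illustrative.

```powershell
# Added example (not from the original article). Requires the SmbShare module
# (Windows 8 / Server 2012 or later) and an elevated session.
# Get-ShareLayerReport and Resolve-AccountSid are illustrative names.

# Well-known SIDs of broad principals. SIDs are used because display names
# are localized (the group is not called "Everyone" on every system).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-546' = 'Guests'
}

# NTFS rights that allow changing or removing data or permissions, plus the
# raw GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits that some
# ACEs carry instead of specific rights.
$WriteRights = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteRights = $WriteRights -bor 0x10000000 -bor 0x40000000

function Resolve-AccountSid {
    param([string]$AccountName)
    try {
        ([System.Security.Principal.NTAccount]$AccountName).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { }   # unresolvable name: emit nothing
}

function Get-ShareLayerReport {
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $shares  = Get-SmbShare | Where-Object {
        $_.Path -and -not $_.Special -and "$($_.ShareType)" -eq 'FileSystemDirectory'
    }
    foreach ($share in $shares) {
        # Layer 1: share permissions (the Sharing tab). Network access only.
        $shareWrite = Get-SmbShareAccess -Name $share.Name |
            Where-Object { "$($_.AccessControlType)" -eq 'Allow' -and
                           "$($_.AccessRight)" -in 'Full', 'Change' } |
            ForEach-Object { Resolve-AccountSid $_.AccountName } |
            Where-Object { $_ -and $BroadSids.ContainsKey($_) } |
            ForEach-Object { $BroadSids[$_] }

        # Layer 2: NTFS permissions (the Security tab). Local and network access.
        $ntfsWrite = (Get-Acl -LiteralPath $share.Path).GetAccessRules($true, $true, $sidType) |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $BroadSids.ContainsKey($_.IdentityReference.Value) -and
                           ([int]$_.FileSystemRights -band $WriteRights) } |
            ForEach-Object { $BroadSids[$_.IdentityReference.Value] }

        # A network request must pass both layers, so write access is only
        # effective when both of them grant it. Deny entries are not evaluated.
        $finding = if ($shareWrite -and $ntfsWrite) {
            'both layers grant write to a broad principal'
        } elseif ($shareWrite) {
            'share ACL is open; the NTFS ACL is the only barrier'
        } elseif ($ntfsWrite) {
            'NTFS ACL is open; the share ACL is the only barrier'
        } else {
            'no broad write access'
        }

        [pscustomobject]@{
            Share           = $share.Name
            Path            = $share.Path
            ShareLayerWrite = ($shareWrite | Sort-Object -Unique) -join ', '
            NtfsLayerWrite  = ($ntfsWrite  | Sort-Object -Unique) -join ', '
            Finding         = $finding
        }
    }
}

Get-ShareLayerReport | Format-Table -AutoSize -Wrap
```

A share reported with only one open layer is one permission change away from being writable by everyone on the network, so both ACLs are worth reviewing together.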

How to share a network folder with all users

Settings must be performed on the computer where the network resource is located.

Go to Computer Management:

Open the Shared Folders section. Select the Shared Resources subsection and find out the local path to the folder that is shared on the network.
In our example, we see that the network resource temp corresponds to the local path C:\temp:


Find the local folder, right-click on it and open Properties:


1 The first thing to check is the network access permissions. Open the Sharing tab and press the Advanced Sharing button:

Press the Permissions button:

Check for whom network access is open, and also check the rights.
For all users to be able to access the network resource, the Everyone group needs to be added to the Share Permissions list.
In our case, full access is open to the Everyone group. This means that everything is fine with the network access permissions:

2 The second thing you need to check is the NTFS rights. Go to the Security tab and check the global permissions for access to the folder.
In our example, we see that only users and administrators of the local computer have access to this folder. This means that if we try to log into a network resource under a user who does not have an account on the local computer, we will be denied access.

To allow access to the folder for all users, even those who do not have an account on the local computer, you need to add the same Everyone group to the list. To do this, press the Change button:

Click Add:

Add the Everyone group and press OK.

Attention! It is NOT necessary to search for the group in the list of groups and users. You can simply type the word “Everyone” by hand, always with a capital letter.


Now we indicate which operations are allowed for the Everyone group. To access and download files over the network, just allow:

  • Reading;
  • Read and execute;
  • List of folder contents.

After setting permissions, click OK to save permission settings:

Again OK:

Let's check. The folder can be accessed both from a computer running Windows 7 and from a computer running Windows XP:



If during the process of setting up access you encounter an “error applying security settings,” read on to find out how to fix it.

By wire or via Wi-Fi and found that the computers “do not see” each other. And these computers are controlled by Windows 7, while computers with the old but beloved XP perfectly detect each other on the network and see folders open for public access.

In Windows 7, the work with networks and sharing has been radically redesigned. “Network locations” appeared (home, work, public and domain networks) and this was done, of course, for the benefit of you and me, but it turned out, as they say, as always.

By default, Windows 7 defines all new networks as public, and very strict security rules are set for them: network discovery is disabled (the computer is blind and cannot be seen by other machines), file and printer sharing is disabled (other computers do not see shared folders and printers), and access to the computer from the network is password protected.

Since the dark times of Windows Vista, many people remember the network location selection screen that appears whenever a computer connects to a new network.

So, how do you share files over the network in Windows 7?
You can select Home network each time you are asked for a network location. Or you can configure your computer once for convenient use when connecting to any network whose members you want to share files with. If you are concerned about the safety of your confidential data, simply do not provide access to it, and try not to give full access (write and read) to files and folders.

If you are afraid that third parties will have access to your files when, for example, you are at the airport and connected to a Wi-Fi network, install the program Kill Watcher and block access to your computer from the outside with two clicks. Kill Watcher stops the server service, and your files become unavailable over the network, even for reading.

Preparing to share

Click on the network icon in the tray and follow the link to the Network and Sharing Center.


In the window that appears, set the values of the switches as shown in the screenshot:

Note. I do not recommend opening access so that network users can read and write files in shared folders. These folders are located on the “C” drive, and if you access them for writing, you open the way for Trojans and viruses to your machine. Do this only if all the computers on the network are familiar to you and have anti-virus software installed on them.

How to Share a file or folder
Right-click on the folder or file and go to Properties.


Go to the Sharing tab and click the Advanced Sharing button.


Check the box next to Share this folder and click the Permissions button.

Click Add.


In the window that appears, click the Advanced button.


Click the Search button at the middle right (1); a list of services and users will appear in the lower field of the window (2). Scroll to the bottom and find Network. Highlight Network (3) with the left mouse button and click OK (4). Then click OK again.


In the field highlighted in yellow, you can set the rights for users who will connect to you over the network.

The differences between Full Control, Modify, and Read are shown in this table (from Windows Help).

In short, the only difference between full access and modification is that with full access you can delete files.
Once you have configured the desired permissions for users, click OK twice and go to the Security tab of the folder properties window. Next, you need to perform steps similar to those we performed when setting permissions.

Click the Change button.


In the window that appears, click Add.

Click the Advanced button in the next window.


Next, click Search and find Network at the bottom of the list. Highlight Network with the left mouse button and click OK. Confirm your selection by pressing OK twice.


In this window, as before in the access parameters, set the desired security parameters. If you leave the list unchanged, the folder will default to read settings. Confirm your choice by pressing OK twice.

That's basically all. You can start transferring files over the network.

If, despite all the above measures, your computer is still inaccessible to others, try turning off Windows firewall or the one that is built into your Anti-Virus.

This is especially true for users of Eset Smart Security, which by default really likes to block all network connections. KIS also sometimes suffers from this.

If you couldn’t share the computer in this case, try rebooting and accessing it by typing its address in the address bar of Explorer (in any window). The address must be preceded by two backslashes (\\).

In the Windows operating system, you can enable shared access to a folder on a local home network to exchange data between computers using shared folders. This is a very convenient and fast way to transfer files from computer to computer without using external media (flash drives, external hard drives, memory cards, etc.).

In this article I will talk about creating a local network using the Windows 10 operating system as an example. Creating and configuring a local network in Windows 8 and Windows 7 is done in a similar way; these instructions are universal.

The article discusses the following option for using shared folders on a local network: several computers are connected to the router, connected via cable and wireless Wi-Fi network, united in a home network. A shared folder is created on each computer; all computers included in this local network have access to the shared folders.

On computers connected to the home local network, the operating systems Windows 10, Windows 8, Windows 7 (different OS, or the same operating system) can be installed, connected to the router via Wi-Fi or cable.

Creating and configuring a local network takes place in four stages:

  • the first stage is checking the workgroup name and network card settings
  • second stage - creating and configuring local network parameters
  • third stage - connecting shared access to a folder on the local network
  • fourth stage - data exchange over the local network

First you need to check your workgroup settings and network card settings, and then create a local Windows network.

Checking network card and workgroup settings

On the Desktop, right-click on the “This PC” icon (“My Computer”, “Computer”) and select “Properties” from the context menu. In the “System” window, click on “Advanced system settings.”

In the “System Properties” window that opens, open the “Computer name” tab. Here you will see the workgroup name. By default, in Windows 10, a workgroup is named "WORKGROUP".

On all computers connected to this local network, the workgroup name must be the same. If the workgroups have different names on the computers you connect to the network, change the names by choosing one name for the workgroup.

To do this, click on the “Change...” button, in the “Changing computer or domain name” window, give a different name for the workgroup (write the new name in capital letters, preferably in English).

Now check your network card settings. To do this, in the notification area, right-click on the network icon (Internet access). Click on "Network and Sharing Center". In the Network and Sharing Center window, click the Change adapter settings link.

In the “Network Connections” window, select a network card, Ethernet or Wi-Fi, depending on how your computer connects to the Internet. Next, right-click on the network card and, in the context menu, click on "Properties".

In the network card properties window, in the “Network” tab, select the “IP version 4 (TCP/IPv4)” component, and then click on the “Properties” button.

In the Internet Protocol Properties window that opens, in the “General” tab, check the IP address and DNS service settings. In most cases, these parameters are assigned automatically. If these parameters are inserted manually, check the corresponding addresses with your Internet provider (the IP address on computers connected to the network must be different).

After checking the settings, you can proceed directly to creating a local network in Windows.

Creating a local network

First of all, configure the local network settings in Windows. Enter the “Network and Sharing Center”, click on the “Change advanced sharing settings” item.

The Advanced Sharing Settings window allows you to change sharing settings for different network profiles. The Windows operating system creates a separate network profile with its own special parameters for each network used.

There are three network profiles available:

  • Private
  • Guest or public
  • All networks

In your private network profile, under Network Discovery, select Enable Network Discovery.

In the File and Printer Sharing option, enable the Enable File and Printer Sharing option.

In the Homegroup Connection option, select Let Windows manage homegroup connections (recommended).


After that, open the “All Networks” network profile. In the Public Folder Sharing option, select Enable sharing to allow network users to read and write files in public folders.

In the File Sharing Connection option, select the Use 128-bit encryption to secure sharing connections (recommended) option.

In the “Password Protected Sharing” option, enable the “Turn off Password Protected Sharing” option.


After completing the settings, click on the “Save Changes” button.

Repeat all these steps on all computers that you plan to connect to your home local network:

  • check the workgroup name (name must be the same)
  • check your network card settings
  • In sharing settings, enable network discovery, enable file and printer sharing, disable password protected sharing

How to enable folder sharing

In this case, I created a folder named “General”. Right-click on this folder and in the folder properties window, open the “Sharing” tab.

Then click on the “Advanced Sharing” button.

In the “Advanced sharing settings” window, activate the “Share this folder” option, and then click on the “Permissions” button.

Select permissions to use shared folder data from another computer. There are three options to choose from:

  • Full access
  • Change
  • Reading

To save the settings, click on the “OK” button.

Go back to the folder properties, open the “Security” tab, and then click on the “Change...” button.

In the window that opens, enter the name “Everyone” (without quotes) in the “Enter names of selected objects” field, and then click on the “OK” button.


In the folder properties window, in the “Security” tab, configure the permissions that you previously selected for the shared folder.

To change the permission for the “Everyone” group, click on the “Advanced” button. In the “Advanced security settings for a shared folder” window, select the “Everyone” group, and then click on the “Change” button to change permissions.

Setting up a local network in Windows is complete. In some cases, you may need to restart your computer for all changes to take effect.

Logging into your local home network

Open Explorer, in the “Network” section you will see all available computers connected to your local home network. To log into another computer, click on the computer name, and then click on the shared folder name to access the files and folders located in the shared folder.

The local network in Windows 10 has been created and configured.

Troubleshoot some network problems

Sometimes, after setting up the network, problems arise with accessing folders on the local network. One possible problem may be an incorrectly selected network profile. I encountered this myself on my computer. After reinstalling the system, I created and configured a local network, but my computer did not see two laptops connected to this network. From the laptop I could easily access the shared folder on my computer, but the computer did not see them at all.

I checked all the local network settings several times, and only then I noticed that my computer was running a public network, and not a private (home) network, like on laptops. How can such a problem be solved?

Enter the “Network and Sharing Center”, click on “Troubleshooting”. Select the “Shared Folders” section and run diagnostics and troubleshooting. At the very end, the application will offer to configure the network as private. Apply this fix, and then restart your computer. After performing this operation, my computer gained access to shared folders on laptops on the local network.

Often problems arise from the network. Windows 10 has the option to reset your network settings to default settings. Go to “Settings”, “Network and Internet”, in the “Change network settings” section, click on “Reset network” to apply the default network settings.

Other problems may arise; look for solutions on the Internet.

Conclusion

In Windows OS, you can create a local private (home) network between computers, organize data exchange using shared folders, and gain access to a printer. Computers on the same network can have different or the same operating systems installed (Windows 10, Windows 8, Windows 7).

They are a generally accepted norm and their presence will not surprise anyone. Due to the availability of Internet connections, various online services are becoming increasingly popular. Some of the most popular are network folders and remote resources, organized both on your home network and provided by your Internet provider. Most often, everything works as expected, but from time to time there may be errors that prevent full operation and that the average user does not know how to solve. Among the most common are the “No access to network folder” errors. Some of them may be designated by a numeric or alphanumeric code, such as 1231 or 0x800704cf. These problems can be caused by various factors. In this article, we invite you to understand all the reasons and also suggest ways to solve them.

No access to network folder

Let's imagine that you have several computers between which you want to set up a home network so as not to constantly copy the necessary files. In this case, you need to create a folder on one of the computers and make it publicly accessible so that it can be accessed from any other device with Internet access. It could even be a smartphone or tablet.

One of the most common errors when working with remote folders is that there is no access to a network folder, which may result in error code 0x800704cf. You see a public network folder in Explorer, but when you try to open it, you get the message “No access to resource.” The exact text of the message may vary depending on the operating system version. What are the possible causes of this problem? There may be several of them:

  • An individual user was not granted access rights to a folder located on the network.
  • The user does not have permission to access the network resource at the operating system security level.
  • The user generally does not have any permissions to access the resource.


Every problem can be solved. Let's take a closer look.

Configuring access to a network folder for each user

All settings must be performed on the computer or resource on which the contents of the folder are stored. To configure user access to a folder, you must:

  1. Go to computer management (depending on the version of the operating system, right-click on the My Computer icon on the Windows desktop or the Start button, then select Management or Computer Management) and select Shared Folders - Shared Resources.
  2. Find a folder in the list of resources that you cannot access and look at its location on your hard drive.
  3. Open Explorer and find the desired folder (Windows 10 users can perform further actions without going to Explorer by simply right-clicking directly on the Computer Management utility menu).
  4. Right-click on it, select Properties - Access - Advanced settings - Permissions (or Properties - Permissions for the shared resource).
  5. You will see at least two items - Administrators and Everyone. Hover the cursor over the Everyone item and make sure that all items in the Allow column are checked (full access, change, read). If there is a checkmark in the Deny column opposite some item, you should remove it from there and put it in the Allow column.
  6. Confirm the changes by clicking Apply - OK, and then try again to use the network resource.


Right-click on “Computer” and select “Manage” from the context menu

Configuring access to a resource at the system security level

Sometimes it happens that the operating system security level prohibits third-party users from accessing a network resource. To fix the problem:

  1. In the Properties menu, open the Security tab and click on the Edit button and then Add.
  2. In the “Enter the names of the selected objects” line, type Everyone with a capital letter and click OK.
  3. Once you are taken back to the list of groups and users, hover over the newly created Everyone group and check the actions you want to allow. The checked items by default are quite sufficient for reading data from a remote network resource.
  4. Click Apply - OK - OK and try to access the network folder again.

Error 1231 occurs when trying to connect to the Internet

Error 1231 occurs when a Windows computer cannot access resources located on a remote server. Most often it occurs when an Internet provider provides access to an international network using VPN technology. In addition, it may occur when trying to access a local resource from a network access service provider. If you had access and suddenly lost it, this problem may occur for one of the following reasons:

  • problems from the provider;
  • loss of connection between the subscriber and the server;
  • computer network card failure;
  • network card driver failure;
  • The operating system security system blocks the VPN connection;
  • incorrectly established or disabled local network connection;
  • actions of virus programs.

First of all, you should check whether error 1231 is caused by your Internet provider. To do this, you need to launch the command line (Win + R - cmd, or right-click on the Start button - Command Prompt) and enter the following command:

net view \\domain:domain name,

Where domain name means the server address that the provider provided to you to connect to the World Wide Web. If “System error 53. Network path not found” is displayed, then the problem is on the part of the service provider. In this case, you should contact technical support.

If you don’t get this error, you’ll have to look for the reason in your Windows computer or laptop. What can I do to fix error 1231?

Conclusion

We hope that we have helped you with solving the problem of accessing network resources with codes 1231 and 0x800704cf. We are confident that if you follow our instructions exactly, you will be able to solve everything on your own. Please indicate in the comments whether you were able to resolve the issue without the help of specialists.

I will try to formulate a set of general rules/recommendations/theses for organizing access rights on a file server in a domain environment on Windows Server 2012 R2 servers, based on my own experience and observations:

        1. We do not install any roles or services on the file server except the file server role. The cleaner the better. We organize data replication to another file server, data backup to a backup server, monitoring/audit/scripts and that’s all... Only administrators should have RDP access, there is no need to deploy a terminal server, install client software and allow users onto the server.
        2. Access to data for users is achieved by sharing the root folder (in my opinion, ideally only one root folder is “shared”). There is no point in publishing several folders located on the same drive and at the same hierarchy level, since everything is easily controlled by access rights on the “Security” tab and the “Enable Access Based Enumeration” (ABE) option - folders that the user does not have access to will not be displayed. On Windows Server 2012 R2 servers, the ABE option is located here: It makes sense to “share” multiple folders in the following cases:
          1. The folders are on different drives. There are two options: either you have multi-terabyte data arrays and you are limited by the physical limitations of the size of a RAID array or logical volume in the OS, or you are too lazy to organize (or you were not given the money for this) a RAID array of sufficient size. The second option is more viable, so you should reorganize/upgrade the disk subsystem.
          2. It is necessary to give access to a folder deeply “buried” in the directory hierarchy, while not giving access to neighboring and higher-level directories. In this case, to configure access rights, you will have to go through the entire path to the desired folder, issuing minimal rights to each “transit” folder. If you “share” the target folder, it will be easier to assign access rights, and it will be easier for the user to enter it. Alternative ways: grant rights using PowerShell scripts (I will publish an article on this in the future) or review/optimize the folder structure and access rights to them. For quicker access, you can use shortcuts to “buried” folders or connect network drives.
        3. To provide access to the folder with distribution kits, roaming profiles and user desktops, hidden shares are created, for example distr$, prof$, dsk$. These shared folders are not displayed in the network environment and are accessible only through the exact path: \\srv01\prof$\ and so on.
        4. In the root folder we create folders of departments, exchange, projects, directions, branches and so on. The folder structure should be carefully considered at the initial stage; pay special attention to the implementation of access to department data for employees of other departments and to options for data exchange between departments. You should also consider a number of restrictions for folders: maximum size, allowed file formats, and so on. It is advisable to build a clear hierarchy of folders and corresponding access rights in such a way that users can change the folder structure only from the 3rd-4th nesting level.
        5. The principle of issuing the least amount of rights should be adhered to, expanding them only as necessary. In the root folder, we disable inheritance and convert inherited rights to explicit ones. We leave full access for this folder, its subfolders and files to administrators and the system, we reduce the rights of the creator-owner, and we delete the remaining access rights:
        6. Creator-owner permissions should not be removed. For example, there is a folder “...\Human Resources\”, to which the user has rights to change only for this folder. The user creates a new folder and “nothing works” for them; or rather, a folder is created, but the employee does not have access to it, since inherited rights from the parent folder are applied. If access-based enumeration (ABE) is disabled for a shared folder, the folder that is created will be visible, but the employee will not be able to rename, open, or delete it.
        7. System permissions should also not be removed. Many services run with system rights, such as the Shadow Copy Service (VSS), which can be used by the system backup, for example Acronis. To run scripts on a schedule without being tied to a user account, a system account is also used. Thus, for correct operation, the system must have full rights to all folders and files on the server.
        8. Add the Domain Administrators group to the local Administrators group. Thus, both local administrators and domain administrators will have administrative rights on the server, including full access to all folders and files on the server, through membership in the local administrators group. In a domain, this can be very conveniently configured via group policies and applies to all servers and workstations in the domain: Computer Configuration -> Settings -> Control Panel Settings -> Local Users and Groups.
        9. For privileged users (company management, auditors, etc.) create an access group in the domain and give it read rights in the root directory for this folder, its subfolders and files. If necessary, we expand the rights to subdirectories by adding permission to change. In the case of a request for full access to all folders, at most we add change rights (in the understanding of users, this is full access, and allowing users to administer access rights is fraught with consequences for which the system administrator is responsible). In this case, we assign change rights as follows: in the root folder we assign read rights to this folder, its subfolders and files. In subdirectories of the root folder, we assign change rights only to subdirectories and files. Thus, VIP users will have the rights to change folders/files starting from the 3rd level of the hierarchy, which will ensure the safety of the subdirectory structure of the root directory: without the system administrator's knowledge, no new folders will appear in the root, and no one will rename or delete the folder of an entire department/division.
        10. For other employees, we create a general access group and access groups in the domain for each department, division, project, direction, branch. For the general access group, we give read rights in the root directory only for this folder. For department access groups, we assign read rights in their folders; we assign change rights to department heads and their deputies. It is advisable to grant rights in a department folder only for this folder, and in subdirectories - for this folder, its subfolders and files; give managers and their deputies permission to change subdirectories of the department folder only for subfolders and files. This preserves the general folder structure inside department directories and also makes it possible, in the future, to quickly create a new subfolder inside a department with limited access without disabling inheritance of access rights.
        11. Rights should be assigned to access groups, not user accounts, at least at the upper levels of the folder hierarchy! Firstly, it is more visual and easier to administer. Secondly, in more deeply nested directories there can be a very impressive number of access rights, taking into account inherited permissions from parent folders. Thirdly, when employees are fired and their accounts are blocked/deleted, “slag” remains in the folder access rights in the form of irrelevant (read: useless/unnecessary/superfluous) permissions for accounts (and, when an account is deleted, account SIDs). Over the course of 1-2 years, quite a lot of “garbage” accumulates; it is impossible to count it by scrolling.
        12. Don't get carried away with disabling inheritance of parental access rights; we must try to use this option only as a last resort, and the same applies to explicit prohibitory rights. Disabling inheritance breaks the integrity of the top-down application of access rights. And God forbid, if the rights to the entire root directory and department folders are issued through access groups and they are already present in folders with disabled inheritance (then just add the new employee’s account to the required group), and what if the rights were granted to user accounts?! What if you need to give a group of users rights to all child folders, including 5-6 with inheritance disabled, but deny access to 3-4 folders with inheritance enabled?! What if each of these users must have different access rights and they cannot be combined into a group?! To avoid such troubles, inheritance of rights should be disabled in exceptional cases and for lower-level folders (without a structure of child subdirectories).
        13. When a folder is copied to a new directory, explicitly specified rights are not preserved, and rights inherited from the new parent folder apply to it, even if inheritance of parental access rights was disabled for the copied folder. When a folder is moved to a new directory, explicitly set rights are preserved, including disabled inheritance. With inheritance enabled, rights inherited from the new parent folder are applied in addition to the explicitly specified rights. Therefore, when “moving” to a new folder structure, you need to copy data, and not move it! Otherwise, “garbage” will appear in the form of irrelevant access rights and not all rights will be applied due to disabled subfolder inheritance. And the opposite thesis - to preserve disabled inheritance and the necessary access rights specified explicitly, you need to move folders, not copy! Or you will have to configure access rights again. Users should be warned about the possible consequences of such manipulations: some may lose access to folders, others may gain access. It is highly advisable to periodically check that access rights are up to date.
        14. The option "Replace all permission entries of a child object with those inherited from this object" removes all explicit permissions of all child objects and enables inheritance of parent permissions for all subdirectories.
          It makes sense to use it when it’s easier to wipe everything and set up access rights to the subdirectory structure from scratch. This is especially true when rights were assigned to user accounts, a lot of “slag” has accumulated in the form of SIDs and disabled accounts, many subdirectories have inheritance of access rights disabled and in general everything is very sad, but there is a clear understanding of which user groups need which access rights. Then this option is very useful.
        15. When disabling inheritance of rights from the parent folder, you should select the option to convert inherited permissions to explicit ones.
          After conversion, remove unnecessary access rights, except for the access rights of administrators, system and creator-owner (see paragraphs 6 and 7).
        16. Let's look at the typical access rights (general security permissions) that can be set using the “Edit” button on the “Security” tab. We will also expand each standard access right in the additional security settings (the additional permissions display mode), reached with the “Advanced” button on the “Security” tab. This shows the scope of the typical permissions and the additional permissions they consist of.
          1. "Full access" includes all lower access rights. In the additional permissions display mode:
            Scope: “For this folder, its subfolders and files”, includes all additional permissions, including “Change permissions” and “Take ownership”.
          2. "Change" also includes all lower access rights. In the additional permissions display mode:
            Scope: “For this folder, its subfolders and files”, includes all additional permissions except “Delete subfolders and files”, “Change permissions” and “Take ownership”. The additional permission “Delete subfolders and files” is absent because these rights already exist in the form of the “Delete” permission with the scope “For this folder, its subfolders and files.”
          3. "Read and Execute" includes the “List folder contents” and “Read” access rights. In the additional permissions display mode:
            Scope: “For this folder, its subfolders and files”, includes the additional permissions “Traverse folder / execute file”, “List folder / read data”, “Read attributes”, “Read extended attributes”, “Read permissions”.
          4. "List folder contents". In the additional permissions display mode:
            Includes the same additional permissions as “Read and Execute” and differs only in its narrower scope: “For this folder and its subfolders.”
          5. "Read". In the additional permissions display mode:
            Scope: "For this folder, its subfolders and files", includes the same additional permissions as "Read and Execute", except for "Traverse folder / execute file".
          6. "Write". In the additional permissions display mode:
            Scope: “For this folder, its subfolders and files”, includes the additional permissions “Create files / write data”, “Create folders / append data”, “Write attributes” and “Write extended attributes”.
        17. Standard access rights are convenient due to their simplicity: there is no need to select a scope of application, and only general permissions are presented, so user access rights can be viewed and edited in one window. As a result, editing standard permissions takes less time than editing additional permissions (even in the general permissions display mode). On the other hand, to follow the principle of least privilege and preserve the integrity of top-down inheritance, standard rights should be used carefully.
        18. All standard access rights have a wide scope, so the specified rights apply to all child subfolders. Therefore, they should only be used for those users whose access rights will not need to be restricted in child subdirectories. This mainly concerns the access rights of administrators, the system, privileged employees, department heads and their deputies. In the following paragraphs we will consider each type of access right and the options for using it.
        19. "Full access" should only be assigned to administrators and the system; it is applied to the root folder and to subdirectories where inheritance from the parent is disabled.
        20. "Change" should be assigned to those employees who form the structure and hierarchy of directories in the subdirectories of their department: department heads and their deputies. However, this also gives them the ability to delete and rename subdirectories in the department folder. For a stricter policy, it is more advisable to configure change access rights for subdirectories through additional permissions, limiting the scope to “Only for subfolders and files.”
        21. "Read and Execute" should be used in subdirectories with executable files, for example, in the distribution folder. However, regular employees typically only need access to data, so it is better to use the “read” access right.
        22. "List folder contents" should only be used to view the folder hierarchy; files will not be visible when access-based enumeration is enabled. I don’t even know in what situations this would be useful; I have never had to use this access right in practice.
        23. "Read" is perhaps the most used access right. It is used for public folders with open data (for all employees), for exchange folders between departments (for employees of other departments), and for subfolders of departments (for department employees). You just need to take the wide scope into account: grant “read” rights only on a folder in whose subdirectories you will not later have to deny access by disabling inheritance of access rights.
        24. "Write" should be used to extend read or read-and-execute permissions on specific folders. The difference from the “change” access right is the absence of the “Traverse folder / execute file” and “Delete” permissions. The “write” access right on its own is meaningless and is only used in combination with the “read” or “read and execute” access rights.
        25. Let's look at access rights in advanced mode. The possible scopes of application of access rights are covered in the following items.
        26. "Only for this folder", in my opinion, is actively used at the upper levels of the folder hierarchy. For example, with this scope, “read” or “list folder contents” access is granted in the root folder and in the departments folder; starting from the subdirectories, a wider scope is applied and, if necessary, access rights are expanded.
        27. "For this folder, its subfolders and files" is the default scope. As a rule, extended access rights mode is entered in order to narrow this default scope.
        28. "For this folder and its subfolders": access rights apply only to directories. I don't remember ever having to use it in practice. It can be used to allow reading the attributes of folders only, to explicitly deny deletion of folders only, or for some other specific access rights that apply only to folders.
        29. "For this folder and its files" is convenient for targeted granting or expansion of access rights; rights are applied only at the current hierarchy level.
        30. "Only for subfolders and files" is used in conjunction with the "Only for this folder" scope. For example, we grant “read” access to the department head and his deputies in the department folder “Only for this folder” and add “change” access in the department folder “Only for subfolders and files.” Thus, in the department folder itself, employees will not be able to create folders or files, or rename the department folder; they will be able to make all changes starting from the subdirectories of the department folder.
        31. "Only for subfolders" is similar to the “For this folder and its subfolders” scope, but applied one level lower in the hierarchy.
        32. "For files only": I personally haven’t used it in practice. It is possible to combine read permissions “Only for this folder” with change permissions “For files only”. Thus, the user will not be able to create subdirectories and files in the folder, but will be able to edit and delete the files that already exist in it.
        33. Access rights in the mode of displaying additional permissions are akin to microsurgery; I don’t remember ever having to issue access rights so precisely and in detail. As a rule, standard access rights and options for the scope of their application are quite sufficient for ordinary organizations.
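
The periodic check recommended in item 13 can be scripted. The following PowerShell script is an added example, not part of the original article: it walks a share tree read-only, lists every explicit (non-inherited) entry on each folder, names its scope in the terms of items 26-32, and flags folders with inheritance disabled, orphaned SIDs left by deleted accounts (item 11) and explicit denies (item 12). The root path C:\Share and the function names Get-AceScope and Get-ShareAclReport are assumptions.

```powershell
# Added example, not from the original article. Read-only: it changes no permissions.
# Assumption: the share root is C:\Share, the folder used in the task on this page.
# Written for PowerShell 2.0 and later (no -Directory switch, no [pscustomobject]).

# Name an entry's scope in the terms of items 26-32 from its inheritance flags.
function Get-AceScope {
    param($Ace)
    $ci = ([int]$Ace.InheritanceFlags -band 1) -ne 0   # ContainerInherit: subfolders
    $oi = ([int]$Ace.InheritanceFlags -band 2) -ne 0   # ObjectInherit: files
    $io = ([int]$Ace.PropagationFlags -band 2) -ne 0   # InheritOnly: skips the folder itself
    $names = @{
        '000' = 'Only for this folder'
        '110' = 'For this folder, its subfolders and files'
        '100' = 'For this folder and its subfolders'
        '010' = 'For this folder and its files'
        '111' = 'Only for subfolders and files'
        '101' = 'Only for subfolders'
        '011' = 'For files only'
    }
    $key = "$([int]$ci)$([int]$oi)$([int]$io)"
    if ($names.ContainsKey($key)) { $names[$key] } else { "Unrecognized flags ($key)" }
}

# List every explicit (non-inherited) entry on the folders under $Root,
# with a note for anything that deserves a second look.
function Get-ShareAclReport {
    param([string]$Root)
    $folders = @(Get-Item -Path $Root) +
               @(Get-ChildItem -Path $Root -Recurse | Where-Object { $_.PSIsContainer })
    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }
            $notes = @()
            if ($acl.AreAccessRulesProtected) { $notes += 'inheritance disabled' }
            # Get-Acl shows a bare SID when the account no longer resolves to a name.
            if ($ace.IdentityReference.Value -match '^S-1-') { $notes += 'orphaned SID' }
            if ($ace.AccessControlType -eq 'Deny') { $notes += 'explicit deny' }
            New-Object PSObject -Property @{
                Folder   = $folder.FullName
                Identity = $ace.IdentityReference.Value
                Type     = $ace.AccessControlType
                Rights   = $ace.FileSystemRights
                Scope    = Get-AceScope $ace
                Notes    = $notes -join '; '
            } | Select-Object Folder, Identity, Type, Rights, Scope, Notes
        }
    }
}

if (Test-Path -Path 'C:\Share') {
    Get-ShareAclReport -Root 'C:\Share' | Format-List
}
```

Entries whose Identity is a user account rather than a group are the ones item 11 advises replacing with access groups.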

Below we will tell you how to configure different access rights for a specific directory in multi-user mode. The operating system in my example is . For other operating systems of the Windows family the steps are similar.

0. Task:

There are several running on the server in . For the folder "C:\Share", configure rights so that the group "Users" has read-only rights in this directory, and Administrators and the user "Onyanov" have both read and write rights.

1. Solution:

Find the required folder in Explorer, right-click on it and select "Properties".

In the folder properties window that opens, go to the "Security" tab and press "Edit...". The "Group permissions..." window opens, in which we see that security parameters have already been defined for 3 system groups. In particular, for the group "Administrators" full access to the folder is set. To add groups and users, click the "Add..." button.

In the window for selecting users and groups, click "Advanced...", and in the selection window click the "Find Now" button to display all groups and all users existing in the system. Select the group we need, "Users", from the search results and click "OK" to add it to the list.

Similarly, add the user "Onyanov" and click "OK" to complete the selection.

Now let's select permissions for each added entry. For the group "Users" we will set rights only for viewing the list, reading and executing files and, accordingly, for the user "Onyanov" check the "Full access" flag.

(Here you can either allow or deny any action with the folder for the selected user by setting the appropriate flag. Remember that deny rules always have higher priority than allow rules.)

Having selected the necessary parameters, click "Apply" to save the settings and click "OK" to close all the open windows.

That's it. We have set the security settings for the selected directory in accordance with the task at hand.



Across Russia, many firms and small enterprises have no system administrator on staff, either permanent or visiting from time to time. The company grows, and sooner or later one shared folder on the network, where everyone can do whatever they want, is no longer enough. Access control is required for different users or user groups on the MS Windows platform. Linux users and experienced admins, please do not read the article.

The best option is to hire an experienced administrator and think about buying a server. An experienced administrator will decide on the spot whether to deploy MS Windows Server with Active Directory or use something from the Linux world.

But this article was written for those who have decided to suffer on their own for now, without using modern software solutions. I will try to explain at least how to correctly implement the differentiation of rights.

Before we begin, I would like to cover a couple of points:

  • Any operating system “recognizes” and “distinguishes” real people through their accounts. It should be like this: one person = one account.
  • The article describes the situation that the company does not have its own admin and has not purchased, for example, MS Windows Server. Any regular MS Windows simultaneously serves no more than 10 people for WinXP and 20 people for Win7 over the network. This was done by Microsoft specifically so that Windows clients do not cross the path of Windows servers and you do not spoil Microsoft's business. Remember the number 10-20 and when your company has more than 10-20 people, you will have to think about buying MS Windows Server or ask someone to install a free Linux Samba server for you, which does not have such restrictions.
  • Since you do not have a competent administrator, an ordinary computer with a client MS Windows will pretend to be a file server. You will be forced to duplicate on it the user accounts from the other computers so that they can access the shared files. In other words, if the accountant Olya works on the company computer PC1 with an olya account, then on this “server” (hereinafter I will refer to it as WinServer) you need to create an account olya with the same password as on PC1.
  • People come and go. Staff turnover is everywhere, and if you are the poor person who is not an administrator and is assigned (forced) to support the company’s IT issues, then here is some advice for you. Create accounts that are not tied to a person. Create for managers - manager1, manager2. For accountants - buh1, buh2. Or something like that. Has the person left? Someone else won't be offended if they use manager1. Agree, this is better than Semyon using the olya account, since it’s broken or there’s no one to redo it and everything has been working for 100 years.
  • Forget words like: “make a password for the folder.” The days when passwords were imposed on resources are long gone. The philosophy of working with various resources has changed. Now the user logs into his system using an account (identification), confirming himself with his password (authentication) and is given access to all authorized resources. Login once and have access to everything - that's what you need to remember.
  • It is advisable to perform the following actions from the built-in Administrator account or from the first account in the system, which by default is included in the Administrators group.

Preparation.

In Explorer, turn off simplified sharing so that the settings we need become available.

  • MS Windows XP. Menu Tools - Folder Options - View. Uncheck Use the Sharing Wizard
  • MS Windows 7. Press Alt. Menu Tools - Folder Options - View. Uncheck Use simple file sharing.

Create a folder on your WinServer computer that will store your wealth in the form of files of orders, contracts, and so on. For me, as an example, it will be C:\dostup\. The folder must be created on a partition with NTFS.

Network access.

At this stage you need to make a folder available over the network (share it) so that other users can work with it from their computers on this local network.

And most importantly! Share the folder with full permission for everyone! Yes yes! You heard right. But what about access control?

We allow everyone to connect to the folder via the local network, BUT we will limit access using the security settings stored in the NTFS file system on which our directory is located.

  • MS Windows XP. On the desired folder (C:\dostup\) right-click and select Properties. Sharing tab - Full access.
  • MS Windows 7. On the desired folder (C:\dostup\) right-click and select Properties. Sharing tab - Advanced Sharing. Tick Share this folder. Fill out the Note. Click Permissions. The Everyone group must have the network right Full access.

Users and security groups.

You need to create the necessary user accounts. I remind you that if different user accounts are used on your various personal computers, then all of them must be created on your “server” with the same passwords. This can only be avoided if you have a competent administrator and computers in Active Directory. No? Then carefully create your accounts.

  • MS Windows XP.
    Local users and groups - Users. Action menu - New user.
  • MS Windows 7. Control Panel - Administration - Computer Management.
    Local users and groups - Users. Menu Action - Create user.

Now it's time for the most important thing - the groups! Groups allow you to include user accounts and simplify manipulations with the issuance of rights and access control.

The “imposition of rights” on directories and files will be explained below, but for now the main thing is to understand one idea. Rights to folders or files will be granted to groups, which can be figuratively compared to containers. And groups will already “transfer” rights to the accounts included in them. That is, you need to think at the level of groups, and not at the level of individual accounts.

  • MS Windows XP. Control Panel - Administration - Computer Management.
  • MS Windows 7. Control Panel - Administration - Computer Management.
    Local users and groups - Groups. Menu Action - Create group.

You need to include the right accounts in the right groups. For example, right-click the Accountants group and choose Add to group, or choose Properties and then the Add button. In the field Enter the names of the selected objects, type the name of the required account and click Check names. If everything is correct, the account will change to the form SERVER NAME\account_entry. For example, the buh3 account is resolved to WINSERVER\buh3.

So, the necessary groups have been created and user accounts are included in the necessary groups. But before the stage of assigning rights to folders and files using groups, I would like to discuss a couple of points.

Is it worth bothering with a group if there is only one account in it? I think it's worth it! The group gives flexibility and maneuverability. Tomorrow you will need to give another person B the same rights as a certain person with his account A. You will simply add account B to the group that already has A and that’s it!

It is much easier when access rights are granted to groups rather than to individuals. All you have to do is manipulate the groups and include the necessary accounts in them.

Access rights.

It is advisable to perform the following actions from the built-in Administrator account or from the first account in the system, which by default is included in the Administrators group.

So we’ve reached the stage where the magic of delineating access rights for different groups, and through them, users (more precisely, their accounts) actually happens.

So, we have a directory at C:\dostup\, which we have already made available to all employees over the network. Inside the C:\dostup\ directory, for the sake of example, we will create the folders Contracts, Orders, MC Accounting. Let's assume that there is a task to do:

  • the Contracts folder must be read-only for Accountants, and read and write for the Managers group.
  • the MC Accounting folder must be accessible to Accountants for reading and writing. The Managers group does not have access.
  • the Orders folder should be read-only for Accountants and Managers.

Right-click the Contracts folder and choose Properties - Security tab. We see that some groups and users already have access to it. These rights were inherited from the parent dostup\, which in turn inherited them from its parent C:

We will interrupt this inheritance of rights and assign our own desired rights.

Click the Advanced button - Permissions tab - button Change permissions.

First, we interrupt the inheritance of rights from the parent. Uncheck the box Add permissions that are inherited from parent objects. We will be warned that permissions from the parent will not apply to this object (in this case, the Contracts folder). Select: Cancel or Delete or Add. Click Add: the rights from the parent stay with us as a copy, but the parent's rights will no longer apply to us. In other words, if the access rights of the parent (the dostup folder) are changed in the future, this will not affect the child folder Contracts. Note that the Inherited from column now shows not inherited; that is, the parent - child link is broken.

Now we carefully remove the unnecessary rights, leaving Full access for Administrators and System. We select in turn the Authenticated Users and plain Users entries and delete them with the Delete button.

The Add button in this Additional security options window is intended for experienced administrators who are able to set special permissions. This article is aimed at the level of an experienced user.

Tick Replace all permissions of a child object with permissions inherited from this object and click OK. Click OK again to return to the simple Properties view.

This window will make it easier to achieve what you want. The Edit button will display the Group Permissions window.

Click Add. In the new window, write Accountants and click “Check names” - OK. By default, “read” access is given in a simplified form. The checkboxes in the Allow column are automatically set for “Read and Execute”, “List folder contents” and “Read”. We are happy with this and click OK.

Now, according to our task, we need to give read and write permissions to the Managers group. If we are in the Properties window, then again Change - Add - enter Managers - Check names. Tick the Change and Write checkboxes in the Allow column.

Now we need to check everything!

Follow the thought. We have ordered that the Contracts folder does not inherit rights from its parent dostup. We have ordered child folders and files inside the Contracts folder to inherit rights from it.

We have imposed the following access rights on the Contracts folder: the Accountants group may only read files and open folders inside, and the Managers group may create and modify files and create folders.

Therefore, if a document file is created inside the Contracts directory, it will have permissions from its parent. Users with their own accounts will have access to such files and directories through their groups.

Go to the Contracts folder and create a test file agreement1.txt

Right-click it and choose Properties - Security tab - Advanced - Effective permissions tab.

Click Select and write the account of any accountant, for example buh1. We can clearly see that buh1 has received rights from his Accountants group, which has read rights to the parent Contracts folder, which “extends” its permissions to its child objects.

Let's try manager2 and see clearly that the manager gets read and write access, since he is a member of the Managers group, which gives such rights for this folder.

In exactly the same way, by analogy with the Contracts folder, access rights are imposed for the other folders, following your task.
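
The same procedure for all three folders can be scripted with icacls. The script below is an added example, not the article's own code: it assumes Windows 7 or later (icacls with /inheritance), an elevated prompt, and that the folders Contracts, Orders and MC Accounting in C:\dostup\ and the local groups Accountants and Managers already exist. The helper names Invoke-Icacls and Set-FolderAccess are hypothetical.

```powershell
# Added example, not the article's own code. Run from an elevated prompt.
# Assumptions: Windows 7 or later (icacls with /inheritance), the folders already exist,
# and the local groups Accountants and Managers have been created as described above.
$root = 'C:\dostup'

# Folder -> group -> icacls right (RX = read and execute, M = modify), as in the task.
$plan = @{
    'Contracts'     = @{ 'Accountants' = 'RX'; 'Managers' = 'M' }
    'MC Accounting' = @{ 'Accountants' = 'M' }   # Managers get no entry, hence no access
    'Orders'        = @{ 'Accountants' = 'RX'; 'Managers' = 'RX' }
}

function Invoke-Icacls {
    # Run icacls and stop on the first failure instead of silently continuing.
    $output = & icacls.exe @args 2>&1
    if ($LASTEXITCODE -ne 0) { throw "icacls $args failed: $output" }
}

function Set-FolderAccess {
    param([string]$Path, [hashtable]$Grants)

    # Break inheritance, keeping a copy of the inherited entries (the "Add" choice).
    Invoke-Icacls $Path '/inheritance:d'
    # Remove the broad groups by well-known SID, so localized group names do not matter:
    # S-1-5-32-545 = BUILTIN\Users, S-1-5-11 = Authenticated Users.
    Invoke-Icacls $Path '/remove:g' '*S-1-5-32-545' '*S-1-5-11'
    # Grant each group its right for this folder, its subfolders (CI) and files (OI).
    foreach ($group in $Grants.Keys) {
        Invoke-Icacls $Path '/grant' ('{0}:(OI)(CI){1}' -f $group, $Grants[$group])
    }
    # Make existing children inherit from this folder only
    # (the "Replace all permissions of a child object" checkbox).
    if (Get-ChildItem -Path $Path) { Invoke-Icacls (Join-Path $Path '*') '/reset' '/T' }

    # Verify by SID: inheritance must be off, and only Administrators (S-1-5-32-544),
    # SYSTEM (S-1-5-18) and the planned groups should hold entries.
    $allowed = @('S-1-5-32-544', 'S-1-5-18')
    foreach ($group in $Grants.Keys) {
        $account  = New-Object System.Security.Principal.NTAccount($group)
        $allowed += $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    $acl   = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $extra = @($rules | Where-Object { $allowed -notcontains $_.IdentityReference.Value } |
               ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
    New-Object PSObject -Property @{
        Folder               = $Path
        InheritanceDisabled  = $acl.AreAccessRulesProtected
        UnexpectedPrincipals = $extra -join ', '
    }
}

foreach ($name in $plan.Keys) {
    Set-FolderAccess -Path (Join-Path $root $name) -Grants $plan[$name]
}
```

Any SID listed under UnexpectedPrincipals is an entry copied from the parent that the script did not remove; review it by hand, as in the manual step that leaves only Administrators and System.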

Bottom line.

  • Use NTFS partitions.
  • When you restrict access to folders (and files), manipulate groups.
  • Create accounts for each user. 1 person = 1 account.
  • Include accounts in groups. An account can be a member of different groups at the same time. If an account is in several groups and one group allows something, then it will be allowed for the account.
  • The Deny column (denying rights) takes precedence over Allow. If an account is in several groups and one group prohibits something, and another group allows it, then it will be prohibited for the account.
  • Remove an account from a group if you want to deny access that this group provides.
  • Think about hiring an admin and don’t offend him with money.

Ask questions in the comments, and correct me if needed.

The video shows a special case in which you just need to deny access to a folder, taking advantage of the fact that deny rules take precedence over allow rules.

