Hi all,

I have a snooping user whom I need to stop access to opening files in a
particular folder without it being a really noticeable issue for him or
anyone else, unless they snoop.

I am attempting to deal with the situation via user rights, but have a user
rights conflict issue; I just can't see what I'm doing wrong.

Mapped drive location on SBS2003. Domain Users have full access to mapped
drive (G:\).

I have a folder, G:\BDT\Training, on which I want to set different user
access rights. I have ensured that rights are NOT being inherited from
the G:\ settings, and after I changed the rights on the folder as required,
that these were sent to all child objects.

* Security Group - Domain Admin users have full access
* Security Group - Training Folders users have full access
* Security Group - Inhouse AdminTeam Group users have list/read/read&execute
rights only (can see, open read-only data, can't update)
* Security Group - Domain Users - users have list rights only (can see
files, but no access to file contents)

Security Group - Domain Admin and Security Group - Training Folders works as
required.

My problem is with a conflict between the Inhouse AdminTeam Group and the
Domain Users group.

Members of the Inhouse AdminTeam Group are, of course, also members of the
Domain Users group.

If I add the Domain Users group to the folder, with right - list (only)
the Inhouse AdminTeam group can also only list - the extra rights of
read/read&execute are ignored. That is, they can see the file, but when they
try to open it, it says that it is encrypted or corrupted, and the file won't
open.

Please help.

TIA


--
Wendy

Re: User Rights Conflict On Folder/SubFolder Access by Larry

Larry
Fri Mar 28 05:11:37 PDT 2008

Hi Wendy:

You are going to have to find a different way of accomplishing this, as the
more restrictive rights assignment will always apply.

Maybe create a new security group that you can block and put the blocked
users in that group, with no reference to other groups, so that the
allowed users are not blocked.

--
Larry

Please post the resolution to
your issue so that all can benefit.





Re: User Rights Conflict On Folder/SubFolder Access by Steve

Steve
Fri Mar 28 06:03:00 PDT 2008

Wendy wrote:

>Hi all,
>
>I have a snooping user whom I need to stop access to opening files in a
>particular folder without it being a really noticeable issue for him or
>anyone else, unless they snoop.
>
>I am attempting to deal with the situation via user rights, but have a user
>rights conflict issue, I just can't see what I'm doing wrong.
>
>Mapped drive location on SBS2003. Domain Users have full access to mapped
>drive (G:\).
>
>I have a folder: G:\BDT\Training of which I want to set different user
>access rights to it. I have ensured that rights are NOT being inherited
>from
>the G:\ settings, and after I changed the rights on the folder as required,
>that these were sent to all child objects.
>
>* Security Group - Domain Admin users have full access
>* Security Group - Training Folders users have full access
>* Security Group - Inhouse AdminTeam Group users have
>list/read/read&execute
>rights only (can see, open read-only data, can't update)
>* Security Group - Domain Users - users have list rights only (can see
>files, but no access to file contents)
>
>Security Group - Domain Admin and Security Group - Training Folders works
>as
>required.
>
>My problem is with a conflict between the Inhouse AdminTeam Group and the
>Domain Users group.
>
>Members of the Inhouse AdminTeam Group are of course, also members of the
>Domain Users group.
>
>If I add the Domain Users group to the folder, with right - list (only)
>the Inhouse AdminTeam group can also only list - the extra rights of
>read/read&execute are ignored. That is, they can see the file, but when
>they
>try to open it, it says that it is encrypted or corrupted, and the file
>won't
>open.

Security privileges are aggregated, so a member of both AdminTeam and D.U.
will get the privileges of AdminTeam (if those are more generous).

The exception to this would be if you've used "Deny" settings anywhere,
since they will override all "Allow" options.

So if you have D.U. set explicitly to "Deny" everything but List, "Allow"
privileges inherited through other group membership (AdminTeam) won't apply.

--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.
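
Steve's description of Allow aggregation and Deny override, and the dedicated-group approach Larry suggested, as a small Python model (an added example, not posted by anyone in this thread). Rights are abstract flags rather than real NTFS access-mask bits, the ACLs are constructed from the groups Wendy listed, and the group name `Restricted Staff` is hypothetical.

```python
from enum import Flag, auto
from typing import NamedTuple

class Right(Flag):               # abstract rights, not real NTFS mask bits
    LIST = auto()
    READ = auto()
    EXECUTE = auto()
    WRITE = auto()

class Ace(NamedTuple):
    kind: str                    # "allow" or "deny"
    group: str
    rights: Right

def access_check(groups, dacl, desired):
    """Walk the ACEs with Deny entries first (canonical order). A Deny that
    covers a right not yet granted refuses the request; Allow entries from
    every group the user belongs to accumulate until the request is met."""
    granted = Right(0)
    for ace in sorted(dacl, key=lambda a: a.kind != "deny"):
        if ace.group not in groups:
            continue
        if ace.kind == "deny":
            if ace.rights & desired & ~granted:
                return False
        else:
            granted |= ace.rights & desired
        if granted == desired:
            return True
    return False

READ_ONLY = Right.LIST | Right.READ | Right.EXECUTE
NO_OPEN = Right.READ | Right.EXECUTE | Right.WRITE
# Constructed ACL for the Training folder, from the groups listed in the post.
AS_POSTED = [
    Ace("allow", "Domain Admin", READ_ONLY | Right.WRITE),
    Ace("allow", "Training Folders", READ_ONLY | Right.WRITE),
    Ace("allow", "Inhouse AdminTeam Group", READ_ONLY),
    Ace("allow", "Domain Users", Right.LIST),
]
DENY_ON_DOMAIN_USERS = AS_POSTED + [Ace("deny", "Domain Users", NO_OPEN)]
DENY_ON_OWN_GROUP = AS_POSTED + [Ace("deny", "Restricted Staff", NO_OPEN)]

ADMIN_TEAM_USER = {"Domain Users", "Inhouse AdminTeam Group"}
BLOCKED_USER = ADMIN_TEAM_USER | {"Restricted Staff"}   # constructed membership

if __name__ == "__main__":
    for name, dacl in [("allow only", AS_POSTED),
                       ("deny on Domain Users", DENY_ON_DOMAIN_USERS),
                       ("deny on own group", DENY_ON_OWN_GROUP)]:
        print(name, access_check(ADMIN_TEAM_USER, dacl, Right.READ))
```
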

Re: User Rights Conflict On Folder/SubFolder Access by Lanwench

Lanwench
Fri Mar 28 07:13:18 PDT 2008

Wendy <Wendy@discussions.microsoft.com> wrote:
> Hi all,
>
> I have a snooping user whom I need to stop access to opening files in
> a particular folder without it being a really noticeable issue for
> him or anyone else, unless they snoop.
>
> I am attempting to deal with the situation via user rights, but have
> a user rights conflict issue, I just can't see what I'm doing wrong.
>

<snipped for length>


My comment... abandon this technique. It's always going to be an immense
pain in the a__. Don't set different permissions on subfolders under the
same share. Move any data/folders that shouldn't have the same permissions
out to a different share, to which you control access via AD group
membership.

Although many have tried this, your current method is really going to be
impossible to administer in the long term, and ultimately, what you have is
a behavioral problem, not a technological one.

Just my $02 !



Re: User Rights Conflict On Folder/SubFolder Access by Larry

Larry
Fri Mar 28 07:43:38 PDT 2008

I agree, and that was my first thought. But I think I saw in Wendy's post
that this is a training share, so that the files probably need to be kept
together. If that is not the case, then absolutely separate them.

--
Larry

Please post the resolution to
your issue so that all can benefit.





Re: User Rights Conflict On Folder/SubFolder Access by Russ

Russ
Fri Mar 28 13:51:35 PDT 2008


"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message
news:OT$Rt3NkIHA.4684@TK2MSFTNGP06.phx.gbl...
> Wendy <Wendy@discussions.microsoft.com> wrote:
> Just my $02 !

Even at 2 bucks that's good advice :)

Russ :)



Re: User Rights Conflict On Folder/SubFolder Access by Wendy

Wendy
Sun Mar 30 18:22:02 PDT 2008

Thank you all for your help.

I too wish I could separate it out to make it easier to
control; however, it isn't an option at this time. Hopefully this will
only be an issue for another 12 months, then the person involved will have left
the picture, and more normal settings can be applied.

I have decided to take the advice to create a new security group and put the
blocked user in the group instead, along with others, with a fairly generic
name so it isn't obvious what is happening with the group. Then I can avoid
using the Domain Users group settings - fortunately, we don't have a high
turnover in staff so this shouldn't be a huge issue.

Thanks again.


--
Wendy

