Access to shared files with Server Essentials role

timeshifter

I've got a customer with a Windows Server 2012 R2 box. It's set up as a DC. I've installed the Essentials Role on it as that is what they had before and wanted to keep some of the features. Now I'm kicking myself.

The file share permissions are a mess.

When you set up a new user in the Dashboard it walks you through a wizard and you determine what level of access that user has to different shares: Read, Read / Write, No Access.

They have 34 users, but not that many PCs. Maybe 18 PCs. There are two main groups of people based on which of the two business entities they belong to. Group A has share A and Group B has share B. There are a few users who access a QB share. And some users from both groups have extra privileges to certain folders.

It's getting a little too complex to manage through the Essentials role dashboard. Plus, it appears that these rights are given as share permissions. And based on what I've been reading, it works best to leave the Share permissions as Everyone and control access through NTFS permissions.

I want to go in and rip out all the share permissions manually and then assign NTFS permissions based on some groups I'll set up.

Am I going about this in the right way?
 
As you have found, the wizard directly adds permissions to the folders, and when you have lots of users it becomes a mess. Personally I create a folder structure outside of the Company folder and set my own permissions on the folders using groups and then add users to groups (managers, sales etc.) via Active Directory. When running through the wizard just leave all the permissions as no access.
 
↑ Do this. ↑ If you can, create one big share and then use a combination of AD groups with NTFS permissions and Access Based Enumeration to allow people access to what they need.
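
The layout suggested in the two replies above (one share, AD groups on NTFS, Access Based Enumeration), as an added PowerShell example that is not from the thread. The path, domain, folder and group names are hypothetical placeholders.

```powershell
# Added example. All names are hypothetical placeholders, not from the thread.
Import-Module ActiveDirectory

$root   = 'D:\Shares\Company'      # assumed folder outside ServerFolders
$domain = 'EXAMPLE'                # placeholder NetBIOS domain name
$map    = [ordered]@{              # subfolder -> AD group granted Modify
    'GroupA' = 'FS-GroupA-RW'
    'GroupB' = 'FS-GroupB-RW'
    'QB'     = 'FS-QB-RW'
}

# Root folder: drop inherited ACEs, give admins and SYSTEM full control, and
# let domain users list and traverse the root only (no inheritance flags).
New-Item -ItemType Directory -Path $root -Force | Out-Null
icacls $root /inheritance:r /grant:r `
    'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    "${domain}\Domain Users:(RX)"

foreach ($folder in $map.Keys) {
    $group = $map[$folder]
    $path  = Join-Path $root $folder

    # Create the security group once; membership is then managed in AD.
    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -GroupScope DomainLocal -GroupCategory Security
    }

    # Subfolders inherit the admin/SYSTEM ACEs from the root; add Modify for
    # the one group that owns this folder.
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    icacls $path /grant "${domain}\${group}:(OI)(CI)M"
}

# One share: the share ACL stays wide open and NTFS does the real filtering.
# Access Based Enumeration hides folders a user has no NTFS rights to.
New-SmbShare -Name 'Company' -Path $root -FullAccess 'Everyone' `
    -FolderEnumerationMode AccessBased
```

Users who need extra folders are added to the matching group in AD; no per-user ACEs are written to the file system.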
 
So my plan was to test this, create a new share, share it with Everyone, then add a group to the NTFS permissions to define access rights. It seems to work but has a peculiar side-effect. Maybe it's normal, maybe not. Let me walk you through it:

1) On the server I create a new folder at d:\serverfolders\test01. I right-click, go to properties and share it. Then I assign the Everyone group with RW access:

ScreenConnect_-_D949P282_-_Connected_2017-04-25_17-34-45.png


2) Next I head over and work on NTFS properties. I remove Everyone from the list and add the ACA group and give them Full Control:

ScreenConnect_-_D949P282_-_Connected_2017-04-25_17-41-50.png


3) When I go back and look at the Share permissions I see this:

ScreenConnect_-_D949P282_-_Connected_2017-04-25_17-43-53.png


I discussed this with a friend of mine and he was puzzled by that behavior. We were expecting to see the Share permissions as we left them. It looks like somehow the NTFS permissions are being translated to Sharing.

So, here are some possibilities:
  1. I'm doing it wrong
  2. Windows Server 2012 does it differently than older versions
  3. Windows Server Essentials Role is doing it differently
  4. It's working like it's supposed to, I need further education
Any thoughts?
 
Have you tried creating your shared folder outside of the ServerFolders folder? That's what I normally do and don't have an issue.
 
Yes, I tried it on some other machines and saw a similar result. I think in the end what I'm seeing on that last screenshot is what I call the effective or resultant sharing permissions, whether they're share or NTFS permissions. What I'm seeing there is the combination of share and NTFS.

Here's what you'd see if you go to the folder's Properties, Security tab, Advanced:

sharepermsissions.png


NTFS_permissions.png
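
To check what each layer actually holds after steps like the ones in this thread, the share ACL and the NTFS ACL can be read separately instead of through the sharing dialog. This is an added example, not part of any post; it assumes the test folder was shared under the name test01.

```powershell
# Added example: list the share ACL and the NTFS ACL of one share side by side.
# 'test01' is assumed to be the share name given to d:\serverfolders\test01.
function Get-SharePermissionLayers {
    param([Parameter(Mandatory)][string]$ShareName)

    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop

    # Layer 1: the SMB share ACL (Full / Change / Read), stored with the share.
    Get-SmbShareAccess -Name $ShareName | ForEach-Object {
        [pscustomobject]@{
            Layer     = 'Share'
            Identity  = $_.AccountName
            Type      = [string]$_.AccessControlType
            Rights    = [string]$_.AccessRight
            Inherited = $false
        }
    }

    # Layer 2: the NTFS ACL on the shared folder, stored on the file system.
    (Get-Acl -Path $share.Path).Access | ForEach-Object {
        [pscustomobject]@{
            Layer     = 'NTFS'
            Identity  = $_.IdentityReference.Value
            Type      = [string]$_.AccessControlType
            Rights    = [string]$_.FileSystemRights
            Inherited = $_.IsInherited
        }
    }
}

# Over the network a user gets the more restrictive of the two layers.
Get-SharePermissionLayers -ShareName 'test01' |
    Sort-Object Layer, Identity |
    Format-Table -AutoSize
```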
 