Permission Puzzle: Can't Exclude User but Allow Others to Access


  1. Posts : 25
    Windows 7 Professional 32 bit
       #1


    Hi All,

    This is my first post here. I am trying hard to solve this permissions problem on my own--with lots of research, but I am truly stumped and I hope you can help.

    Here is the overview:

    I have FIVE PCs networked to a server, FOUR of them through Homegroup and the FIFTH PC outside Homegroup. I want to exclude the FIFTH PC from all folders on the FOUR PCs and FOUR of the FIVE folders on the server. The FOUR PCs will have everything BUT Full Control access to the FIVE other folders on the server, but the FIFTH PC will be totally excluded from FOUR of those folders, with everything BUT Full Control over the FIFTH folder. These FIVE folders are on the "J" drive on the server, under a parent folder called "Network Shared Folders."

    I learned that if you, or a group you belong to, have share permissions AND NTFS rights, you can browse into the share. I also learned that if you, or the group you belong to, are ONLY on the NTFS, you cannot browse into the share AND you cannot access any folders beneath the share, even if you have rights to them. The two other applicable rules: 1) when combining NTFS permissions and share permissions, the most restrictive effective permission applies and 2) permissions are combined when a user is not explicitly denied access. Finally, you should avoid using the "Deny" permission if possible.

    When I set the share and NTFS permissions according to those rules, I either get all the PCs excluded from the folder, OR all the PCs are included. I think it has to do with my inability to place, omit or include "Everyone" in the proper place in the share permissions and NTFS, and setting the inheritance correctly. I noticed that if I set "Everyone" in Shared Permissions, it automatically appears in NTFS Permissions. I can't set it in one, but not the other, even if I remove inheritance from above.

    Currently, I have the following permission settings which are not working properly because it allows User 5 to access Folders 1-4:



    Any help would be greatly appreciated. Thanks.


  2. Posts : 8,870
    Windows 7 Ult, Windows 8.1 Pro,
       #2

    When you say "server", is this an actual server with server software such as Windows Server 2012, or is the server just a Windows 7 machine with files that the other machines can access?

    There is an easy way to do this using Homegroups. Actual Windows servers aren't made to work with the Homegroup.


  3. Posts : 10,796
    Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1
       #3

    subfolders1: ntfs security: Add explicit DENY all to user5 on subfolder1

    If working... do the same to subfolder2 to 4
    ========
    NTFS permissions for users1-4 and users1-5 aren't needed. The folders are already accessible by EVERYONE through inheritance.
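Added example (not part of any post in this thread): a simplified Python model of the rules quoted in post #1 and the explicit-deny suggestion in post #3, applied to Sub-Folders 1-4. The ACL entries are constructed from the thread's description and the group name `Users1-4` is hypothetical; real Windows access checks evaluate individual rights and ACE order, which this model collapses into four levels.

```python
# Simplified model of share + NTFS evaluation; not Windows' real access-check algorithm.
# A Deny entry here blocks everything, and permissions are reduced to four levels.
LEVELS = {"None": 0, "Read": 1, "Modify": 2, "Full": 3}
NAMES = {v: k for k, v in LEVELS.items()}

# Constructed accounts: every user is implicitly a member of Everyone.
GROUPS = {f"user{i}": {"Everyone", f"user{i}"} for i in range(1, 6)}
for i in range(1, 5):
    GROUPS[f"user{i}"].add("Users1-4")  # hypothetical group for the four Homegroup PCs

def granted(acl, user):
    """One ACL: a matching Deny wins; otherwise Allow entries combine (highest level)."""
    sids = GROUPS[user]
    if any(kind == "deny" and who in sids for kind, who, _ in acl):
        return 0
    return max((LEVELS[lvl] for kind, who, lvl in acl
                if kind == "allow" and who in sids), default=0)

def effective(share_acl, ntfs_acl, user):
    """Over the network, the more restrictive of share and NTFS applies."""
    return min(granted(share_acl, user), granted(ntfs_acl, user))

# ACLs for one of Sub-Folders 1-4, constructed from what the thread describes.
SHARE = [("allow", "Everyone", "Full")]
AS_POSTED = [("allow", "Everyone", "Full"), ("allow", "Users1-4", "Modify")]
WITH_DENY = AS_POSTED + [("deny", "user5", "Full")]    # post #3: explicit Deny for user5
NO_EVERYONE = [("allow", "Users1-4", "Modify")]        # alternative without Deny: drop Everyone

def report(ntfs_acl):
    """Effective level for each user when reaching the folder through the share."""
    return {u: NAMES[effective(SHARE, ntfs_acl, u)] for u in sorted(GROUPS)}

if __name__ == "__main__":
    for label, acl in [("as posted", AS_POSTED), ("explicit deny", WITH_DENY),
                       ("Everyone removed", NO_EVERYONE)]:
        print(f"{label:17}", report(acl))
```

In the "as posted" case the extra Modify entry for users 1-4 changes nothing, because the Everyone entry already grants every user, user5 included, Full Control.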


  4. Posts : 25
    Windows 7 Professional 32 bit
    Thread Starter
       #4

    @chev65

    Sorry, the "server" in the network is just a PC running Windows 8. I would like to know how to do it with Homegroups without giving the FIFTH PC access to the hundreds of files on the other FOUR PCs. Thanks.


  5. Posts : 10,796
    Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1
       #5

    Is parent folder part of J?
    Are subfolder1 to subfolder2 part of what you call parent folder?
    Is subfolder5 part of same parent folder?


  6. Posts : 25
    Windows 7 Professional 32 bit
    Thread Starter
       #6

    @Kaktussoft,

    Thanks for the quick reply. Here is the directory structure:

    "J" Drive
    |
    |
    Shared Network Folders ("Parent")
    |
    |
    Sub-Folder 1
    Sub-Folder 2
    Sub-Folder 3
    Sub-Folder 4
    Sub-Folder 5

    I don't want FIFTH PC to have access to Sub-Folders 1-4, but it can have access to Sub-Folder 5.
    All the networked PCs run Windows 7 Professional. The "server" is just a PC running Windows 8.0 Pro.


  7. Posts : 10,796
    Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1
       #7

    Shares shown in #1 all have permissions EVERYONE and Administrators (both full access).

    About NTFS permissions:
    J-drive: You say administrators and EVERYONE have full control.
    parentfolder: You say administrators and EVERYONE have full control. Is that inherited permissions or direct permissions on that folder?
    subfolder 1-4: You say administrators and EVERYONE have full control. Is that inherited permissions or direct permissions on that folder? Why do you give user1-4 special permissions???? They are part of group EVERYONE and have full control anyway.
    subfolder 5: You say administrators and EVERYONE have full control. Is that inherited permissions or direct permissions on that folder? Why do you give user1-5 special permissions???? They are part of group EVERYONE and have full control anyway.


  8. Posts : 8,870
    Windows 7 Ult, Windows 8.1 Pro,
       #8

    tobor8thman said:
    @chev65

    Sorry, the "server" in the network is just a PC running Windows 8. I would like to know how to do it with Homegroups without giving the FIFTH PC access to the hundreds of files on the other FOUR PCs. Thanks.

    With Homegroups this is very simple. It's best not to mess with the NTFS permission settings unless it's absolutely necessary. In this case it's not required. We will assume that the NTFS permissions are still at the default settings.

    I assume the one PC that requires limited access has never been included in the Homegroup. If it was included in the current Homegroup at one time then it's best to leave the old Homegroup on all Homegroup machines then create a new one, allowing only the full access machines to join. This is a security step so the limited access machine can't automatically rejoin the old Homegroup unless you give it the Homegroup password.

    At this point the limited access "non Homegroup" machine won't have access to any shared Libraries on the Homegroup machines unless you add the "Everyone" share using the Homegroup sharing options.

    Let's assume you want the limited access "non Homegroup" machine to have access to a single Library on one of the Homegroup machines.

    To do this you need to right-click a Homegroup Library, choose "Share with", choose "Specific People", click the drop-down arrow, add Everyone to the share-with list, add read/write access as required, click OK, etc. If you want to add access to a certain drive then just add the drive location to a shared Library.

    In this case the Everyone share refers to machines that are included in the local Workgroup.

    Example of the Everyone share added to a Homegroup library in the picture. :)


  9. Posts : 10,796
    Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1
       #9

    J is shared. parentfolder is shared.

    But is userfolder1-4 also shared (in screenshot of post #1 it is)?
    userfolder5 is shared as well? (not in screenshot)

    You can access those folders using share parentfolder btw


  10. Posts : 25
    Windows 7 Professional 32 bit
    Thread Starter
       #10

    @Kaktussoft,

    You said: "J is shared. parentfolder is shared.

    But is userfolder1-4 also shared (in screenshot of post #1 it is)?
    userfolder5 is shared as well? (not in screenshot)"


    Thanks for your reply. Well, this is how I thought about it--it may be incorrect, but this is what I did, which I thought was a correct way to apply the rules. Users 1-5 are shared because they are part of the group "Everyone." I then gave Users 1-4 and User 5 special permissions because I did not want ANY USER to be able to modify the permissions, which they would have been able to do if they directly inherited the permissions of Everyone (because Users 1-5 are part of the group "Everyone.") If you look at the "Settings" column in #1 above, you will see more restrictive permissions under the column next to NTFS and SHARE permissions.


 