Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Permission Puzzle: Can't Exclude User but Allow Others to Access

06 Jan 2014   #1
tobor8thman

Windows 7 Professional 32 bit
 
 
Permission Puzzle: Can't Exclude User but Allow Others to Access

Hi All,

This is my first post here. I am trying hard to solve this permissions problem on my own--with lots of research, but I am truly stumped and I hope you can help.

Here is the overview:

I have FIVE PC's networked to a server, FOUR of them through Homegroup and FIFTH PC outside Homegroup. I want to exclude the FIFTH PC from all folders on the FOUR PC's and FOUR of the FIVE folders on the server. The FOUR PC's will have everything BUT Full Control access to the FIVE other folders on the server, but the FIFTH PC will be totally excluded from FOUR of those folders. with everything BUT Full Control over the FIFTH folder. These FIVE folders are on the "J" drive on the server, under a parent folder called "Network Shared Folders."

I learned that if you, or a group you belong to, have share permissions AND NTFS rights, you can browse into the share. I also learned that if you, or the group you belong to, are ONLY on the NTFS, you cannot browse into the share AND you cannot access any folders beneath the share, even if you have rights to them. The two other applicable rules: 1) when combining NTFS permissions and share permissions, the most restrictive effective permission applies and 2) permissions are combined when a user is not explicitly denied access. Finally, you should avoid using the "Deny" permission if possible.

When I set the share and NTFS permissions according to those rules, I either get all the PC's excluded from the folder,OR all the PC's are included. I think it has to do with my inability to place, omit or include "Everyone" in the proper place in the share permissions and NTFS, and setting the inheritance correctly. I noticed that if I set "Everyone" in Shared Permissions, it automatically appears in NTFS Permissions. I can't set it in one, but not the other, even if I remove inheritance from above.

Currently, I have the following permission settings which are not working properly because it allows User 5 to access Folders 1-4:



Any help would be greatly appreciated. Thanks.


My System SpecsSystem Spec
.
06 Jan 2014   #2
chev65

Windows 7 Ult, Windows 8.1 Pro,
 
 

When you say "server" is this an actual server with server software such as Windows server 2012 or, is the server just a Windows 7 machine with files that the other machines can access?

There is an easy way to do this using Homegroups,. Actual Windows servers aren't made to work with the Homegroup.
My System SpecsSystem Spec
06 Jan 2014   #3
Kaktussoft

Microsoft Community Contributor Award Recipient

Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1
 
 

subfolders1: ntfs security: Add explicit DENY all to user5 on subfolder1

If working... do the same to subfolder2 to 4
========
NTFS permissions users1-4 and users1-5 isn't needed. The folders are already accessible by EVERYONE through inheretence
My System SpecsSystem Spec
.

06 Jan 2014   #4
tobor8thman

Windows 7 Professional 32 bit
 
 

@chev65

Sorry, the "server" in the network is just a PC running Windows 8. I would like to know how to do it with Homegroups without giving the FIFTH PC access to the hundreds of files on the other FOUR PCs. Thanks.
My System SpecsSystem Spec
06 Jan 2014   #5
Kaktussoft

Microsoft Community Contributor Award Recipient

Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1
 
 

Is parent folder part of J?
are subfolder1 to subfolder2 part of what you call parent folder?
is subfolder5 part of same parent folder?
My System SpecsSystem Spec
06 Jan 2014   #6
tobor8thman

Windows 7 Professional 32 bit
 
 

@Kaktussoft,

Thanks for the quick reply. Here is the directory structure:

"J" Drive
|
|
Shared Network Folders ("Parent")
|
|
Sub-Folder 1
Sub-Folder 2
Sub-Folder 3
Sub-Folder 4
Sub-Folder 5

I don't want FIFTH PC to have access to Sub-Folders 1-4, but it can have access to Sub-Folder 5.
All the networked PC's run Windows 7 Professional. The "server" is just a PC running Windows 8.0 Pro
My System SpecsSystem Spec
06 Jan 2014   #7
Kaktussoft

Microsoft Community Contributor Award Recipient

Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1
 
 

Shares shown in #1 all have permissions EVERYONE and Administrators (both full access).

About NTFS permissions:
J-drive: You say administrators and EVERYONE have full control.
parentfolder: You say administrators and EVERYONE have full control. Is that inherited permissions or direct permissions on that folder?
subfolder 1-4:You say administrators and EVERYONE have full control. Is that inherited permissions or direct permissions on that folder? Why do you give user1-4 special permissions???? The are part of group EVERYONE and have full control anyway.
subfolder 5:You say administrators and EVERYONE have full control. Is that inherited permissions or direct permissions on that folder? Why do you give user1-5 special permissions???? The are part of group EVERYONE and have full control anyway.
My System SpecsSystem Spec
06 Jan 2014   #8
chev65

Windows 7 Ult, Windows 8.1 Pro,
 
 

Quote   Quote: Originally Posted by tobor8thman View Post
@chev65

Sorry, the "server" in the network is just a PC running Windows 8. I would like to know how to do it with Homegroups without giving the FIFTH PC access to the hundreds of files on the other FOUR PCs. Thanks.
With Homegroups this very simple. It's best not to mess with the NTFS permission settings unless it's absolutely necessary. In this case it's not required. We will assume that the NTFS permissions are still at the default settings.

I assume the one PC that requires limited access has never been included in the Homegroup. If it was included in the current Homegroup at one time then it's best leave the old Homegroup on all Homegroup machines then create a new one, allowing only the full access machines to join. This is a security step so the limited access machine can't automatically rejoin the old Homegroup unless you give it the Homegroup password.

At this point the limited access "non Homegroup" machine won't have access to any shared Library's on the Homegroup machines unless you add the "Everyone" share using the Homegroup sharing options.

Lets assume you want the limited access machine "non Homegroup" to have access to a single Library on one of the Homegroup machines.

To do this you need to right click a Homegroup Library, choose "Share with" choose "Specific People" click the drop down arrow, Add Everyone to the share with list, add read/write access as required, click Ok etc. If you want to add access to a certain drive then just add the drive location to a shared Library.

In this case the Everyone share refers to machines that are included in the local Workgroup.

Example of the Everyone share added to a Homegroup library in the picture.


Attached Images
Permission Puzzle: Can't Exclude User but Allow Others to Access-share-everyone.png 
My System SpecsSystem Spec
06 Jan 2014   #9
Kaktussoft

Microsoft Community Contributor Award Recipient

Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1
 
 

J is shared. parentfolder is shared.

But is userfolder1-4 also shared (in screenshot of post #1 it is)?
userfolder5 is shared as well? (not in screenshot)

You can access those folders using share parentfolder btw
My System SpecsSystem Spec
06 Jan 2014   #10
tobor8thman

Windows 7 Professional 32 bit
 
 

@Kaktussoft,

You said: "J is shared. parentfolder is shared.

But is userfolder1-4 also shared (in screenshot of post #1 it is)?
userfolder5 is shared as well? (not in screenshot)"


Thanks for your reply. Well, this is how I thought about it--it may be incorrect but this is what I did which I thought was a correct way to apply the rules. Users 1-5 are shared because they are part of the group "Everyone." I then gave Users 1-4 and User 5 special permissions because I did not want ANY USER to be able to modify the permissions, which they would have been able to do if they directly inherited the permissions of Everyone (because Users 1-5 are part of the group "Everyone.") If you look at the "Settings" column in #1 above, you will see more restrictive permissions under the column next to NFTS and SHARE permissions.
My System SpecsSystem Spec
Reply

 Permission Puzzle: Can't Exclude User but Allow Others to Access




Thread Tools Search this Thread
Search this Thread:

Advanced Search




Similar help and support threads
Thread Forum
you don't currently have permission to access this folder
Hello, I am on my Laptop, i have 3.5 IDE Hard Disk which is quiet few years old, my some Pictures and data is stored on it, now i am looking for few pictures of mine, and few notepads, i try to connect it on my laptop by using 3.5 hard drive ide enclosure caddy. problem is i keep getting ''you...
General Discussion
You don't currently have permission to access this folder
Hi, Im having trouble accessing an external hard drive. It says this when i try to access C:\Users i can view the rest of the hard drive though. When i go to change ownership it goes through the files and gets stuck on one particular file 3/4 times now and wont get past the one folder. Any...
General Discussion
I don't have permission to access my C drive!
On my new win7 home 64bit system I wanted to share my drives so that it would work with my other winxp computer as well so I used the trick of assigning permission to "Everyone" on all my drives. This worked great (better than the homegroup). However today I decided it wasn't a great idea to share...
Network & Sharing
appropriate permission to access
In the attempt to run the setup of a program I get this: “Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item.” I am the administrator. Usually, by right clicking the mouse, and selecting run as administrator, this...
Installation & Setup
Windows can't access file. May not have permission to access.
Hello, I am attempting to access an application.exe file on my desktop. Each time that I click on it the Windows message, "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." pops up. I am the system administrator so this...
General Discussion
Permission&Access&User Acount Woes
Permission is just my newest trouble! My computer crashed some weeks ago, & I never received a solution; I have Windows 7 Home Premium on, 32 bit, on a Toshiba Satellite laptop. It replaces one that was stolen from me; no frills is fine, but I have had many troubles! I am in exams online in...
Performance & Maintenance


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 03:25.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App