#11
Let's forget about shares in this discussion. It's the NTFS permissions that should be modified.
J drive: Do you really want EVERYONE to be able to do everything? (full control)
A folder on J [parentfolder]: Do you really want EVERYONE to be able to do everything? (full control).
Or do you want only user1-4 to have full access?
No, not really, I thought I was just following network best practices--initially establish the least restrictive NTFS permissions in the parent folder and THEN be restrictive in the child folders.
All I want to do is to have user accounts 1-4 to have full control over sub-folders 1-5, and user account 5 to have full control over sub-folder 5, BUT have NO access to sub-folders 1-4.
In case you were wondering, I've tested this sharing procedure and given the same advice countless times with great success.
Every step I've mentioned has been verified to work perfectly by every person who has followed those instructions.
The problems start when people unknowingly dive into the NTFS settings and start messing up default permissions. Because of this, returning them to default and unchecking any inherited permissions may be required.
No worries, your approach sounds logical. But I did mess with the NTFS settings, but only by accessing via Workgroup directory, not the Homegroup directory. Do I need to worry about non-default NTFS settings appearing and causing difficulties if user accounts 1-4 (and not user account 5) will be browsing the shares through Homegroup rather than Workgroup? Thx
@chev65,
Ok, I've structured the share permissions like you suggested and not messed around with the NTFS settings. . . AND IT WORKS! User account 5 has been excluded from all FOUR folders and has access to the FIFTH folder, while user accounts 1-4 have access to all FIVE folders. MANY THANKS, and you will be repped. BUT . . . I have one more additional question--Let's say I have a user account 6 which I want to put ON THE SAME PC as the excluded user account 5. BUT user account 6 must have access to all FIVE folders. How do I do that? Below is what I did so far:
- I selected the menu item Share with a Specific Person and chose user account 6, but the permissions for FOUR of the FIVE folders nevertheless denied user account 6 access. Why? The FIFTH folder had "Everyone" and "Homegroup" in its share permissions; the other FOUR folders had "Homegroup" but no "Everyone."
- If I make the FIFTH PC (containing user accounts 5 and 6) a member of the Homegroup, then user account 5 will have access to all FIVE files, which is not allowed.
So, is there a way to do this? Thx.
So user folder 1 to 4: Permissions allow HOMEGROUP. Most likely you removed EVERYONE and made the permission explicit instead of inherit(?)
user folder 5: Permissions allow HOMEGROUP and EVERYONE. Don't know yet if they are inherited or explicit on folder.
--------------
User folder 1 to 4 are accessible by all members of group HOMEGROUP. Give group MYGROUP access as well to user folder 1 to 4 (NTFS permissions). But first create the group and put the useraccount6 in that group.
Later you can add useraccount7 to MYGROUP to give him access as well.
Just made User Account 6 a member of MYGROUP through lusrmgr.msc. Added MYGROUP to NTFS permissions of folders 1-4 and set for "Full Control". RESULT: User Account 6 is denied access. I think you have to put Everyone in the NTFS permissions--it appears to work when you do that. But if you do that, then User 5 will have access to folders 1-4. I don't understand why your approach would not work, you should be able to list an individual user account or groups containing the user account under the permissions without including "Everyone" too to make it work, shouldn't you?
Which is why my way "the right way" is also the "ONLY" way to do this. I'm not about to go back and forth with anyone on this because as I've already mentioned, it's been tried many times and proven to work, there is no need to use any other method for this. There is also an easy way "same method" to allow access for this new user 6.
It's also easier to use the "Public" folders for this type of sharing because access to the Public folders is not limited with NTFS permissions.
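
Added example, not part of any post in this thread: the group-based setup discussed above (create MYGROUP, add user account 6, grant the group NTFS full control on folders 1-4), followed by a printout of both the NTFS ACL and the share permission for each folder. Over the network, access must be allowed by the share permissions and by the NTFS permissions, so both are shown side by side. The folder names, the share names (assumed equal to the folder names) and the parent path are placeholders.

```powershell
# Added example. Run from an elevated PowerShell prompt on the PC that hosts J:.
# All names below are placeholders for illustration, not values from the thread.
$Group   = 'MYGROUP'
$User    = 'useraccount6'
$Parent  = 'J:\parentfolder'                          # placeholder path
$Folders = 'folder1', 'folder2', 'folder3', 'folder4' # hypothetical names for folders 1-4

# Create the local group only if it does not exist yet.
net localgroup $Group 2>$null | Out-Null
if ($LASTEXITCODE -ne 0) {
    net localgroup $Group /add
}

# Add the account to the group (reports an error if it is already a member).
net localgroup $Group $User /add

foreach ($name in $Folders) {
    $path = Join-Path $Parent $name

    # NTFS side: grant the group full control.
    # (OI)(CI) makes the entry inherit to files and subfolders; F = full control.
    icacls $path /grant "${Group}:(OI)(CI)F"

    # Show the resulting NTFS ACL. Check that the group is listed and that
    # no unwanted entry (for example Everyone) grants more than intended.
    Write-Host "--- NTFS ACL for $path"
    icacls $path

    # Share side: the "Permission" lines list who may connect through the share.
    # Assumption: each folder is shared under its own folder name.
    Write-Host "--- Share permissions for $name"
    net share $name
}

# Show the group's members as a final check.
net localgroup $Group
```

A new group membership is picked up the next time the account logs on, so user account 6 should log off and on again before access is retested.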