
How to share a folder on the server. Access rights on a file server in a domain environment

Attention! All actions are performed on the server itself, running the Windows Server 2003 operating system. They can also be performed on the server using the Terminal Server Control Service.

Everything below works only on the NTFS file system. If you still have FAT32 (or FAT16), convert your file system to NTFS. This is easily done with standard tools. At the command prompt, type convert [drive]: /FS:NTFS. For example: convert C: /FS:NTFS.

  • It is impossible to convert back to FAT.
  • When converting the system disk, you will be warned about the loss of descriptors; agree. This does not lead to data loss.
  • Reboot.

Open access

To share a folder over the network for a user, do the following:

Start Explorer.

Right-click the desired folder and select "Properties".

In the window that appears, select the option "Share this folder".

Assign a name to the shared resource. As a rule, the default is the name of the folder.

Leave "Maximum number of users" at the default, "Maximum allowed".

After the above actions, click the "Permissions" button.

Adding a user

Click the "Add" button and select the desired user from the list.

After adding the user, give them the appropriate rights: Full Control, Change, Read. The rights are set at the discretion of the administrator, that is, you.

To select the desired user, do the following:

After you press the "Add" button, a window appears where you can choose either a group or an individual user.

Enter the username manually (if you remember it by heart), or press the "Advanced" button and use the search to choose from the list of users.

After you have set everything you need on the "Sharing" tab, go to the "Security" tab and rejoice, "Oh God", at how much there is here.

Additional rights

Select the desired user and begin fine-tuning the rights: what the user may do and what not.

Pressing the "Advanced" button opens an even more extensive list of rights that define what the user may and may not do.

Also in the "Advanced" section, select the desired user:

Clear the "Allow inheritance ..." check box. If this is not done, all your actions will be in vain, and all subfolders will inherit rights from a higher level. As a rule, from the disk (where Everyone has only Read).

Select the "Replace permissions" check box.

Click "Apply", and the process of applying the rights for the current user will begin. This process can take a few minutes, depending on the number of files. File size does not matter in this case.

Problem: unable to access a network resource. The network folder is displayed ...

but when you try to open it, the system shows a message:

Windows cannot access \\computer\network_resource. Permission to access \\computer\network_resource is absent. Contact your network administrator to gain access.

In the Windows XP operating system, the same message reads:

No access to \\computer\network_resource. Perhaps you have no right to use this network resource. Contact your administrator to obtain appropriate access rights. Access denied


Why is there no access to a network resource?

The reason may be one of the following:

  • the user has no permission to access the shared resource.
    These rights are configured on the Sharing tab and apply only to access over the network.
  • the user has no permission at the NTFS level.
    These rights are configured on the Security tab and govern both network and local access.
  • the user has neither share permissions nor NTFS rights.

How to open access to the network folder for all users

Settings must be performed on the computer where the network resource is located.

We go into computer management:

Open the Shared Folders section. Select the Shares subsection and find the local path of the folder that is shared on the network.
In our example, the network resource temp corresponds to the local path C:\temp:


Find the local folder, right-click it and open Properties:


1. The first thing to check is the network access permissions. Open the Sharing tab and press the Advanced Sharing button:

Press the Permissions button:

Check for whom network access is open, and verify the rights.
For all users to be able to enter the network resource, the Everyone group must be added to the Share Permissions list.
In our case, full access is granted to the Everyone group. So the permissions for access over the network are in order:

2. The second thing to check is the NTFS rights. Go to the Security tab and check the permissions on the folder.
In our example, only the users and administrators of the local computer have access to this folder. This means that if we try to enter the network resource as a user who has no account on the local computer, we will be denied access.

To give access to the folder to all users, even those without an account on the local computer, add the same Everyone group to the list. To do this, press the Edit button:

Click Add:

Add the Everyone group and click OK.

Attention! It is not necessary to look for the group in the list of groups and users. You can simply type the word "Everyone" by hand, with a capital letter.


Now specify which operations are allowed for the group. To access and download files over the network, it is enough to allow:

  • Read;
  • Read & execute;
  • List folder contents.

After specifying the permissions, click OK to save the permission settings:

OK again:

Check. The folder is accessible both from a computer running Windows 7 and from a computer running Windows XP:
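The two checks above (share permissions, then NTFS permissions) can be read out in one pass. The following PowerShell is an added example, not part of the original article; it assumes the SmbShare module (Windows 8 / Server 2012 or later), uses the article's share name temp, and looks only at Allow entries for one SID without resolving group membership or Deny entries.

```powershell
# Added example (not from the original article). Needs the SmbShare module
# (Windows 8 / Server 2012 or later) and an elevated PowerShell prompt.
function Get-ShareLayerReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ShareName,
        # S-1-1-0 is the Everyone group. The SID is identical on every language
        # version of Windows; the display name is not.
        [string] $Sid = 'S-1-1-0'
    )
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $nameType = [System.Security.Principal.NTAccount]
    $share    = Get-SmbShare -Name $ShareName -ErrorAction Stop

    # Layer 1: share permissions, checked only for access over the network.
    $shareAces = foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
        $aceSid = try {
            ([System.Security.Principal.NTAccount]$ace.AccountName).Translate($sidType).Value
        } catch { $null }                      # account that no longer resolves
        $rights = [string]$ace.AccessRight     # Full, Change or Read
        [pscustomobject]@{
            Layer = 'Share'; Account = $ace.AccountName; Sid = $aceSid
            Type = [string]$ace.AccessControlType; Rights = $rights
            CanWrite = $rights -in 'Full', 'Change'
        }
    }

    # Layer 2: NTFS permissions on the local path, checked for every access.
    $write = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    $acl   = Get-Acl -LiteralPath $share.Path
    $ntfsAces = foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $name = try { $rule.IdentityReference.Translate($nameType).Value } catch { $null }
        [pscustomobject]@{
            Layer = 'NTFS'; Account = $name; Sid = $rule.IdentityReference.Value
            Type = [string]$rule.AccessControlType; Rights = [string]$rule.FileSystemRights
            # Generic-rights entries (shown as numbers) are not decoded here.
            CanWrite = (([int]$rule.FileSystemRights) -band $write) -ne 0
        }
    }

    # Which of the article's three causes applies to this SID?
    $shareAllow = @($shareAces | Where-Object { $_.Sid -eq $Sid -and $_.Type -eq 'Allow' })
    $ntfsAllow  = @($ntfsAces  | Where-Object { $_.Sid -eq $Sid -and $_.Type -eq 'Allow' })
    $verdict = if ($shareAllow.Count -eq 0 -and $ntfsAllow.Count -eq 0) {
        'missing at both layers'
    } elseif ($shareAllow.Count -eq 0) {
        'missing in share permissions (Sharing tab)'
    } elseif ($ntfsAllow.Count -eq 0) {
        'missing in NTFS permissions (Security tab)'
    } else {
        'granted at both layers'
    }

    [pscustomobject]@{
        Share = $share.Name; Path = $share.Path; Sid = $Sid; Verdict = $verdict
        # True when the SID is allowed to write through both layers at once.
        WritableOverNetwork = [bool]($shareAllow | Where-Object CanWrite) -and
                              [bool]($ntfsAllow  | Where-Object CanWrite)
        Aces = @($shareAces) + @($ntfsAces)
    }
}

# Example call for the article's share; then list the entries behind the verdict.
$report = Get-ShareLayerReport -ShareName 'temp'
$report | Format-List Share, Path, Verdict, WritableOverNetwork
$report.Aces | Format-Table Layer, Account, Sid, Type, Rights, CanWrite
```

With the settings described in this section (Everyone: Full Control on the share, read-only NTFS rights) the verdict is "granted at both layers" and WritableOverNetwork is False, because the NTFS layer is the more restrictive one.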



If you encounter an "error applying security settings", read how to fix it.

Wire or Wi-Fi and found that the computers do not see each other. And these computers run Windows 7, while computers with the old but dearly loved XP detect each other perfectly on the network and see the shared folders.

In Windows 7, networking and sharing were drastically reworked. "Network locations" appeared (home, work, public network and domain network). This was of course done for our own good, but it turned out, as they say, as always.

By default, Windows 7 treats all new networks as public, and very strict security rules apply to them: network discovery is disabled (the computer is blind and does not see other machines), file and printer sharing is disabled (other computers do not see shared folders and printers), and access to the computer from the network is blocked.

Since the gloomy times of Windows Vista, many people remember this network location screen, which appears whenever the computer connects to a new network.

So, how do you open access to network files in Windows 7 (share files)?
You can choose the home network every time you are asked to select a network location. Or you can configure the computer once for convenient use when connected to any network whose members you want to share files with. If you care about the safety of your confidential data, simply do not provide access to it and try not to give full access (read and write) to files and folders.

If you are afraid that third parties will gain access to your files when, for example, you are at the airport and connected to a Wi-Fi network, install the program

Kill Watcher

and close access to your computer from outside with two mouse clicks. Kill Watcher stops the Server service, and your files become unavailable on the network even for reading.

Preparing for sharing

Click the network icon in the tray and follow the link to the Network and Sharing Center.


In the window that appears, set the switches as shown in the screenshot:

Note. I do not recommend enabling the option that lets network users read and write files in the shared folders. These folders are located on the "C" drive, and by opening them for writing you open the way for Trojans and viruses onto your machine. Do it only if all the computers on the network are familiar to you and have anti-virus software installed.

How to share a file or folder
Right-click the folder or file and go to Properties.


Open the Sharing tab and click the Advanced Sharing button


Tick Share this folder and click the Permissions button

Click Add


In the window that appears, click Advanced


Press the Find Now button on the right in the middle (1); a list of services and users will appear in the bottom field of the window (2). Scroll down and find Network. Highlight Network (3) with the left mouse button and press OK (4). Then OK again.


In the field highlighted in yellow, you can set the rights for users who will connect to you over the network.

The differences between Full Control, Change and Read are shown in this table (material from Windows Help).

In short, the difference between full access and change is that with full access you can delete files.
When you have configured the desired rights for users, click OK twice and go to the Security tab of the folder properties window. Next, perform actions similar to those we performed when specifying the share permissions.

Press the Edit button.


In the window that appears, click Add.

Press the Advanced button in the next window.


Next click Find Now and locate Network in the list below. Highlight Network with the left mouse button and click OK. Confirm the choice by pressing OK twice.


In this window, as before in the sharing settings, set the desired security parameters. If you leave the list unchanged, the folder will get read permissions by default. Confirm your choice by clicking OK twice.

That's basically it. You can proceed to transfer files over the network.

If, despite all the above measures, the computer is still unavailable for others, try to disable Windows Firewall or the one that is embedded in your antivirus.

This is especially true for users of ESET Smart Security, which by default loves to block all network connections. KIS sometimes sins this way too.

If even then the computer could not be reached, try rebooting and accessing it by typing its address in the Explorer address bar (in any window). The address must be preceded by two backslashes (\\).

In the Windows operating system, you can set up a shared folder on the local home network to exchange data between computers. This is a very convenient and fast way to transfer files computer-to-computer, without using external media (flash drives, external hard drives, memory cards, etc.).

In this article, I will describe creating a local network using Windows 10 as the example. Creating and configuring a local network in Windows 8 and Windows 7 is done in a similar way; this guide is universal.

The article discusses the following way of using shared folders on the local network: several computers, connected by cable and by Wi-Fi, are connected to a router and combined into a home network. A shared folder is created on each computer, and all computers on this local network have access to the shared folders.

The computers connected to the home local network can run Windows 10, Windows 8 or Windows 7 (different operating systems or the same one) and be connected to the router by Wi-Fi or cable.

Creating and configuring the local network takes four stages:

  • first stage - checking the workgroup name and the network card settings
  • second stage - creating and configuring the local network parameters
  • third stage - sharing a folder on the local network
  • fourth stage - exchanging data over the local network

First check the workgroup parameters and the network card settings, and then create the local Windows network.

Checking the network card and workgroup settings

On the desktop, right-click the "This PC" icon ("My Computer", "Computer") and select "Properties" in the context menu. In the System window, click "Advanced system settings".

In the "System Properties" window that opens, click the "Computer Name" tab. Here you will see the name of the workgroup. By default, in Windows 10 the workgroup is named "WORKGROUP".

On all computers connected to this local network, the workgroup name must be the same. If the computers connected to the network have different workgroup names, change them, choosing a single name for the workgroup.

To do this, click the "Change..." button and, in the "Computer Name/Domain Changes" window, give the workgroup another name (write the new name in capital letters, preferably in English).

Now check the network card settings. To do this, right-click the network icon (Internet access) in the notification area. Click "Network and Sharing Center". In the "Network and Sharing Center" window, click the "Change adapter settings" link.

In the Network Connections window, select a network card, Ethernet or Wi-Fi, depending on how the computer is connected to the Internet. Next, right-click the network card and choose "Properties" in the context menu.

In the network card properties window, on the "Networking" tab, select the "Internet Protocol Version 4 (TCP/IPv4)" component, and then click the "Properties" button.

In the Internet Protocol properties window that opens, on the General tab, check the IP address and DNS server parameters. In most cases these parameters are assigned automatically. If they are entered manually, check the appropriate addresses with your Internet provider (the IP addresses of the computers connected to the network must differ).

After checking the parameters, you can go directly to creating the local network in Windows.

Creating a local network

First of all, configure the local network parameters in Windows. Open the "Network and Sharing Center" and click "Change advanced sharing settings".

In the "Advanced sharing settings" window, the sharing options are configured for the different network profiles. For each network it uses, Windows creates a separate network profile with its own parameters.

In total, three network profiles are available:

  • Private
  • Guest or Public
  • All Networks

In the Private network profile, under "Network discovery", select "Turn on network discovery".

Under "File and printer sharing", select "Turn on file and printer sharing".

Under "HomeGroup connections", select "Allow Windows to manage homegroup connections (recommended)".


After that, open the "All Networks" profile. Under "Public folder sharing", select "Turn on sharing so anyone with network access can read and write files in the Public folders".

Under "File sharing connections", select "Use 128-bit encryption to help protect file sharing connections (recommended)".

Under "Password protected sharing", select "Turn off password protected sharing".


After completing the settings, click on the "Save Changes" button.

Repeat all these actions on all computers that you plan to connect to the home LAN:

  • check the workgroup name (the name must be the same)
  • check the network card settings
  • in the sharing settings, turn on network discovery, turn on file and printer sharing, and turn off password protected sharing.

How to share a folder

In this case, I created a folder named "General". Right-click this folder and, in the folder properties window, open the "Sharing" tab.

Then click the "Advanced Sharing" button.

In the "Advanced Sharing" window, select "Share this folder", and then click the "Permissions" button.

Select the permissions for using the shared folder data from another computer. There are three options:

  • Full Control
  • Change
  • Read

To save the settings, click on the "OK" button.

Return to the folder properties, open the Security tab, and then click the "Edit..." button.

In the window that opens, enter the name "Everyone" (without quotes) in the "Enter the object names to select" field, and then click the "OK" button.


In the folder properties window, on the Security tab, configure the permissions that you previously selected for the shared folder.

To change the permissions for the "Everyone" group, click the "Advanced" button. In the "Advanced Security Settings" window for the shared folder, highlight the "Everyone" group, and then click the "Edit" button to change the permissions.

The local network setup in Windows is complete. In some cases, it may be necessary to restart the computer for all changes to take effect.

Logging in to the local home network

Open Explorer; in the "Network" section you will see all available computers connected to the local home network. To log on to another computer, click the computer name, and then click the name of the shared folder to access the files and folders in it.

The local network in Windows 10 is created and configured.

Fixing some network problems

Sometimes, after setting up the network, there are problems accessing folders on the local network. One possible cause is an incorrectly selected network profile. I ran into this myself on my computer. After reinstalling the system, I created and configured the local network, but my computer did not see the two laptops connected to this network. From a laptop you could easily open the shared folder on my computer, but my computer did not see the laptops at all.

I checked all the local network settings several times, and only then noticed that the public network profile was active on my computer, not the private (home) one, as on the laptops. How can such a problem be solved?

Open the "Network and Sharing Center" and click "Troubleshoot problems". Select the "Shared Folders" section and run the diagnostics and troubleshooting. At the very end, the application will offer to configure the network as private. Apply this fix, and then restart the computer. After performing this operation, my computer gained access to the shared folders on the laptops on the local network.

Problems often arise because of the network. In Windows 10, you can reset the network settings to their defaults. Open "Settings", "Network & Internet", and in the "Change your network settings" section click "Network reset" to apply the default network settings.

Other problems may occur; look for their solutions on the Internet.

Conclusion

In Windows, you can create a local private (home) network between computers to organize data exchange using shared folders and to access a printer. The computers on one network can run different or the same operating systems (Windows 10, Windows 8, Windows 7).

It is a generally accepted norm and their presence will not surprise anyone. Thanks to the availability of Internet connections, various online services are becoming increasingly popular. Among the most popular are network folders and remote resources, organized both on the home network and provided by your Internet provider. Most often everything works as it should, but from time to time errors occur that prevent normal work and that an ordinary user does not know how to solve. Among the most common are "no access to the network folder" errors. Some of them are denoted by a numeric or alphanumeric code, for example 1231 or 0x800704CF. These problems can have various causes. In this article, we invite you to go through all the causes and offer ways to solve them.

No access to the network folder

Imagine that you have several computers between which you want to set up a home network so that you do not have to keep copying the necessary files. In this case, you need to create a folder on one of the computers and make it publicly available for access from any other device with Internet access. It can even be a smartphone or tablet.

One of the most common errors when working with remote folders is "no access to the network folder"; error code 0x800704CF may be shown. In Explorer you see the shared network folder, but when you try to open it, you receive the message "No access to the resource". The exact message text may differ depending on the version of the operating system. What are the possible reasons for such a problem? There may be several:

  • The individual user was not granted access rights to the folder located on the network.
  • The user has no permission to access the network resource at the operating system security level.
  • The user has no permissions to access the resource at all.


Each problem can be solved. Let's look in more detail.

Setting up a network folder for each user

All settings must be performed on the computer or resource where the contents of the folder are stored. To configure user access to the folder:

  1. Go to Computer Management (depending on the version of the operating system, right-click the My Computer icon on the Windows desktop or the Start button, then select Manage or Computer Management) and select Shared Folders - Shares.
  2. In the list of resources, find the folder you cannot access and see its location on the hard disk.
  3. Open Explorer and find the desired folder (Windows 10 users can perform the further actions without switching to Explorer, simply by right-clicking directly in the Computer Management utility).
  4. Right-click it and select Properties - Sharing - Advanced Sharing - Permissions (or Properties - Share Permissions).
  5. You will see at least two entries: Administrators and Everyone. Move the cursor to the Everyone entry and make sure that all items in the Allow column are ticked (Full Control, Change, Read). If some item has a tick in the Deny column, remove it from there and put it in the Allow column.
  6. Confirm the changes by clicking Apply - OK, and then try to use the network resource again.


Right-click "Computer" and select Manage in the context menu.

Setting up resource access at the system security level

Sometimes access by others to the network resource is prohibited at the operating system security level. To correct the problem:

  1. In the Properties window, open the Security tab and click the Edit button, and then Add.
  2. In the "Enter the object names to select" field, type Everyone with a capital letter, and click OK.
  3. After you are returned to the list of groups and users, move the cursor to the newly added Everyone group and tick the actions you want to allow. The items ticked by default are enough to read data from a remote network resource.
  4. Click Apply - OK - OK and try to access the network folder.

Error 1231 occurs when trying to connect to the Internet

Error 1231 occurs when a Windows computer cannot access resources located on a remote server. It most often occurs when the Internet provider gives access to the global network using VPN technology. It may also occur when attempting to access a local resource of the network access provider. If access worked and suddenly disappeared, the problem may have one of the following causes:

  • problems on the provider's side;
  • a break in communication between the subscriber and the server;
  • failure of the computer's network card;
  • network card driver failure;
  • the operating system's security system blocks the VPN connection;
  • an incorrectly configured or disabled local area connection;
  • actions of viruses.

First of all, check whether error 1231 is the fault of the Internet provider. To do this, open the command line (Win + R - cmd, or right-click the Start button - Command Prompt) and enter the following command:

net view \\domain:domain name,

where domain name is the address of the server that the provider gave you for connecting to the World Wide Web. If "System error 53. The network path was not found" is shown, then the problem is on the service provider's side. In this case, you should contact technical support.

If no such error appears, you will have to look for the cause in your Windows computer or laptop. What can be done to correct error 1231?

Conclusion

We hope that we helped you solve the problem of access to network resources with codes 1231 and 0x800704CF. We are confident that if you follow our instructions exactly, you will be able to solve everything yourself. In the comments, please tell us whether you managed to deal with the problem without the help of specialists.


Across Russia, many firms and small enterprises do not have a system administrator on staff, either permanent or visiting from time to time. The company grows, and sooner or later one shared folder on the network, where everyone can do what they want, is no longer enough. Access has to be separated for different users or user groups on the MS Windows platform. Linux users and experienced admins, please do not read this article.

The best option is to hire an experienced admin and think about buying a server. An experienced admin will decide on the spot whether to set up MS Windows Server with Active Directory or use something from the Linux world.

But this article is written for those who have decided to suffer on their own, without modern software solutions. I will try to explain at least how to implement the separation of rights.

Before starting, I would like to go over a couple of points:

  • Any operating system "recognizes" and "distinguishes" real people through their accounts. It should be like this: one person = one account.
  • The article describes the situation where the company has no admin of its own and has not purchased, for example, MS Windows Server. Any ordinary MS Windows serves no more than 10 people over the network at a time for WinXP and 20 for Win7. Microsoft did this deliberately so that client Windows does not get in the way of Windows servers and you do not spoil Microsoft's business. Remember the number 10-20, and when your company has more than 10-20 people, you will have to think about buying MS Windows Server or ask someone to set up a free Linux Samba server for you, which has no such restrictions.
  • If you do not have a competent admin, your ordinary computer with client MS Windows will play the role of a file server. You will have to duplicate on it the user accounts from the other computers in order to access the shared files. In other words, if PC1 has the accountant Olya with the account Olya, then on this "server" (hereinafter WinServer) you need to create an Olya account with the same password as on PC1.
  • People come and go. Staff turnover is everywhere, and if you are that poor person who is not an admin but has been appointed (forced) to support the company's IT, here is some advice. Make accounts that are not tied to a person. Create MANAGER1, MANAGER2 for managers; BUH1, BUH2 for accountants; or something similar. Someone has left? The next person will not mind using MANAGER1. You must agree this is better than someone else using the Olya account because there is no time or no one to redo it and everything has been working for 100 years.
  • Forget phrases like "put a password on the folder". The days when passwords were placed on resources are long gone. The philosophy of working with resources has changed. Now the user logs in to the system with an account (identification), confirms it with a password (authentication), and is given access to all permitted resources. Log in once and get access to everything: that is what you need to remember.
  • It is advisable to perform the actions below from the built-in Administrator account or from the first account in the system, which by default is a member of the Administrators group.

Preparation.

In Explorer, turn off simplified access to the things we need.

  • MS Windows XP. Tools menu - Folder Options - View. Clear the Use Sharing Wizard check box.
  • MS Windows 7. Press Alt. Tools menu - Folder options - View. Clear the Use simple file sharing check box.

On the WinServer computer, create a folder that will store your wealth in the form of files of orders, contracts and so on. In my example it will be C:\Dostup\. The folder must be created on an NTFS partition.

Network access.

At this stage you need to share the folder over the network so that other users can work with it from their computers on this local network.

And the most important thing! Share the folder with full permission for everyone! Yes, yes! You heard right. But what about access separation?

We allow everyone on the local network to connect to the folder, but we will restrict access with the security mechanisms of the NTFS file system on which our directory is located.

  • MS Windows XP. Right-click the desired folder (C:\Dostup\) and choose Properties. Sharing tab - Full Control.
  • MS Windows 7. Right-click the desired folder (C:\Dostup\) and choose Properties. Sharing tab - Advanced Sharing. Tick Share this folder. Fill in the Comments field. Click Permissions. The Everyone group must have the Full Control right over the network.

Users and security groups.

You need to create the necessary user accounts. I remind you that if different accounts are used on the users' numerous personal computers, then all of them must be created on your "server", with the same passwords. This can be avoided only if you have a competent admin and the computers are in Active Directory. No? Then painstakingly create the accounts.

  • MS Windows XP.
    Local Users and Groups - Users. Action menu - New User.
  • MS Windows 7. Control Panel - Administrative Tools - Computer Management.
    Local Users and Groups - Users. Action menu - New User.

Now it is the turn of the most important thing: groups! Groups let you include user accounts in them and simplify granting rights and separating access.

Applying rights to directories and files is explained a little below, but for now the main thing is to grasp one idea. Rights to folders or files will be granted to groups, which can figuratively be compared to containers. The groups will then "pass" the rights on to the accounts included in them. That is, you need to think at the level of groups, not at the level of individual accounts.

  • MS Windows XP. Control Panel - Administrative Tools - Computer Management.
  • MS Windows 7. Control Panel - Administrative Tools - Computer Management.
    Local Users and Groups - Groups. Action menu - New Group.

You need to include the necessary accounts in the necessary groups. For example, right-click the Accountants group and choose Add to Group, or Properties and then the Add button. In the Enter the object names to select field, enter the name of the required account and click Check Names. If everything is correct, the account name will change to the form SERVERNAME\account_name. In the figure above, the BUH3 account was resolved to WinServer\BUH3.

So, the necessary groups are created and the user accounts are included in them. But before the stage of assigning rights to folders and files through groups, I would like to discuss a couple of points.

Is it worth bothering with a group if there is only one account? I think it is! A group gives flexibility and room to manoeuvre. Tomorrow you will need to give another person the same rights as a certain person with account A. You just add that person's account to the group where account A already is, and that's it!

It is much easier when access rights are granted to groups, not to individual persons. You only have to manage the groups and the inclusion of the necessary accounts in them.

Access rights.

It is advisable to perform the actions below from the built-in Administrator account or from the first account created in the system, which belongs to the Administrators group by default.

So we have reached the stage where the magic of separating access rights happens: for the various groups and, through them, for users (more precisely, their accounts).

So, we have a directory at C:\Dostup\, which has already been shared to all employees. Inside C:\Dostup\ we will create, as an example, the folders contract, orders and accounting of MC. Suppose the task is:

  • the contract folder must be read-only for accountants and read-write for the managers group.
  • the accounting folder must be read-write for accountants. The managers group has no access.
  • the orders folder must be read-only for accountants and managers.

Right-click the contract folder and choose Properties - Security tab. We see that some groups and users already have access to it. These rights were inherited from the parent folder Dostup, which in turn inherited them from its own parent, C:

We will break this inheritance and assign our own rights as we see fit.

Click the Advanced button - Permissions tab - Change Permissions button.

First, break the inheritance of rights from the parent. Clear the check box Include inheritable permissions from this object's parent. We are warned that permissions from the parent will no longer apply to this object (in this case, the contract folder). The choices are Cancel, Remove or Add. We click Add, and the rights from the parent stay with us as a legacy, but the parent's rights will no longer propagate to us. In other words, if the access rights on the parent (the Dostup folder) change in the future, this will not affect the child folder contract. Note that the Inherited From column now reads Not inherited. That is, the parent-child link is broken.

Now carefully remove the unneeded rights, leaving Full Control for Administrators and SYSTEM. Select each Authenticated Users entry and plain Users entry in turn and remove it with the Remove button.

The Add button in this Advanced Security Settings window is intended for experienced admins who are able to set special permissions. This article is aimed at the level of an experienced user.

Tick the check box Replace all child object permissions with inheritable permissions from this object and click OK. Then click OK again to return to the simple view of the properties.

This window makes it easier to achieve what we want. The Edit button opens the "Permissions for group" window.

Click Add. In the new window type accountants and click Check Names, then OK. By default, read access is granted in simplified form: the Allow column has check marks for "Read & execute", "List folder contents" and "Read". That suits us, so click OK.

Now, according to our task, we need to give read and write rights to the managers group. If we are back in the Properties window, click Edit again - Add - type managers - Check Names. In the Allow column, tick the Modify and Write check boxes.

Now you need to check everything!

Follow the reasoning. We told the contract folder not to inherit rights from its parent Dostup. We told the child folders and files inside the contract folder to inherit rights from it.

On the contract folder we set the following access rights: the accountants group may only read files and open folders inside it, while the managers group may create and change files and create folders.

Consequently, if a file is created inside the contract directory, it will have the permissions of its parent. Users, with their accounts, will get access to such files and directories through their groups.

Go into the contract folder and create a test file contract1.txt.

Right-click it and choose Properties - Security tab - Advanced - Effective Permissions tab.

Click Select and type the account of any accountant, for example BUH1. We can clearly see that BUH1 received its rights from the accountants group, which has read rights on the parent folder contract, which in turn "hands down" its permissions to its child objects.

We try Manager2 and clearly see that the manager gets read and write access, because the manager belongs to the managers group, which grants those rights on this folder.

In exactly the same way as for the contract folder, set the access rights for the other folders, following your task.
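
The same contract-folder setup scripted in PowerShell, as an added example that is not part of the original article. It assumes the folder is C:\Dostup\contract and that local groups named accountants and managers exist on the server; the two well-known SIDs stand for the built-in Users and Authenticated Users entries.

```powershell
# Added example, not from the original article.
# Assumptions: the folder path and the two local group names below.
$path        = 'C:\Dostup\contract'
$accountants = "$env:COMPUTERNAME\accountants"
$managers    = "$env:COMPUTERNAME\managers"

# Step 1: break inheritance but keep a copy of the inherited entries
# (the "Add" choice in the dialog). Arguments: protect = $true, preserve = $true.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $path -AclObject $acl

# Step 2: re-read the ACL (the copied entries are explicit now) and drop the
# broad entries. Well-known SIDs are used because the display names differ on
# localized Windows: S-1-5-32-545 = Users, S-1-5-11 = Authenticated Users.
$acl = Get-Acl -Path $path
foreach ($sid in 'S-1-5-32-545', 'S-1-5-11') {
    $identity = New-Object System.Security.Principal.SecurityIdentifier($sid)
    $acl.PurgeAccessRules($identity)
}

# Step 3: grant rights to groups only. Both entries apply to
# "This folder, subfolders and files" so that new children inherit them.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$readRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $accountants,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    $inherit, $noProp, $allow)
$modifyRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $managers,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    $inherit, $noProp, $allow)

$acl.AddAccessRule($readRule)
$acl.AddAccessRule($modifyRule)
Set-Acl -Path $path -AclObject $acl

# Step 4: the "Replace all child object permissions..." check box.
# icacls /reset puts every existing child back on inherited-only permissions.
icacls "$path\*" /reset /T /C /Q | Out-Null

# Check: a file created inside the folder must carry only inherited entries
# (IsInherited = True) for Administrators, SYSTEM, accountants and managers.
$test = Join-Path $path 'contract1.txt'
New-Item -Path $test -ItemType File -Force | Out-Null
(Get-Acl -Path $test).Access |
    Sort-Object IdentityReference |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Run it from an elevated session; any entry in the final table with IsInherited = False means the file still has an explicit permission that the folder-level groups do not control.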

Outcome.

  • Use NTFS partitions.
  • When you grant access to folders (and files), work with groups.
  • Create an account for each user. 1 person = 1 account.
  • Include accounts in groups. An account can belong to several groups at once. If an account is in several groups and any one of them allows something, then it is allowed for the account.
  • The Deny column (denying rights) takes priority over Allow. If an account is in several groups and one group denies something while another allows it, then it is denied for the account.
  • Remove an account from a group if you want to revoke the access that group gives.
  • Think about hiring an admin, and pay them properly.

Ask questions and send corrections in the comments.

The video shows a special case in which you only need to deny access to a folder, relying on the fact that deny rules take priority over allow rules.

I will try to formulate a set of general rules, recommendations and theses for organizing access rights on a file server in a domain environment on Windows Server 2012 R2, based on my own experience and observations:

        1. Do not install any roles or services on the file server other than the file server role. The cleaner, the better. We set up data replication to another file server, backups to a backup server, monitoring / auditing / scripts, and that is all... RDP access should be available only to administrators; there is no need to deploy a terminal server, install client software and let users onto the server.
        2. Users get access to data through a share on the root folder (in my opinion, only one root folder should be "shared"). There is no point in publishing several folders on one disk at the same level of the hierarchy, since everything is handled perfectly well by the access rights on the Security tab and the "Access Based Enumeration" (ABE) option: folders to which a user has no access are simply not displayed. On Windows Server 2012 R2 servers, the ABE option is here: It makes sense to "share" several folders in the following cases:
          1. The folders are on different disks. There are two possibilities: either you have multi-terabyte data arrays and are running into the physical size limits of the RAID array or of the logical volume in the OS, or you were too lazy to set up (or were not given the money for) a RAID array of sufficient capacity. The second possibility is the more likely one, so the disk subsystem should be reorganized / upgraded.
          2. You need to give access to a folder deeply "buried" in the directory hierarchy without allowing access to neighbouring and higher-level directories. In this case, to configure the access rights you would have to walk the whole path to the target folder, granting the minimum rights on each "transit" folder. If you "share" the target folder itself, granting access rights is easier, and it is easier for the user to get into it. Alternatives: grant the rights with PowerShell scripts (I will publish an article about this in the future) or revise / optimize the folder structure and the access rights on it. For faster access to "buried" folders you can use shortcuts or map network drives.
        3. To provide access to folders with distributions, roaming profiles and users' desktops, use hidden shares, for example Distr$, Prof$, DSK$. These shared folders are not displayed in the network neighbourhood and are reachable only by their exact path: \\SRV01\PROF$\ and so on.
        4. In the root folder we create folders for departments, exchange, projects, business lines, branches and so on. The folder structure should be thought through carefully at the initial stage, with special attention to how employees of other departments get access to a department's folder and to the options for exchanging data between departments. You should also think through a number of restrictions for folders: maximum size, allowed file formats and so on. It is advisable to build a clear hierarchy of folders and corresponding access rights in such a way that users can change the folder structure only from nesting level 3-4 onward.
        5. Adhere to the principle of least privilege, expanding rights only as necessary. On the root folder, turn off inheritance, converting the inherited rights to explicit ones. Leave full control of this folder, its subfolders and files to administrators and the system, trim the rights of the creator-owner, and delete the remaining access rights.
        6. The CREATOR OWNER access rights should not be deleted. For example, there is a folder "...\personnel department\" on which a user has modify rights for this folder only. The user creates a new folder and "nothing happens"; more precisely, the folder is created, but the employee has no access to it, because the rights inherited from the parent folder apply. If Access Based Enumeration (ABE) is disabled for the share, the created folder will be visible, but the employee will not be able to rename, open or delete it.
        7. The SYSTEM access rights should not be deleted. Many services run with SYSTEM rights, for example the Volume Shadow Copy Service (VSS), which can be used by a backup system such as Acronis. Scripts that run on a schedule without being tied to a user account also use the SYSTEM account. Thus, for correct operation, SYSTEM must have full rights to all folders and files on the server.
        8. Add the Domain Admins group to the local Administrators group. That way, administrative rights on the server, including full access to all folders and files on it, are held by local administrators and, through membership in the local Administrators group, by domain administrators. In a domain this is very conveniently configured through group policy and applied to all servers and workstations of the domain: Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups.
        9. For privileged users (company management, auditors and so on), create an access group in the domain and give it read rights on the root directory for this folder, its subfolders and files. Where necessary, expand the rights in subdirectories by adding the modify permission. If full access to all folders is requested, add at most the modify right (in users' understanding this is full access, and allowing users to administer access rights is fraught with consequences for which the system administrator will have to answer). In this case the modify right is granted as follows: on the root folder, assign the read right for this folder, its subfolders and files. On the subdirectories of the root folder, assign the modify right for subfolders and files only. Thus VIP users will have the right to change folders / files starting from the 3rd level of the hierarchy, which keeps the subdirectories of the root directory safe: without the system administrator, no new folders will appear in the root, and no one will rename or delete an entire department / division folder.
        10. For the other employees, create in the domain a general access group and an access group for each department, division, project, business line and branch. Give the general access group read rights on the root directory for this folder only. On the department folders, assign the read right to the department's employees, and the modify right to heads of departments and their deputies. It is advisable to grant rights on the department folder itself for this folder only, and in subdirectories for this folder, its subfolders and files; heads and their deputies should be given modify rights in the subdirectories of the department folder for subfolders and files only. This preserves the common folder structure inside the department directories and also makes it possible later to quickly create a new subfolder with restricted access without disabling inheritance of access rights.
        11. Rights must be assigned to access groups, not to user accounts, and at the top levels of the folder hierarchy this is mandatory! First, it is clearer and more convenient to administer. Second, in directories "deeper" in the nesting there can be a very impressive number of access rights once the permissions inherited from parent folders are taken into account. Third, when employees leave and their accounts are disabled / deleted, "slag" remains in the folders' access rights in the form of irrelevant (read: useless / unneeded) permissions for accounts (and, when an account is deleted, bare SID account identifiers). Over 1-2 years quite a lot of "garbage" accumulates, more than you can count.
        12. Do not get carried away with turning off inheritance of parent access rights; try to use this option only as a last resort. The same applies to explicit deny rights. When inheritance is turned off, the integrity of how access rights apply from the top down is broken. It is a blessing if the rights on the whole root directory and the department folders are granted through access groups, and those groups are already present on the folders with disabled inheritance (then it is enough to add a new employee's account to the necessary group). But what if the rights were granted to user accounts?! And what if you need to give a group of users permissions on all child folders, including 5-6 with inheritance disabled, but deny access to 3-4 folders with inheritance enabled?! And what if each of those users needs different access rights, so they cannot be merged into a group?! To avoid such troubles, turn off inheritance of rights only in exceptional cases and only for bottom-level folders (without a structure of child subdirectories).
        13. When a folder is copied to a new directory, explicitly assigned rights are not preserved, and the rights inherited from the new parent folder are applied to it, even if inheritance of parent access rights was disabled on the copied folder. BUT when a folder is moved to a new directory, explicitly assigned rights are preserved, including disabled inheritance. With inheritance enabled, the rights inherited from the new parent folder are applied alongside the explicitly assigned ones. Therefore, when "moving house" to a new folder structure, you need to copy the data, not move it! Otherwise "garbage" will appear in the form of irrelevant access rights, and not all rights will apply because of inheritance being disabled on subfolders. And the converse: to keep disabled inheritance and the necessary explicitly assigned access rights, you need to move folders, not copy them! Otherwise you will have to configure the access rights again. You should warn users about the possible consequences of such manipulations: someone may lose access to folders, and others may gain it. It is extremely desirable to check periodically that the access rights are still relevant.
        14. The option "Replace all child object permission entries with inheritable permission entries from this object" deletes all explicitly assigned permissions on all child objects and enables inheritance of parent permissions for all subdirectories.
          It makes sense to use it when it is easier to cut everything down and configure access rights for the subdirectory structure from scratch. It is especially relevant when rights were assigned to user accounts, a lot of "slag" has accumulated in the form of SID identifiers and disabled accounts, inheritance of access rights is disabled in many places and everything is very sad, but there is a clear understanding of which groups of users should get access; then this option comes in very handy.
        15. When turning off inheritance from the parent folder, choose the option to convert inherited permissions into explicit ones.
          After the conversion, delete the unneeded access rights, except for those of administrators, SYSTEM and CREATOR OWNER (see items 6 and 7).
        16. Let us look at the standard access rights (basic security permissions). They can be set with the "Edit" button on the Security tab. They can also be expanded in the Advanced Security Settings section (in the advanced permissions display mode), opened with the "Advanced" button on the Security tab. This lets you see the scope of the standard access rights and the advanced permissions they include.
          1. "Full control" includes all lower-level access rights. "Full control" in the advanced permissions display mode:
            Scope: "This folder, subfolders and files"; includes all advanced permissions, including changing permissions and changing the owner.
          2. "Modify" also includes all lower-level access rights. "Modify" in the advanced permissions display mode:
            Scope: "This folder, subfolders and files"; includes all advanced permissions except "Delete subfolders and files", "Change permissions" and "Take ownership". The absence of the advanced permission "Delete subfolders and files" is explained by the fact that these rights are already present as the "Delete" permission with the scope "This folder, subfolders and files".
          3. "Read & execute" includes the access rights "List folder contents" and "Read". "Read & execute" in the advanced permissions display mode:
            Scope: "This folder, subfolders and files"; includes the advanced permissions "Traverse folder / execute file", "List folder / read data", "Read attributes", "Read extended attributes" and "Read permissions".
          4. "List folder contents". "List folder contents" in the advanced permissions display mode:
            Includes the same advanced permissions as "Read & execute"; it differs only in its narrower scope: "This folder and subfolders".
          5. "Read". "Read" in the advanced permissions display mode:
            Scope: "This folder, subfolders and files"; includes the same advanced permissions as "Read & execute", except for "Traverse folder / execute file".
          6. "Write". "Write" in the advanced permissions display mode:
            Scope: "This folder, subfolders and files"; includes the advanced permissions "Create files / write data", "Create folders / append data", "Write attributes" and "Write extended attributes".
        17. Standard access rights are convenient because of their simplicity: you do not choose a scope, and only basic permissions are shown, so you can view and edit users' access rights in a single window. As a result, editing standard access rights takes less time than editing advanced permissions (even in the basic permissions display mode). On the other hand, if you follow the principles of least privilege and of keeping inheritance intact from top to bottom, standard rights should be used carefully.
        18. All standard access rights have a wide scope, because of which the granted rights extend to all child subfolders. So they should be applied only to users whose access rights will not need to be restricted in child folders. This mainly concerns the access rights of administrators, the system, privileged employees, and heads of departments and their deputies. The following items look at each standard access right and the ways to use it.
        19. "Full control" should be assigned only to administrators and the system; it is used on the root folder and on subdirectories where inheritance of parent rights is disabled.
        20. "Modify" should be assigned to the employees who shape the structure and hierarchy of directories in their department's subdirectories: heads of departments and their deputies. However, this makes it possible to delete and rename subdirectories in the department folder. For a stricter policy, it is advisable to configure modify access for subdirectories through advanced permissions, limiting the scope to "Subfolders and files only".
        21. "Read & execute" should be used on directories with executable files, for example the distributions folder. Ordinary staff, however, as a rule need access only to data, so it is better to use the "Read" right.
        22. "List folder contents" should be used only for viewing the folder hierarchy; with Access Based Enumeration enabled, files will not be visible. I do not even know in what situations it would be useful; I have never had to use this access right in practice.
        23. "Read" is perhaps the most used access right. It is applied to public folders with open data (for all employees), to exchange folders between departments (for employees of other departments), and to department subfolders (for the department's staff). You only need to keep its wide scope in mind, that is, grant "Read" on folders in whose subdirectories you will not have to close off access by turning off inheritance of access rights.
        24. "Write" should be used to extend "Read" or "Read & execute" access on particular folders. It differs from "Modify" in lacking the "Traverse folder / execute file" and "Delete" permissions. By itself the "Write" right is meaningless; it is used only in combination with "Read" or "Read & execute".
        25. Now consider access rights in advanced mode. The screenshot below shows the possible scopes of access rights:
        26. "This folder only", in my opinion, is actively used at the top levels of the folder hierarchy. For example, with this scope "Read" or "List folder contents" access is granted on the root folder and on the department folders, and starting from the subdirectories a wider scope is applied and the access rights are expanded.
        27. "This folder, subfolders and files" is the default scope. As a rule, one goes into the advanced mode of access rights in order to narrow this standard scope.
        28. "This folder and subfolders": access rights are applied to directories only. I do not recall using it in practice. It can be used to allow reading the attributes of folders only, for an explicit deny on deleting folders only, or for some other specific access rights applied to folders only.
        29. "This folder and files" is convenient for targeted granting or expanding of access rights; the rights are applied only at the current level of the hierarchy.
        30. "Subfolders and files only" is used in conjunction with the "This folder only" scope. For example, we give the head of a department and their deputies "Read" access on the department folder with the scope "This folder only" and add "Modify" access with the scope "Subfolders and files only". Thus, the employees will not be able to create folders / files in the department folder itself or rename the department folder; they can make all their changes starting from the subdirectories of the department folder.
        31. "Subfolders only" is similar to the "This folder and subfolders" scope, but applies from one level lower in the hierarchy.
        32. "Files only": I have not personally used it in practice. It can be applied by combining "Read" access with the scope "This folder only" with "Modify" permissions with the scope "Files only". Thus the user will not be able to create subdirectories and files in the folder, but will be able to edit / delete the files that exist in the folder.
        33. Access rights in the advanced permissions display mode are akin to microsurgery; I do not recall ever having to grant access rights in such a pinpoint and detailed way. As a rule, the standard access rights and the options for applying them are enough for ordinary organizations.
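
How the scopes from items 26-32 are stored in a permission entry, and the combination from item 30 applied to a department folder. This PowerShell is an added example, not the author's code; the path D:\Share\HR and the group CORP\HR-Managers are hypothetical.

```powershell
# Added example. Hypothetical names: D:\Share\HR and CORP\HR-Managers.
# Each "Applies to" choice in Advanced Security Settings is stored in the entry
# as a pair: InheritanceFlags, PropagationFlags.
$AppliesTo = [ordered]@{
    'This folder only'                  = @('None',                             'None')
    'This folder, subfolders and files' = @('ContainerInherit, ObjectInherit',  'None')
    'This folder and subfolders'        = @('ContainerInherit',                 'None')
    'This folder and files'             = @('ObjectInherit',                    'None')
    'Subfolders and files only'         = @('ContainerInherit, ObjectInherit',  'InheritOnly')
    'Subfolders only'                   = @('ContainerInherit',                 'InheritOnly')
    'Files only'                        = @('ObjectInherit',                    'InheritOnly')
}

# Build an Allow entry for a given identity, right and GUI scope name.
function New-ScopedRule {
    param([string]$Identity, [string]$Rights, [string]$Scope)
    $flags = $AppliesTo[$Scope]
    if (-not $flags) { throw "Unknown scope: $Scope" }
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$flags[0],
        [System.Security.AccessControl.PropagationFlags]$flags[1],
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# Translate an existing entry back to the scope name shown in the dialog.
function Get-ScopeName {
    param($Ace)
    foreach ($name in $AppliesTo.Keys) {
        $flags = $AppliesTo[$name]
        $sameInherit = $Ace.InheritanceFlags -eq [System.Security.AccessControl.InheritanceFlags]$flags[0]
        $sameProp    = $Ace.PropagationFlags -eq [System.Security.AccessControl.PropagationFlags]$flags[1]
        if ($sameInherit -and $sameProp) { return $name }
    }
    return 'Other'
}

# Item 30: Read on the department folder itself, Modify only below it.
$dept  = 'D:\Share\HR'
$group = 'CORP\HR-Managers'

$acl = Get-Acl -Path $dept
$acl.AddAccessRule((New-ScopedRule -Identity $group -Rights 'Read'   -Scope 'This folder only'))
$acl.AddAccessRule((New-ScopedRule -Identity $group -Rights 'Modify' -Scope 'Subfolders and files only'))
Set-Acl -Path $dept -AclObject $acl

# Show the group's entries with the scope name next to the raw flags.
(Get-Acl -Path $dept).Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags,
        @{ Name = 'AppliesTo'; Expression = { Get-ScopeName -Ace $_ } } |
    Format-Table -AutoSize
```

The two entries stay separate in the ACL because their flags differ, which is what prevents the Modify right from applying to the department folder itself.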
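
Items 11-13 recommend checking periodically that access rights are still relevant. The read-only PowerShell audit below is an added example, not the author's script; it assumes a hypothetical share root of D:\Share and reports folders with inheritance disabled, explicit entries left behind as unresolved SIDs, and explicit deny entries.

```powershell
# Added example. D:\Share is a hypothetical share root; the script only reads ACLs.
$root = (Get-Item -Path 'D:\Share').FullName
$dirs = @(Get-Item -Path $root) +
        @(Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $dirs) {
    try {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
    }
    catch {
        # A folder whose ACL the auditor cannot read is itself worth a look.
        [pscustomobject]@{ Path = $dir.FullName; Finding = 'ACL unreadable'; Identity = ''; Rights = '' }
        continue
    }

    # Item 12: inheritance switched off anywhere below the root.
    if ($acl.AreAccessRulesProtected -and $dir.FullName -ne $root) {
        [pscustomobject]@{ Path = $dir.FullName; Finding = 'Inheritance disabled'; Identity = ''; Rights = '' }
    }

    # Only explicit entries are inspected; inherited ones are reported at their source.
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        $identity = $ace.IdentityReference.Value

        # Item 11: an entry that no longer resolves to a name shows up as a bare SID.
        if ($identity -match '^S-1-') {
            [pscustomobject]@{
                Path = $dir.FullName; Finding = 'Unresolved SID'
                Identity = $identity; Rights = $ace.FileSystemRights
            }
        }

        # Item 12: explicit deny entries should be rare and deliberate.
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            [pscustomobject]@{
                Path = $dir.FullName; Finding = 'Explicit deny'
                Identity = $identity; Rights = $ace.FileSystemRights
            }
        }
    }
}

# Summary first, then the detail sorted by folder.
$findings | Group-Object Finding | Select-Object Name, Count | Format-Table -AutoSize
$findings | Sort-Object Path, Finding | Format-Table Path, Finding, Identity, Rights -AutoSize -Wrap
```

An unresolved SID can also belong to a domain that was unreachable when the script ran, so confirm against the directory before removing such entries.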

Below is a description of how to configure different access rights on a specific directory for several users. The operating system in my example is. The procedure is similar for other operating systems of the Windows family.

0. Task:

On the server in mode there are several. For the folder "C:\Shared resource", the rights must be configured so that the "Users" group has read-only rights on this directory, while administrators and the user "Oyanov" have both read and write rights.

1. Solution:

In Explorer, find the required folder, right-click it and choose "Properties" from the context menu.

In the folder properties window that opens, go to the "Security" tab and click "Edit...". The "Permissions for the group ..." window opens, in which we see that security settings are already defined for 3 system groups. In particular, the "Administrators" group has full access to the folder. To add groups and users, click the "Add..." button.

In the user and group selection window, click "Advanced...", and in the window that opens click "Find Now" to list all groups and users that exist in the system. In the search results, select the "Users" group and click "OK" to add it to the list.

Add the user "Oyanov" to the list in the same way and click "OK" to complete the selection.

Now choose the permissions for each added entry. For the "Users" group, set rights only to list the folder contents and to read and execute files; for the user "Oyanov", tick the "Full control" check box.

(Here you can both allow and deny any action on the folder for the selected user by setting the appropriate check box. Remember that deny rules always take priority over allow rules.)

Having chosen the necessary settings, click "Apply" to save them and then "OK" to close all the open windows.

That's all. We have set the security settings for the selected directory in accordance with the task.
