We have a Sun Storage Appliance (7110) with a SMB/CIFS share configured. It is joined to our Active Directory. What I am trying to accomplish is: ordinary Domain Users (built-in AD group) should have access to the drive with rights to modify files and folders but not to change permissions (because a user could lock out everyone else from a folder, including administrators). Users in the AD group "Storage_Admins" should have full control on the drive. There are two places to configure user rights: Share Level ACL and Root Directory ACL. As far as I know, the best practice would be to grant Everyone Full Control on the Share Level and do everything else on the Root Directory ACL, but it doesn't work this way. What I did so far:
Attempt 1:
Share Level: Everyone - Full Control
Root Directory: Storage_Admins - Full Control / Domain Users - Modify
Result: Domain Users can change permissions on folders they created, but not on the root folder.

Attempt 2:
Share Level: Everyone - Modify
Root Directory: Storage_Admins - Full Control / Domain Users - Modify
Result: Domain Users cannot change permissions on folders, but Admins also can't change them. Domain Users can't rename or delete folders.

Attempt 3:
Share Level: Everyone - Modify / Storage_Admins - Full Control
Root Directory: Storage_Admins - Full Control / Domain Users - Modify
Result: Domain Users cannot change permissions on folders, but Admins also can't change them. Domain Users can't rename or delete folders.
I have read an article on TechNet and found this:

> The owner has an implied right to allow or deny other users permission to use the object, and this right cannot be withdrawn.

I think that's exactly the problem. If a user creates a folder, he is the owner and can change permissions on that folder. So is there any way to prevent this behaviour? What is a best practice for configuring permissions on network drives? Taking the ownership away is not an option because afterwards nobody can figure out who created which file. Thanks in advance.
UPDATE:
- Share Level: Everyone - Modify Root Directory: Storage_Admins - Full Control/Domain Users - Modify
This works if I share a folder on a normal Windows machine. I shared a folder from a WinXP machine with these settings. A Domain User can now modify everything except the permissions, and members of the Storage_Admins group have full control access (that's exactly what I want). So this problem:

> Result: Domain Users cannot change permissions on folders, but Admins also can't change them. Domain Users can't rename or delete folders.

is obviously related to the Sun Appliance. Something like inheritance behaviour or similar on the appliance itself. I will look into that.
No, it is how Windows ACLs work. The owner is always allowed to change ACLs on her objects. You can prevent this for shared content by using a share that only allows "Everyone:Modify" permissions, as this will "filter out" any change-ACL requests at the share level. If you want to allow your Administrators to change ACLs, just add "Storage Admins:Full Control" to the share permissions.
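The layout this answer describes (share level capped at Modify/Change for Everyone, Full for Storage_Admins, the rest on the root directory ACL), as an added PowerShell example for a Windows file server rather than the appliance; it is not code from the thread. The path `D:\Shares\Data`, share name `Data`, the placeholder domain `CONTOSO`, and the SYSTEM entry are assumptions.

```powershell
# Added example, not from the thread. Run elevated on the file server.
$Path   = 'D:\Shares\Data'   # assumed path
$Share  = 'Data'             # assumed share name
$Domain = 'CONTOSO'          # placeholder NetBIOS domain name

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Share level: "Change" (the GUI's Modify) for Everyone has no WRITE_DAC, so a
# folder owner's implied right to rewrite the ACL is filtered out at the share.
# Storage_Admins get Full so they can still change permissions through the share.
New-SmbShare -Name $Share -Path $Path `
    -ChangeAccess 'Everyone' `
    -FullAccess   "$Domain\Storage_Admins" | Out-Null

# Root directory ACL: break inheritance, drop inherited ACEs, then add explicit
# entries that propagate to subfolders and files (ContainerInherit, ObjectInherit).
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None

# NTFS "Modify" = ReadAndExecute + Write + Delete. It contains neither
# ChangePermissions nor TakeOwnership, and not DeleteSubdirectoriesAndFiles
# either; users delete children via the inherited Delete right on the child.
foreach ($entry in @(
    @{ Id = "$Domain\Storage_Admins"; Rights = 'FullControl' },
    @{ Id = "$Domain\Domain Users";   Rights = 'Modify' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' })) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Id, $entry.Rights, $inherit, $none, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Check the result: no Domain Users entry should carry ChangePermissions or
# TakeOwnership, and the share must not grant Full to Everyone or Domain Users.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
Get-SmbShareAccess -Name $Share | Format-Table AccountName, AccessRight -AutoSize
```

Effective access through the share is the intersection of the share ACL and the NTFS ACL, which is why the share-level cap holds even though the owner's WRITE_DAC right cannot be removed from the object itself.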
OK, figured it out. In Windows you have only 3 choices on the share level: Read, Change, Full Control.
In the appliance you have the full set of permissions on the share level and a dropdown box to choose:
If you choose "Modify" in the upper left corner, the checkmarks will be set accordingly. The checkmark "Delete Child", however, is not set when you choose "Modify", and this is the problem. If I choose "Modify" and check "Delete Child" on the share level, plus set "Modify" for Domain Users on the Root Directory, everything works as expected.