# Shared folders and permission - Win2008 R2



## hqnet (Nov 14, 2009)

Hi,

Permissions management is something I´ve always found very unfriendly in Windows server, but I feel it has gone worst in Windows 2008 R2 :S

To make a long story short I usually have a folder shared at the root of the data disc, inside of which I would place serveral subfolders and assign access permissions to the necesary Groups of users. In that way I only need to share and map just one folder and the subfolder can be accessed by individual Groups or a combination of them by just managing their permissions.

but in 2008 R2 I am struggling with permissions not propagating down (even with the alledgedly correct settings) or files getting the wrong ownerships that cant be backed up.

So I wonder if I should take an easier road and share each folders on it own?... some user will end up with multiple mapped drives, but it seems that in this case it would be less of a hassle than doing it in my usual way.

I am talking about around 8 to 10 folders for 8 to 10 groups, most groups will access just one share, a couple would access 2 or 3 shares.

There is no Active directory in place, just a workgroup.

What would you suggest?

TIA.


----------



## Rockn (Jul 29, 2001)

Don't base any security on shares only access to the shares. I generally set a top level share for something like departments giving authenticated users full access to the departments share. Then I map based on the folders below based on security group membership. I never share the root of any drive. I usually have a public share, a departmental share and redirect My Documents. Maybe you could give an example of what you need to do. AD would make it so much easier.


----------



## hqnet (Nov 14, 2009)

Hi, thanks your for the reply.

I will try to explain the situation.

My shares structure on disk is usually like this:


```
HD 
 |_> DocsFolder (net share)
              |___> SalesFolder (acc. by group perms)
              |___> AdminFolder (acc. by group perms)
              |___> PublicFolder (acc. by group perms)
              |___> ManagementFolder (acc. by group perms)
```
I share "DocsFolder" and set file permissions so departments can only access their folder. 
This allows me to 
A) have a public folder within the same share,
B) have groups/departments access more than one folder if needed (i.e. Management has access to every folder in the share).
C) make it easy for users to deal with only one share/drive

Now, I am finding issues with permissions propagation in Win2008 R2 (not saying it doesn't work, just that its logic and mine deviate too much) (also the wording in the spanish version if awful and contradicting imho).

So I wonder if I would just make this easier (for me) and share the "departmental shares" (8 to 10 instead of the 4 in my example) instead of the parent "DocsFolder".

Security permissions would be set up at share and filesystem level, but by the quick shot I gave it, it would seem to work as I expect it without the hassles I am hitting now.

to be honest, it's not that I can't find *some* way to do it in 2008R2 , it's more that I would like to know how others would deal with this so maybe I could use a better method.

AD is something I try to avoid since we like the terminals to have more independence from the server than what AD requires.

TIA


----------



## Rockn (Jul 29, 2001)

I don't understand what sort of independence you would be referring to that AD would impose. AD is a godsend from a management standpoint and control of security as well. You could make about 50 login scripts to do your mapping, but I will have to think about the directory structure.


----------



## hqnet (Nov 14, 2009)

well, in any case, I´d like to resolve this without AD, so I am still looking for opinions about the covenience of sharing a single parent folder or its subfolders 
Any thoughts on that?

Thanks in advance.


----------



## Rockn (Jul 29, 2001)

How do you handle authentication in a workgroup setting? Is each workstation responsible for managing it's own password? I am just trying to thing of a way to do this in your workgroup scenario. Are you using local security groups on the server to allow access to the resources in the share?


----------

