Sanity check: AD accounts can be limited to read-only access to folders, yes?

Faust
Posts: 8730
Joined: Sat Apr 22, 2000 4:34 am
Location: Huntington Beach, CA

Post by Faust »

To be brief, it has been a few years since I had my hands on domain control and policies, so I want to be sure I'm not overlooking something, but...

The DC, VoIP and admin/office systems administration where I work are outsourced, which is fine by me. I handle everything beyond that, which isn't a lot thank goodness as I have too much else to do to have to keep resetting passwords. Anyways, from time to time I send off a request for things like router or domain account configuration changes.

Recently I wired up the shop for RS232 comms from the CNC/CAM workstation to the CNC machines. I then sent a request to have a new domain account set up strictly for the CNC setup guys so they can send the CNC programs directly to their machines. I asked for that account to have read-only access to the CNC program folder (on the server) for obvious reasons. Other higher level accounts should have full access.

The guys who handle the domain sent a reply that the changes had been made. So, I went to the workstation, logged into the CNCsetup account, navigated to the CNC program folder and proceeded to create a new text file, create a new folder and drag that text file into the new folder.

Does that sound like read-only to you guys?

Am I just stuck on stupid or am I taking crazy pills?!?
"Today is a black day in the history of mankind."

- Leo Szilard
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

User accounts can be given very granular rights when it comes to directories and even individual files... down to list... down to read only... and many other options... so "Yes".
As to the fact that you made a txt file in a directory... "where" was the directory? On the server... or workstation?
MORNING WOOD Lumber Company
Guinness for Strength!!!

Post by Faust »

That's what I thought (granular control). It's just been so long I wanted to make sure I wasn't being a fool before I ask them what part of "read-only" they didn't understand.

The "read-only" directory where I created the txt test file and folder is on the server. In this case there is absolutely no reason to store local content (on the CNCsetup account). The CNC setup guys are sharp mathematically but their computer skills are, shall we say, scary bad, which is why I asked specifically for read-only. They just fire up Cimco Editor, point it to the program folder on the server, turn the DB25 switchbox knob to point to their machine and click send. Any more access rights beyond that and I'd have nightmares of someone accidentally moving the Haas folder inside the Inspection folder or something.
"Today is a black day in the history of mankind."

- Leo Szilard

Post by YeOldeStonecat »

On the "share" level, I have "Everyone" with full read/write.
On the "Security" level (this is where NTFS kicks in)... this is where I peel back the permissions, give full control to admin, domain admin, system, and then give "whatever" control to the domain users group or other security groups created, and I remove the "Everyone" group totally from here.
MORNING WOOD Lumber Company
Guinness for Strength!!!
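
The share/NTFS split described in the post above, written out as an added example that is not part of the original thread. The folder path, share name, domain `CONTOSO`, the `CNC-Programmers` group and the choice of `ReadAndExecute` for the read-only account are assumptions made for illustration; run it elevated on the file server.

```powershell
# Added example. All names below are placeholders (assumptions), not from the thread.
$Path     = 'D:\Shares\CNCPrograms'      # folder on the file server
$Share    = 'CNCPrograms'
$ReadOnly = 'CONTOSO\CNCsetup'           # account that may only read
$Editors  = 'CONTOSO\CNC-Programmers'    # hypothetical group that keeps full access

# Share level: leave it wide open so the NTFS ACL alone decides effective access.
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Path -FullAccess 'Everyone' | Out-Null
}

# NTFS level: stop inheriting from the parent (this is what drops Everyone/Users),
# clear any explicit entries, then grant rights that flow to subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # protect the ACL, discard inherited ACEs
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
$grants = @(
    @('BUILTIN\Administrators', 'FullControl'),
    @('CONTOSO\Domain Admins',  'FullControl'),
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @($Editors,                 'FullControl'),
    @($ReadOnly,                'ReadAndExecute')
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g[0], $g[1], $inherit, $noProp, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Check: list every Allow entry that carries a write-class right.
# Neither the read-only account nor Everyone/Users should show up here.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
(Get-Acl -Path $Path).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $writeBits) -ne 0) } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

The listing only covers identities named directly on the folder; logging in as the restricted account and trying to create a file, as done earlier in the thread, remains the end-to-end test.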

Post by Faust »

Seems like a pretty straightforward template to adopt for sure.

What I really should do is just set up AD on one of my old servers (still sitting in the closet since I moved into my place) so I can freshen up a bit so I don't have to ask seemingly silly questions before I yell at the on-site IT guys... which I did this morning.

About 30 mins later I ran gpupdate (I was shocked I remembered anything useful), did my little test deal and all is well now.

Thx, bud!
"Today is a black day in the history of mankind."

- Leo Szilard