Q: Windows SBS 2003 - admin user without folder permissions (No Answer, 1 Comment)
Question  
Subject: Windows SBS 2003 - admin user without folder permissions
Category: Computers > Operating Systems
Asked by: hookjd-ga
List Price: $10.00
Posted: 18 May 2006 22:35 PDT
Expires: 17 Jun 2006 22:35 PDT
Question ID: 730294
I am running Windows Small Business Server 2003.  We use it as a file
server and an Exchange Server in our office with about 6 users.  We
have a number of shared folders that all 6 users access, but I have
one share that only 3 of us can access.  It contains sensitive
business information that I want protected (both for me and for the
sake of my employees).

One of my employees is partly responsible for keeping our network up
and running, our Exchange server, printers, server data backups, etc. 
He needs to be able to administer that server in almost every way (I
have no concerns about his abilities).  However, I need him to not
have privileges to change folder permissions on folders that he does
not have access to.

I know this must be an easy task for a Windows Server expert, but none
of us are... and I can't find this answer anywhere online.  Basically,
I need him to have ALL the privileges of an admin user, except the
ability to modify the permissions on a single folder.  If I leave him
as an admin and remove his permissions to that folder he can still
reset them (doh! because he's an admin!).  "Power Users" don't have
enough permissions for him to be able to do everything he needs to do
on the server.

That's it.  Please help.

Request for Question Clarification by sublime1-ga on 19 May 2006 00:59 PDT
hookjd...

I don't have 2003 SBS, I have Win2000, but I think you'll find
the process similar. If you've given your guy access to THE
Admin account log in, you'll need to change the password. Then
create a set of permissions specific to his usual logon name,
or create a logon name just for him, and then set the permissions
for his account.

After creating his logon username, you should be able to find it
by r-clicking on the main drive and looking at the list of
names on the Security tab under Properties. If his username isn't
there, click on Add to add it from the complete list. The name 
should show up in the form of Computername [Computername\Username].

Once he's on the list, start by giving him Full Permissions for
the whole drive or drives or parts of the network you want him 
to manage. Then go to the folders you want to protect, and right-
click on them and go to Properties -> Security tab.

Click on the Advanced button at the bottom. Now click on his user
name and click on View/Edit. This should give you access to an
extended list of permissions. You can leave them all checked except
'Change Permissions', and, perhaps, 'Read Permissions'.

You'll likely need to reboot.

I'm pretty sure that will work, but I have no way to test it, so
I won't post a formal answer 'til I hear back from you that it 
worked, or that you need clarification.

Let me know...

sublime1-ga

Clarification of Question by hookjd-ga on 19 May 2006 08:32 PDT
Thanks for your answer, but I'm afraid that doesn't do it.  I have
created a user account for testing this out.  When I create a user
account, I use the "Administrator Template" to create it (which I
think is where the problem lies).  But I have gone to the share I want
to deny access to and moved all the permissions to "deny" for this
user, including "change permissions" just as you suggested.

But when I log in as this user I can still go to the share, look at
the properties, and give myself full control of the folder without
problem.

I think it must be to do with the user template I am using, it must
override the permissions on the specific object to allow me to do
anything I want.  I think my ultimate goal will be to create a new
user template that has all the permissions of an admin, except the
ability to change file/folder permissions.  In SBS, it is not at all
clear how this will work.

To reiterate, I need this user to be able to log in remotely to our
server and have complete control of all aspects, including
installation of software, administering printers, everything.  I just
want him not to be able to access one folder and not have the ability
to modify the system to give himself access to that folder.

Request for Question Clarification by sublime1-ga on 19 May 2006 12:40 PDT
> But when I log in as this user I can still go to the share, look at
> the properties, and give myself full control of the folder without
> problem.

This does sound like it's due to the use of the "Administrator Template",
though I'm not familiar with this. Perhaps it's an aspect of SBS 2003.
I don't see it in Windows 2000. I was thinking you would create the new
user, logged in as Administrator, from Start -> Settings -> Control
Panel -> Users and Passwords, and then proceed to set permissions as
I described previously.

If that doesn't work, I'm afraid I'm stumped on this one. Perhaps
another researcher will be able to assist you. Until a researcher
posts a formal answer, the question remains open to everyone, and
you are not charged.

Let me know if this makes any difference...

sublime1-ga

Clarification of Question by hookjd-ga on 19 May 2006 14:49 PDT
OK Thanks.  It seems like someone familiar with SBS 2003 should be
able to quickly advise me how to do this.  We are using all the
default templates and this is the one difficulty we have had.
Answer  
There is no answer at this time.

Comments  
Subject: Re: Windows SBS 2003 - admin user without folder permissions
From: exms-ga on 26 May 2006 14:31 PDT
 
You will need to split out his rights to the server itself.

Backup Operators - to run or check the backups
Network Config Oper - to manage the network settings
Power Users
Remote Desktop Users

Any other specific issues please post.
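
Why the "deny" entries tested in the clarification above do not hold against an administrator, shown as an added example that is not part of the original thread: a simplified Python model of the Windows access check as it works on Server 2003. The account names, the folder's security descriptor and the helper functions are constructed for illustration; only the access-right and privilege names are real.

```python
# Simplified model of the Windows access check (Server 2003-era rules).
# Tokens, SIDs and the folder below are constructed sample data, and a
# privilege listed in a token is assumed to be enabled.
READ_CONTROL, WRITE_DAC, WRITE_OWNER, FILE_READ = 0x20000, 0x40000, 0x80000, 0x1
FULL_CONTROL = READ_CONTROL | WRITE_DAC | WRITE_OWNER | FILE_READ

def access_check(token, sd, desired):
    """Return True if every bit in `desired` is granted to `token` on `sd`."""
    sids = {token["user"], *token["groups"]}
    granted = 0
    # 1. Privileges are honoured before the DACL is consulted.
    if "SeTakeOwnershipPrivilege" in token["privileges"]:
        granted |= WRITE_OWNER
    # 2. The owner may always read and rewrite the DACL.
    if sd["owner"] in sids:
        granted |= READ_CONTROL | WRITE_DAC
    # 3. Walk the ACEs in order; a deny ACE only blocks bits not yet granted.
    for kind, sid, mask in sd["dacl"]:
        if sid not in sids:
            continue
        if kind == "deny" and mask & desired & ~granted:
            return False
        if kind == "allow":
            granted |= mask
    return desired & ~granted == 0

def can_reset_permissions(token, sd):
    """Can this token end up rewriting the DACL, directly or via ownership?"""
    if access_check(token, sd, WRITE_DAC):
        return True
    if access_check(token, sd, WRITE_OWNER):
        as_owner = dict(sd, owner=token["user"])  # after taking ownership
        return access_check(token, as_owner, WRITE_DAC)
    return False

# Constructed scenario: the test account is denied Full Control on the folder.
folder = {"owner": "boss",
          "dacl": [("deny", "testuser", FULL_CONTROL),
                   ("allow", "boss", FULL_CONTROL)]}
as_admin = {"user": "testuser", "groups": {"Administrators"},
            "privileges": {"SeTakeOwnershipPrivilege"}}
as_operator = {"user": "testuser", "privileges": set(),
               "groups": {"Backup Operators", "Remote Desktop Users"}}

if __name__ == "__main__":
    print("admin can reset permissions:   ", can_reset_permissions(as_admin, folder))
    print("operator can reset permissions:", can_reset_permissions(as_operator, folder))
```

In the model the deny entry does stop the administrator from reading the folder directly, but not from taking ownership and then rewriting the permissions; the same account without Administrators membership cannot do either. Backup Operators still hold the backup and restore privileges, which let backup tools read files regardless of the folder's ACL.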
