Networking Forums

Toobi Won Kenobi
      02-07-2007, 07:49 PM
I am installing a WS2003 DC server in my school.
I have 6 year groups as Users. Each year group will contain the pupils' work
folders. The pupils will log on with their year group name and password. They
will be able to access other year groups' folders.
All users/pupils need to be able to read and write files in their folders
but not able to delete/create or move folders.
Should I place all users in an OU, Group or folder(school?) and would
permissions need to be or not be inherited and how would I achieve the
above?

TIA
MH


 
Phillip Windell
      02-07-2007, 08:30 PM
"Toobi Won Kenobi" <Toobi Won (E-Mail Removed)> wrote in message
news:eqddug$6rj$1$(E-Mail Removed)...
>I am installing a WS2003 DC server in my school.
> I have 6 year groups as Users. Each year group will contain the pupils' work
> folders. The pupils will log on with their year group name and password. They
> will be able to access other year groups' folders.
> All users/pupils need to be able to read and write files in their folders but
> not able to delete/create or move folders.
> Should I place all users in an OU, Group or folder(school?) and would
> permissions need to be or not be inherited and how would I achieve the above?


You don't place users in anything,...at least to do this. They should be in an
OU so you can apply Group Policy to them,...by default they are in a built-in
AD Folder. But that has nothing to do directly with granting permissions for
them. Permissions focus on Group Memberships, not AD Locations.

The permissions are done in the file system and permissions are granted to
Groups. The users "out of the box" are already in the Domain Users Group and you
can use that. You can also create other new groups to use them in as well if
you like.

--Users--Defaults--
Location in AD: Users Folder (not an OU)
Group Membership: Domain Users

They can be members of multiple groups, but can be in only one AD Location at a
time.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed (as annoying as they are, and as stupid as they sound), are
my own and not those of my employer, or Microsoft, or anyone else associated
with me, including my cats.
-----------------------------------------------------


 
Toobi Won Kenobi
      02-08-2007, 11:28 AM

Many thanks Phillip,

I have created an OU called school and placed the "year group" account users
into it.
I then made a share called school and gave everyone full control at share
level.
I then made folders for all the year groups.
I found that if I left the "users" in the properties security tab, all year
groups could see each other's folders (obviously). The only way I could
prevent this happening was to remove the users group and add the year group
user and admins, but this removed inheritance. (not a problem) This stopped
the users seeing each other's folders.
With the default folder permission settings I found I could not delete
folders but I could create them, neither could I save files to the folder as
I was told the folder was read only. The only way I could save to the
folder was to make it full control at the NTFS level but this allowed the
creation or deletion of folders. If I then edited these functions out, I
found I could no longer save to the folder, it was back to being read only.
This has got to be something pretty basic I am missing, no?
It doesn't help just having one monitor, keyboard and mouse to swap between
the two machines. (Test rig with server and 1 workstation)

TIA

MH


 
Phillip Windell
      02-08-2007, 02:14 PM
You just need to do some more reading & studying on the nature of how the
permissions work. For example giving Read/Write Permissions does not give the
ability to Delete,...and having the ability to Delete does not give the ability
to Delete folders.

 
Toobi Won Kenobi
      02-08-2007, 02:44 PM

"Phillip Windell" <@.> wrote in message
news:%(E-Mail Removed)...
> You just need to do some more reading & studying on the nature of how the
> permissions work. For example giving Read/Write Permissions does not give
> the ability to Delete,...and having the ability to Delete does not give
> the ability to Delete folders.

Thanks Phillip,

You said it! At the mo it would be nice just to be able to save to the
folder. Still, all part of the learning curve.
Regards
MH

 
Phillip Windell
      02-08-2007, 03:08 PM
"Toobi Won Kenobi" <Toobi Won (E-Mail Removed)> wrote in message
news:eqfglk$618$1$(E-Mail Removed)...
>
> "Phillip Windell" <@.> wrote in message
> news:%(E-Mail Removed)...
>> You just need to do some more reading & studying on the nature of how the
>> permissions work. For example giving Read/Write Permissions does not give the
>> ability to Delete,...and having the ability to Delete does not give the
>> ability to Delete folders.

> Thanks Phillip,
>
> You said it! At the mo it would be nice just to be able to save to the folder.
> Still, all part of the learning curve.


Yea, I think your attempts are moving in the right general direction, just hunt
down some material on working with NTFS permissions and share Permissions so you
can refine how you are doing it and I think you will be fine.

-----------------------------------------------------
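The distinction drawn in the replies above (write access is separate from delete, and rights on files are separate from rights on folders) can be set up as two NTFS entries per year group. The following PowerShell is an added example, not something posted in the thread; the folder path, the group name, and the choice of Modify on files are assumptions.

```powershell
# Added example. $folder and $group are hypothetical placeholders.
$folder = 'D:\school\Year1'     # assumed path of one year-group folder
$group  = 'SCHOOL\Year1'        # assumed DOMAIN\group holding that year's account(s)

function New-Rule($who, $rights, $inherit, $propagate) {
    # Build one Allow ACE; the strings are converted to the matching .NET enums.
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $who, $rights, $inherit, $propagate, 'Allow'
}

$acl = Get-Acl -Path $folder

# Stop inheriting from the share root and discard the inherited entries
# (including the broad Users entry), then clear any explicit entries.
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

$rules = @(
    # Administrators and SYSTEM: full control of the folder, subfolders and files.
    New-Rule 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'
    New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl' 'ContainerInherit, ObjectInherit' 'None'

    # Folders (this folder and subfolders): list, traverse and create files only.
    # CreateFiles is granted; CreateDirectories and Delete are not, so pupils
    # cannot create, delete, rename or move folders.
    New-Rule $group 'ReadAndExecute, CreateFiles' 'ContainerInherit' 'None'

    # Files only (InheritOnly keeps this entry off the folders themselves):
    # Modify lets pupils read, save and delete their files. Assumption: deleting
    # files is acceptable; use 'Read, Write' instead to withhold it.
    New-Rule $group 'Modify' 'ObjectInherit' 'InheritOnly'
)

foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $folder -AclObject $acl

# Show the resulting entries for review.
(Get-Acl -Path $folder).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

The folder entry uses CreateFiles rather than Write because Write on a folder also includes CreateDirectories (Create Folders / Append Data), which is why granting generic write access also allowed new folders.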


 