Powershell Setting Share Folder Permissions

Similar Messages

• How to set share folder for mac 8.6 in windows

  I know how to set share folder for mac 8.6 in windows xp. I installed the NetBIOS. But i still can not found windows share file in mac 8.6. Need to install 'DAVE'?

  I want to setup file sharing. Then, I will setup share printer for mac8.6. I tried to config File Sharing control panel. But it do not scuccessful. Do have you way to solve file sharing and share printer problem. Not use NetPresenz.
  I follow the website to setup file sharing. But I is not successful.
  the website:
  http://homepage.mac.com/car1son/os9xnet_nfilesharing.html
  I go to appletalk control panel to connect via choose ethernet bulit-in. It appear a error. The error is 'An error occurred attempted to use Ethernet bulit-in. Make sure your network connection are correct.'
  Thank you very much for your help.

• Setting SharePoint folder permissions

  Our school has just got SharePoint 2013, and I have been tasked with setting up a folder structure for the Teachers.
  What they want is a Department Folder in the Root, and inside the Department Folder the Facility  Folder, and inside that the Subject Folder, and lastly a private Teacher Folder for storing and preparing work.
  EG:
  Department/Science/Biology/MGreen
  Department/Languages/French/RSmith
  Department/Languages/Latin/TJones
  I have setup the directory structure already, my question is how do make the Teacher Folder Private, so only they can view files inside?
  Many thanks

  Hi,
  According to your description, my understanding is that you want to make the Teacher Folder with unique permissions so that only the specific teacher has permissions to it.
  The following are the steps to set up unique permissions: 
  Navigate to the subfolder you want to configure with unique permissions.
  On that subfolder, select Manage Permissions from the drop-list under that subfolder.
  Under Permissions Tools, click: Stop Inheriting Permissions.
  A dialog box that says, "You are about to create unique permissions for this folder. Changes made to the parent folder will no longer affect this folder."  Click OK.
  Then delete all SharePoint security groups. After that, assign permissions to the specific teacher.
   Best Regards,
  Wendy
  Wendy Li
  TechNet Community Support

• Mac OSX file copy to Windows Share folder permissions

  We'd got a few Mac's, one is snow leopard and the other is Lion.  The scenario is:
  Mac:
  Go > Connect to server > smb://servernamehere > Connect > select your share
  The authentication box then pops up, they've been typing in a username and password to connect to Server 2008 (Active Directory here by the way).  I don't think it matters if they type in "DOMAIN\username" and the password or just "username" and the password.
  They try to copy files around but they get this wacky -xx number and their Macs lock up.
  On the Windows Server Side I look at the folder permissions and the users they're using are all golden, full permissions.  I look at a test folder I create and it too looks good.
  The weird thing is this:
  If I look at the folders on Windows it looks normal but if I open the command line on a Mac, do:
  cd /
  cd Volumes
  ls
  cd Folder_I'm_Connected_To
  ls -la | grep testfolder_I_made
  I get these results...
  drwx------ 1 Their_Username_Here  staff  --> Some other stuff here like a folder size, date, time and the folder name
  My question is this I guess.
  Do I have to join these Macs to the Windows domain for the permissions and folder views on the Mac to look right AND to have them funtion properly?  The user of the other Mac says she never types in any authentication stuff, she just clicks a folder shortcut on her Mac ans she's in.
  I would expect the permissions to at least say something like:
  drwxdrwx---
  The Windows server doesn't have the group "staff" which makes it seem the Mac isn't looking at the mounted volume in the same way Windows is.  They also had this problem on AFP and SMB shares directly on a FreeNAS box which is also BSD like a Mac.
  As a result of the Macs behaving similarly on both Windows and BSD (FreeNAS) I think this seems to be some wacky Mac behavior and I just can't figure it out.
  Any help would be appreciated.
  Thanks.

  Hi, same results at the terminal command on a SMB share, observed here with mac computers running with OsX 10.8 with Windows 2008 R2 SMB shares. My issue is that theses computers need to copy files on theses shares with Chronosync or Carbon Copy and this is not working due to an "modify file attributes permissions" error. But if I copy the files using "Finder" it works great.
  You don't need to join your computers to your domain to get it to work. The error that you are talking about is the -5000 error ???

• Set NTFS folder permissions

  When creating new file servers we always need to set up the NTFS rights manually and that takes forever...
  Instead I would like to have a powershell command/script that configures the NTFS security settings on the folders.
  I have two needs that hopefuly some of you allready have a solution on,
  1, NTFS Settings on a homefolder share:
  Users should be able to access the location of all user folders (ex:
  \\server\users\). Then the user should only be able to create folder(s). Without access to any other users files or folders. The user should have have full r/w access to his/her created folder.
  Below you can see my settings as it is when I created it with Windows Explorer, how can I accomplish this this with Powershell instead?
  2, I need the commands to set following NTFS settings on a folder:
  A List Group: I want to add a AD group that should only be able to access the folder (not any subfolder or files).
  A Read Group: I want to add a AD group that should be able to read all files and subfolders in a folder.
  A  Write Group: I want to add a AD group that should be able to read and write on all files/subfolders in a folder.
  See sceenshot below how it looks today from Windows Explorer:

  Hi,
  First of all, thanks all for your quick answers to me..
  I decided to go with
  Mike Laughlin's answer. But I think I still need some more help from you all :)
  This is what my script do:
  I have a string that takes the computername and then remove the numbers in the end of the name to get the sitename (ex computername VEGAS001 will be VEGAS , which is the sitename)
  On D:\Fileshares I have my folderstructure, here I create all department folders under the "sitename" folder (ex D:\Fileshares\Vegas\) with the script. This works fine to create...
  Then the last is to set the NTFS rights on all the folders with the module Mike recomended.
  Here I try to set rights on different groups, but it doesnt work with my string $sitename (ex: Domain\$sitename_L_HR_W  = Domain\VEGAS_L_HR_W)
  It creates a setting in the NTFS security , but it's not the correct one (see below) , its just a none existing GUID number..
  I tried to add different symbols such as + " ' between/in the AD Group name
  Ex: Domain\$sitename+_L_HR_R /
  Domain\$sitename+"_L_HR_R" ,
  but without any success
  Sometimes it didnt add the GUID above, sometimes just a long error message that I couldnt understand.
  I guess for anyone with some more PowerShell skills then me will be able to fix this easy? :)
  Here is my code....
  #Import the PowerShell Module (PowerShellAccessControl)
  Import-Module PowerShellAccessControl
  # Configure sitename as an string
  $sitename = $env:computername
  $sitename = $sitename.Substring(0,$sitename.Length-3)
  # Create folder structure
  New-Item D:\Fileshares\$sitename$\DATA\Administration\IT -type directory
  New-Item D:\Fileshares\$sitename$\DATA\Administration\Finance -type directory
  # Configure NTFS settings on folder
  Get-Item D:\Fileshares\$sitename$\DATA\Administration\IT | Add-AccessControlEntry -FolderRights Read -Principal Domain\$sitename_L_IT_R -AceType AccessAllowed -AppliesTo ChildObjects,ChildContainers,Object -Apply -Force
  Get-Item D:\Fileshares\$sitename$\DATA\Administration\IT | Add-AccessControlEntry -FolderRights modify -Principal Domain\$sitename_L_IT_W -AceType AccessAllowed -AppliesTo ChildObjects,ChildContainers,Object -Apply -Force
  Get-Item D:\Fileshares\$sitename$\DATA\Administration\HR | Add-AccessControlEntry -FolderRights Read -Principal Domain\$sitename_L_HR_R -AceType AccessAllowed -AppliesTo ChildObjects,ChildContainers,Object -Apply -Force
  Get-Item D:\Fileshares\$sitename$\DATA\Administration\HR | Add-AccessControlEntry -FolderRights modify -Principal Domain\$sitename_L_HR_W -AceType AccessAllowed -AppliesTo ChildObjects,ChildContainers,Object -Apply -Force

• Unable to set Public Folder Permissions

  I have created a Public Folder Mailbox and Public Folder. When I go to set permissions via the EAC, the "User" field is grayed out...when I Browse for a user I can search and select a user, but that user is not carried over to the User field where
  you would set permissions.  I am unable to see ANYYONE with permissions via the EAC. However, when I access my Public Folders in Outlook 2013, I and a co-worker both have "Author" level permissions.
  I am an Administrator on the system and have added myself to the Public Folders role and anything else that looked even remotely related :-o
  Thanks for the help!
  -Nick 

  Hi,
  We can try settings the permission on the specific folders by using the exFolders tool:
  https://gallery.technet.microsoft.com/office/Exchange-2010-SP1-ExFolders-e6bfd405
  Thanks,
  Simon Wu
  TechNet Community Support

• Active studio folder permissions

  I am unable to set folder permissions in Shared Reports by using an ldap group to specify access, it only works when I set the folder permissions by using a specific ldap user. When I use the ldap group and login by the user which is a member of the group mentioned above I don`t see any folders. Is there a workaround possible ? Thnx.

  That is strange. I think you are confusing confusing enterprise groups (e.g. LDAP) with BAM application roles (e.g. Administrator, ReportCreator, etc.). BAM only adds/synchronizes enterprise groups if those groups have assigned BAM application roles. This is done to make sure that users are assigned the correct BAM application roles even when the role is granted by virtue of membership in an enterprise group that is assigned that application role. This is done for both login and registerUser(), so their is no difference between the two regarding enterprize groups.
  See section 23.3.3 on BAM application role vis-a-vis wls/ldap groups in "Managing BAM Guide" at http://download.oracle.com/docs/cd/E12839_01/integration.1111/e10226/bam_manage.htm#CIHJJGFJ

• Timecapsule folder permissions

  Is there any way to set specific folder permissions on a time capsule?
  Currently our time capsule is being used as a work server and we would like to restrict access to certain folders for specific users - there seems to be no way to obviously achieve this.
  Thanks in advance,
  Stu

  Yes, you can set the Time Capsule up to require an account name and password rather than use just the Time Capsule password. That would create separate user folders on the Time Capsule harddrive that can only be accessed by knowing those authentication details.
  Note that if somebody has the admin password for that Time Capsule, they can disable this feature and make the backups visible for everybody, so make sure the Time Capsule password is secure and the base station is not in a location where somebody can reset it. The following articles talk about using this feature.
  Mac OS X 10.5: Security tips for using Time Machine over a network
  http://support.apple.com/kb/HT3446
  Keeping Time Machine backups secure
  http://docs.info.apple.com/article.html?path=Mac/10.6/en/21241.html

• Powershell: Set Access Based Enumeration on share in Failover Cluster

  Hi guys, 
  I'm facing the following problem. Below you see my script to create a shared folder. (My folder share is visible in failover cluster manager, underneath clustergroup TESTSTO01.) 
  Now I need to enable Access Based Enumeration on this share. Has anyone a clue how to do that in powershell? (Version 2). 
  I also need to make sure that the files and programs are not available offline. 
  Thanks in advance! 
  $SHARE_READ = 1179817     # 100100000000010101001  
  $SHARE_CHANGE = 1245631 # 100110000000100010110     
  $SHARE_FULL = 2032127     # 111110000000111111111  
  $SHARE_NONE = 1         # 000000000000000000001  
  $ACETYPE_ACCESS_ALLOWED = 0  
  $ACETYPE_ACCESS_DENIED = 1  
  $ACETYPE_SYSTEM_AUDIT = 2  
  $ACEFLAG_INHERIT_ACE = 2  
  $ACEFLAG_NO_PROPAGATE_INHERIT_ACE = 4  
  $ACEFLAG_INHERIT_ONLY_ACE = 8  
  $ACEFLAG_INHERITED_ACE = 16  
  $ACEFLAG_VALID_INHERIT_FLAGS = 31  
  $ACEFLAG_SUCCESSFUL_ACCESS = 64  
  $ACEFLAG_FAILED_ACCESS = 128  
  # New Trustee  
  function New-Trustee($Domain, $User)  
  $Trustee = ([WMIClass]"\\TESTSTO01\root\cimv2:Win32_Trustee").CreateInstance()
      $Trustee.Domain = $Domain  
      $Trustee.Name = $User  
      if ($User -eq "Administrators")
  {$Trustee.SID = @(1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0,32,2,0,0)}
  else 
  {$Trustee.SID = @(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)} 
      return $Trustee  
  # New ACE  
  function New-ACE($Domain, $User, $Access, $Type, $Flags)  
  $ACE = ([WMIClass]"\\TESTSTO01\root\cimv2:Win32_ACE").CreateInstance()
      $ACE.AccessMask = $Access  
      $ACE.AceFlags = $Flags  
      $ACE.AceType = $Type  
      $ACE.Trustee = New-Trustee $Domain $User 
      return $ACE   
  # Get SD  
  function Get-SD
  $sd = ([WMIClass]"\\TESTSTO01\root\cimv2:Win32_SecurityDescriptor").CreateInstance()  
  $ACE1 = New-ACE -Domain $null -User "Everyone" -Access $SHARE_CHANGE -Type $ACETYPE_ACCESS_ALLOWED -Flags $ACEFLAG_INHERIT_ACE  
  $ACE2 = New-ACE -Domain $null -User "Administrators" -Access $SHARE_FULL -Type $ACETYPE_ACCESS_ALLOWED -Flags $ACEFLAG_INHERIT_ACE 
  [System.Management.ManagementObject[]] $DACL = $ACE1, $ACE2
  $sd.DACL =$DACL
  return $sd
  # Create-Share  
  function Create-Share($ShareName, $Path, $Comment,$Access)  
      $checkShare = (Get-WmiObject Win32_Share -Filter "Name='$ShareName'")  
      if ($checkShare -ne $null) {  
          # "Share exists and will now be deteted!!!"  
          get-WmiObject Win32_Share -Filter "Name='$ShareName'" | foreach-object { $_.Delete() }  
      $wmishare = [WMIClass] "\\TESTSTO01\ROOT\CIMV2:Win32_Share"  
  $Access = Get-SD
      $R = $wmishare.Create($Path,$Sharename,0,$null,$Comment,"", $Access)  
      if ($R.ReturnValue -ne 0) {  
          Write-Error "Error while creating share: " + $R.ReturnValue  
          exit  
      # Write-Host "Share has been created."  
  # Create first share with permissons **********************************  
  $ShareName = "$Company$"  
  $Path = "$Driveletter" + ":\$Company"  
  $Comment = ""  
  $Domain = $Null 
  Create-Share $ShareName $Path $Comment $Access

  Unable to find type [CmdletBinding(SupportsShouldProcess=$TRUE)]: make sure tha
  t the assembly containing this type is loaded.
  At C:\Script Nathalie\Everyware2.ps1:294 char:45
  + [CmdletBinding(SupportsShouldProcess=$TRUE)] <<<<
      + CategoryInfo          : InvalidOperation: (CmdletBinding(S...dProcess=$T
     RUE):String) [], RuntimeException
      + FullyQualifiedErrorId : TypeNotFound
  The term 'param' is not recognized as the name of a cmdlet, function, script fi
  le, or operable program. Check the spelling of the name, or if a path was inclu
  ded, verify that the path is correct and try again.
  At C:\Script Nathalie\Everyware2.ps1:295 char:6
  + param <<<< (
      + CategoryInfo          : ObjectNotFound: (param:String) [], CommandNotFou
     ndException
      + FullyQualifiedErrorId : CommandNotFoundException
  The term 'begin' is not recognized as the name of a cmdlet, function, script fi
  le, or operable program. Check the spelling of the name, or if a path was inclu
  ded, verify that the path is correct and try again.
  At C:\Script Nathalie\Everyware2.ps1:304 char:6
  + begin <<<<  {
      + CategoryInfo          : ObjectNotFound: (begin:String) [], CommandNotFou
     ndException
      + FullyQualifiedErrorId : CommandNotFoundException
  Get-Process : Cannot evaluate parameter 'Name' because its argument is specifie
  d as a script block and there is no input. A script block cannot be evaluated w
  ithout input.
  At C:\Script Nathalie\Everyware2.ps1:331 char:8
  + process <<<<  {
      + CategoryInfo          : MetadataError: (:) [Get-Process], ParameterBindi
     ngException
      + FullyQualifiedErrorId : ScriptBlockArgumentNoInput,Microsoft.PowerShell.
     Commands.GetProcessCommand
  The term 'end' is not recognized as the name of a cmdlet, function, script file
  , or operable program. Check the spelling of the name, or if a path was include
  d, verify that the path is correct and try again.
  At C:\Script Nathalie\Everyware2.ps1:345 char:4
  + end <<<<  {
      + CategoryInfo          : ObjectNotFound: (end:String) [], CommandNotFound
     Exception
      + FullyQualifiedErrorId : CommandNotFoundException
  The term 'set-shareABE' is not recognized as the name of a cmdlet, function, sc
  ript file, or operable program. Check the spelling of the name, or if a path wa
  s included, verify that the path is correct and try again.
  At C:\Script Nathalie\Everyware2.ps1:348 char:13
  + set-shareABE <<<<  TESTSTO01 $Company$ -Enable
      + CategoryInfo          : ObjectNotFound: (set-shareABE:String) [], Comman
     dNotFoundException
      + FullyQualifiedErrorId : CommandNotFoundException

• User share folder not passing permissions to subfolders

  I set up sharing properly best as I can tell between two user accounts on my iMac, however, sharing permissions do not pass to the subfolders I put into the user share folder. Do I have to assign permissions to every folder individually? This can't be right??

  OK, I found the the small gear icon at the bottom of the "Get Info" window. Unlock the Get Info window, click the gear icon and select "apply to enclosed items". Permissions work OK now. This little setting was not easy to find.

• Have to keep setting folder permissions on folders within a shared folder

  My husband and I both have iMacs and had problems with permissions being set to read only for everyone but him on his iMac. The problem is within a shared folder named Butterflies on his iMac. In a previous question I posted I was told to set ACLs using terminal for all files and folders in the Butterflies folder which is within the documents folder on his computer.
  This worked at the time but now the same problem is cropping up. He tried to run the same command on his computer (he is logged in as administrator) and the message comes up "unable to reset permissions" for each file in the Butterflies folder. We upgraded both computers to OS X 10.5.7 when it came out a while back but this started happening just yesterday. Is this some problem requiring an update we haven't installed yet?
  Thanks in advance...
  Kim

  The important thing to remember with inherited ACLs is that new files must be newly created or copied into the folder hierarchy for them to properly inherit the new permissions. If you make a new folder on your Desktop, and then move it into your sharing folder by drag and drop, it won't inherit the ACL properly and will still be read-only for others. It you have existing files that you want in the share folder, hold down the option key while dragging them in. That will make new copies of them, and then you can delete the originals.
  Also note that some apps (like Apple's TextEdit) will ignore the ACL if you try to directly save their files in the ACL folder. Save TextEdit files in a temporary location first, and then copy them in to the sharing folder.
  Also, be aware that most backup programs will strip off ACLs from the backups if the ACLs were inherited from a parent folder. Apple's Disk Utility, Time Machine, Finder, etc all have this problem. If you use SuperDuper or Carbon Copy Cloner to make backups then you can be sure that all your inherited ACLs are being copied properly.
  I know these ACL limitations are irritating. I use inherited ACLs to share files between my wife's and my user accounts, and these limitations sure irritate me. I think that ACLs are poorly implemented in OS X. I hope and wish that ACL handling will be improved in future OS X releases.

• Correct syntax to set "send as" permissions through Powershell

  Hello,
  A colleague of mine gave me a Powershell command to set "send as" permissions on a mailbox. His syntax is the following:
  Add-ADPermission -Identity UserBeingGrantedPermission -User UserWhoseMailboxIsBeingConfigured -ExtendedRights 'Send-As'
  In that example the user mentioned after "-User" is the one who's mailbox is being configured. Easy enough. Earlier Technet articles also use this syntax.
  However, I stumbled across the
  following article. Which clearly says:
  This example grants Send As permissions for Aaron Painter to Terry Adams's mailbox.
  Add-ADPermission -Identity "Terry Adams" -User AaronPainter -AccessRights ExtendedRight -ExtendedRights "Send As"
  In this example "-User" is not the one mailbox that is being configured but the person that gets the rights.
  So who is right? Technet or Technet?

  Hi Fr0ns,
  Your colleague mistook it a little bit, (and I don't think he can compete with the Technet library :)
  -User <is always someone who is given permissions to>. In the Technet example - AaronPainter gets the permission to
  Send As Terry Adams.
  You can check it yourself pretty easily - enable command logging and attempt to assign the permissions with GUI where you clearly know who gets what.
  ▲ Vote if Helpful / Mark if Answer
  MCSE: Messaging 2013 Charter / Private Cloud / Server Infrastructure
  MaximumExchange.ru

• Advise about setting up a permissons on Lion server for a small office.

  What is the common wisdom and advise about setting up permissions optimally for a small office using OS X Lion Server as a file server?  I thought I had this solved by setting the ACL permissions so that all users and appropriate groups can read and write all files on the server.  This works great until a new file is created.  Then it appears that the POSIX umask kicks in and takes priority over the ACL permissions.  I need to allow group write permissions on all new files.  My options seem to be:
  Make everyone an admin - not great for obvious security reasons
  Change the umask for the whole machine - also security problems, though perhaps fewer than the everyone-an-admin route above
  Write a folder action applescript to add group write permission on all new files.  This works fine if you have a static number of folders  With new folders it has the problem: How do new folders created by non-admin users get this folder action automatically applied to them - some cronjob to hunt down the new folders; an applesscrpt folder action that adds a folder action to all new folders (sounds recursively complicated)?
  Have a cron job regularly do something like  `chmod -R 664` on all files.  This will break during those between the cracks times between when someone creates a new file and when the cronjob runs - not ideal.
  Seems like this should be easier which makes me think I'm missing something obvious.
  Any help great appreciated.  Thank you in advance!

  Good-heart's advice is certainly your first step, but if you've already done that and still have the problem you've described, you might have the 10.7.3 ACL bug, particularly if your users and groups are in an OD or AD rather than being local accounts on the server. The problem is that ACL's for directory accounts are incorrectly ignored, resulting in POSIX permissions coming into play.
  I've descibed my workaround for this here;
  https://discussions.apple.com/message/18037703
  I haven't yet tried the other trick I've read about, which is to ensure your Share's data directories are at least one level down on the volume - there is a post here on the Communities that mentions this;
  https://discussions.apple.com/message/18028746
  I seem to remember that this helped with an earlier version of AFP, if using external firewire or usb storage.
  Let us know if you find a fix, it seems a number of people have problems with this.
  Regards,
  Ian

• Question about folder permissions

  I have set up separate user accounts for myself (as administrator) and my wife and four kids (a total of six user accounts). After having problems in iTunes and iPhoto with messages regarding "locked disk, or no access" I created a group called "family" which includes all the user accounts plus admin and root. I then changed the folder permissions for all the user subfolders (and their subfolders) to be as follows:
  owner = Eric, access = read & write
  group = family, access = read & write
  others = read only
  (Note that the folder permissions for the Users folder itself are the original ones, i.e., owner = system, access = read & write; group = admin, access = read & write; others = read only.)
  Are the changes I made unnecessary or incorrect? An alternative scheme that was recommended by someone in a thread pertaining to the iTunes "locked disk" issue was the following for a given user (presumably someone other than the administrator):
  owner = (user name), access = read & write
  group = (user name), access = read only
  others = read only
  Any comments/advice will be welcome.

  Hi Eric55,
  I want to suggest two things:
  You yourself should use a non-admin account for daily
  work. An administrator should administrate, and
  should not write a letter. This would reduce risks of
  malicious software doing bad things to your whole
  system (since it would have your admin rights) and
  you yourself doing bad things without noticing (like
  deleting important files accidentically just because
  you can do so without warning).
  Many thanks for your very helpful reply. I can see the wisdom of what you're suggesting. So, should I just create another account, e.g., called "Eric2," that I use for routine work, leaving the "Eric" account that has admin rights alone except when needed for admin tasks?
  Regarding your question with folder permission: There
  is a folder named "Shared" that should hold all the
  files that everyone needs to have access to. The
  important bit is that the files in it must also be
  available to everyone.
  I had understood from the book I bought ("Mac OS X, The Missing Manual, Tiger Edition," by David Pogue) that all users have access to the Shared folder and its contents. In fact, this is how I got into this whole issue of folder permissions. Pogue's book suggests putting music (MP3) files into the Shared folder (rather than leaving them in each user's Music folder) so that all users can share them in iTunes (after switching the iTunes music folder location to the Shared. . . folder). I did this, but then my son, working from within his user account, was unable to copy the contents of a music CD into the Shared folder. That got me started on what seems to have been a misguided effort to expand folder permissions so that he (and other users) would have read & write access to the Shared folder, not just read only access.
  But once I did that, the kids starting having problems with iTunes and iPhoto from their user accounts. For example, a common problem was that when trying to open iTunes they would get an error message saying that iTunes was on a locked disk or they didn't have permission to access the folder. This didn't make sense, since I thought I'd expanded their access rights sufficiently by putting them in a "family" group and giving that group R&W access. So at that point, I concluded that I didn't understand permissions well enough!
  And for this a common group is
  alright, but Mac OS does not do this automatically;
  all files copied there must be changed manually (or
  by a folder action Apple Script, if you know how to
  do this) to this group and have the proper rights
  set.
  That's what I thought I'd done with my "family" group, but that seems to have created more problems that it solved.
  BTW, I would not put admin or root users in this
  common group, again out of caution.
  OK, makes sense.
  And user folders
  should belong to users, not to everyone. Just my
  thinking ...
  Again, what I was basically trying to accomplish was to have all the music files in the Shared folder, but at the same time make it possible for individual users to add music to the Shared folder. Maybe you have some suggestions for how to do that, and for how to revise the permissions I set up, e.g., to put them back to how they were before. If so, many thanks in advance!
  --Eric

• Need to set read/write permissions to ALL subfolders

  So I have a clients folder created on the server, and workgroup with employees setup to access the shared clients folder. You can log onto it from outside, and access the folders. However they all need to be able to write as well; save files, move files, etc.
  I have the permissions set for the workgroup to read/write on the clients root folder, but it only applies to that folder. Any folders underneath it dont take effect. And there are hundreds of folders and subfolders.
  Obviously there must be an option so that i the permissions i set to the root clients folder are applied to ALL subfolders! How do i do it?!
  Please and thanks!

  Server Admin>File Sharing>Share Points, Permissions tab, click on the gear icon and select "Propagate Permissions..."