Set NTFS folder permissions

Similar Messages

• Setting SharePoint folder permissions

  Our school has just got SharePoint 2013, and I have been tasked with setting up a folder structure for the Teachers.
  What they want is a Department Folder in the Root, and inside the Department Folder the Facility  Folder, and inside that the Subject Folder, and lastly a private Teacher Folder for storing and preparing work.
  EG:
  Department/Science/Biology/MGreen
  Department/Languages/French/RSmith
  Department/Languages/Latin/TJones
  I have setup the directory structure already, my question is how do make the Teacher Folder Private, so only they can view files inside?
  Many thanks

  Hi,
  According to your description, my understanding is that you want to make the Teacher Folder with unique permissions so that only the specific teacher has permissions to it.
  The following are the steps to set up unique permissions: 
  Navigate to the subfolder you want to configure with unique permissions.
  On that subfolder, select Manage Permissions from the drop-list under that subfolder.
  Under Permissions Tools, click: Stop Inheriting Permissions.
  A dialog box that says, "You are about to create unique permissions for this folder. Changes made to the parent folder will no longer affect this folder."  Click OK.
  Then delete all SharePoint security groups. After that, assign permissions to the specific teacher.
   Best Regards,
  Wendy
  Wendy Li
  TechNet Community Support

• Setting NTFS Folder ACLs via GPO not working on 2012 R2

  I have configured some NTFS folder persmissions using a GPO in
  Computer configuration/Windows Settings/Security Settings/File System/
  Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
  This works great on all my Server 2008R2 boxes. But it has no effect on my 2012R2 boxes! 
  gpresult /z indicates that the policy is read and applied.   
  Why doesn't this work for 2012 R2 servers? 
  Many thanks.

  > This works great on all my Server 2008R2 boxes. But it has no effect on
  > my 2012R2 boxes!
  check %windir%\security\logs\winlogon.log - that's where file system
  permissions are logged.
  In addition, it might be that SYSTEM hasn't full access to the folder
  you want to modify?
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Unable to set Public Folder Permissions

  I have created a Public Folder Mailbox and Public Folder. When I go to set permissions via the EAC, the "User" field is grayed out...when I Browse for a user I can search and select a user, but that user is not carried over to the User field where
  you would set permissions.  I am unable to see ANYYONE with permissions via the EAC. However, when I access my Public Folders in Outlook 2013, I and a co-worker both have "Author" level permissions.
  I am an Administrator on the system and have added myself to the Public Folders role and anything else that looked even remotely related :-o
  Thanks for the help!
  -Nick 

  Hi,
  We can try settings the permission on the specific folders by using the exFolders tool:
  https://gallery.technet.microsoft.com/office/Exchange-2010-SP1-ExFolders-e6bfd405
  Thanks,
  Simon Wu
  TechNet Community Support

• Powershell Setting Share Folder Permissions

  I have a script that create a shared folder and I am trying to set permissions. Here is what I have so far:
  $serverName = "myfileserver"
  $folderName = "d:\Personal"
  $shareName = $newSAM+"$"
  $fullName = "\\$serverName\"+$folderName.Replace(":", "$")+"\$newSAM"
  # Creating the Directory
  $finalResult = New-Item $fullName -type directory
  $trustee = ([wmiclass]"Win32_trustee").psbase.CreateInstance()
  $trustee.Domain = "domain.com"
  $trustee.Name = $newSAM
  $ace = ([wmiclass]"Win32_ACE").psbase.CreateInstance()
  $ace.AccessMask = 2032127
  $ace.AceFlags = 3
  $ace.AceType = 0
  $ace.Trustee = $trustee
  $trustee2 = ([wmiclass]"Win32_trustee").psbase.CreateInstance()
  $trustee2.Domain = "domain.com"
  $trustee2.Name = "administrator"
  $ace2 = ([wmiclass]"Win32_ACE").psbase.CreateInstance()
  $ace2.AccessMask = 2032127
  $ace2.AceFlags = 3
  $ace2.AceType = 0
  $ace2.Trustee = $trustee2
  $trustee3 = ([wmiclass]"Win32_trustee").psbase.CreateInstance()
  $trustee3.Domain = $serverName
  $trustee3.Name = "administrator"
  $ace3 = ([wmiclass]"Win32_ACE").psbase.CreateInstance()
  $ace3.AccessMask = 2032127
  $ace3.AceFlags = 3
  $ace3.AceType = 0
  $ace3.Trustee = $trustee3
  $sd = ([wmiclass]"Win32_SecurityDescriptor").psbase.CreateInstance()
  $sd.ControlFlags = 4
  $sd.DACL = $ace, $ace2, $ace3
  $sd.group = $trustee3
  $sd.owner = $trustee3
  # Creating the Folder Share
  $finalResult = Invoke-WmiMethod -Class win32_share -name Create -ArgumentList @($sd,"",4294967295,$shareName,"","$folderName\$newSAM",0) -computername $serverName
  The folder is created correctly but I am getting this error when setting permissions: 
  Exception setting "DACL": "Unable to cast object of type 'System.Management.Automation.PSObject' to type 'System.Manage
  ment.ManagementBaseObject'."

  I am testing it against a remote 2003 R2 SP2 server...
  I have upgraded to Powershell v3 in my frustation (although I would rather have worked with the default like our helpdesk folks who will be running this - now we have to install this on all their machines)... Anyway...
  I do not get any more errors when I run it, but it still does not add and share permissions... All it had is 'Everyone' as the sole group in the Permissions area...
  Here again is the code I ran:
  $serverName = "myServer"
  $folderName = "d:\Users"
  $shareName = $newSAM+"$"
  $fullName = "\\$serverName\"+$folderName.Replace(":", "$")+"\$newSAM"
  # Creating the Directory
  $finalResult = New-Item $fullName -type directory
  # AccessMasks:
  # 2032127 = Full Control
  # 1245631 = Change
  # 1179817 = Read
  $trustee = ([wmiclass]"Win32_trustee").psbase.CreateInstance()
  $trustee.Domain = "domain"
  $trustee.Name = "administrator"
  $ace = ([wmiclass]"Win32_ACE").psbase.CreateInstance()
  $ace.AccessMask = 2032127
  $ace.AceFlags = 3
  $ace.AceType = 0
  $ace.Trustee = $trustee
  $trustee2 = ([wmiclass]"Win32_trustee").psbase.CreateInstance()
  $trustee2.Domain = "BUILTIN"  #Or domain name
  $trustee2.Name = "Administrators"
  $ace2 = ([wmiclass]"Win32_ACE").psbase.CreateInstance()
  $ace2.AccessMask = 2032127
  $ace2.AceFlags = 3
  $ace2.AceType = 0
  $ace2.Trustee = $trustee2
  $trustee3 = ([wmiclass]"Win32_trustee").psbase.CreateInstance()
  $trustee3.Domain = "domain"
  $trustee3.Name = $newSAM
  $ace3 = ([wmiclass]"Win32_ACE").psbase.CreateInstance()
  $ace3.AccessMask = 2032127
  $ace3.AceFlags = 3
  $ace3.AceType = 0
  $ace3.Trustee = $trustee3
  $sd = ([wmiclass]"Win32_SecurityDescriptor").psbase.CreateInstance()
  $sd.ControlFlags = 4
  $sd.DACL = [System.Management.ManagementBaseObject[]] ($ace, $ace3)
  $sd.group = $trustee2
  $sd.owner = $trustee2
  # Creating the Folder Share
  $finalResult = Invoke-WmiMethod -Class win32_share -name Create -ArgumentList @($sd, "", 4294967295, $shareName, "", "$folderName\$newSAM", 0) -computername $serverName -EnableAllPrivileges
  I will change this manually so that I perform this on my laptop and report what results I get....

• Difference between Share Permissions and Security NTFS Folder Permissions

  What is the main difference between share and security in
  1. 2003 server and above:
  2. How in Organisations share data folder for users
  AS per me i Have following conclusion 
  1.
  Yes - Always open up Share permissions to Everyone-Full and the ACL (apply permissions) to the actual data
  folders (must be NTFS). With NT4 and W2000 you can leave the Share permissions at default when you create them and just ACL the NTFS data structures.
  With W2003, the default Share permission is locked down to Read, and as Share permissions over-ride NTFS permissions,
  even if you have Write access in the data folders, accessing via the Share will restrict to Read-Only, so you must open up the Share permissions on all new W2003 Shares that you create.
  2.
  Yes you can. Share the top level directory of your data. Open up the Share permissions to Everyone - Full,
  and then ACL the sub-folders appropriately for you different user access requirements. Don't permission (ACL) any data with 'Everyone' always use Groups (or users if you must...e.g. Home Directories), and at minimum for 'public' data use 'Authenticated Users'.
  Users will all be able to access the share, but only access folders and data that you allow via the NTFS permissions (ACLs).
  The only other way is to create separate shares for each different access requirement - a pain and none too
  flexible. Also if with W2K3 you leave the default Share permission (Read), even though you grant 'Write' NTFS permissions on the data, your users won't be able to write new data or make changes if they access via the Share, as Share permissions over-ride the
  NTFS permissions.
  If You have any other options so please suggest me or otherwise mark it as Answer 

  Sounds good. :)
  Arnav Sharma | http://arnavsharma.net/ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading
  the thread.

• Active studio folder permissions

  I am unable to set folder permissions in Shared Reports by using an ldap group to specify access, it only works when I set the folder permissions by using a specific ldap user. When I use the ldap group and login by the user which is a member of the group mentioned above I don`t see any folders. Is there a workaround possible ? Thnx.

  That is strange. I think you are confusing confusing enterprise groups (e.g. LDAP) with BAM application roles (e.g. Administrator, ReportCreator, etc.). BAM only adds/synchronizes enterprise groups if those groups have assigned BAM application roles. This is done to make sure that users are assigned the correct BAM application roles even when the role is granted by virtue of membership in an enterprise group that is assigned that application role. This is done for both login and registerUser(), so their is no difference between the two regarding enterprize groups.
  See section 23.3.3 on BAM application role vis-a-vis wls/ldap groups in "Managing BAM Guide" at http://download.oracle.com/docs/cd/E12839_01/integration.1111/e10226/bam_manage.htm#CIHJJGFJ

• Timecapsule folder permissions

  Is there any way to set specific folder permissions on a time capsule?
  Currently our time capsule is being used as a work server and we would like to restrict access to certain folders for specific users - there seems to be no way to obviously achieve this.
  Thanks in advance,
  Stu

  Yes, you can set the Time Capsule up to require an account name and password rather than use just the Time Capsule password. That would create separate user folders on the Time Capsule harddrive that can only be accessed by knowing those authentication details.
  Note that if somebody has the admin password for that Time Capsule, they can disable this feature and make the backups visible for everybody, so make sure the Time Capsule password is secure and the base station is not in a location where somebody can reset it. The following articles talk about using this feature.
  Mac OS X 10.5: Security tips for using Time Machine over a network
  http://support.apple.com/kb/HT3446
  Keeping Time Machine backups secure
  http://docs.info.apple.com/article.html?path=Mac/10.6/en/21241.html

• Most efficient/quickest way to set NTFS permissions in PowerShell

  Hello all,
  Trying to figure out what the most efficient/quickest way to set NTFS permissions via PowerShell is. I am currently using ICACLS but it is taking FOREVER as I can't figure out how to make inheritance work with this command.
  This has prompted me to begin looking at other options for setting NTFS permissions in PowerShell, and I wondered what everyone here likes to use for this task in PowerShell?

  Ah ok. Unfortunately, my ICACLS is taking FOREVER. Here is the code I'm using:
  ICACLS "C:\users\[user]\Desktop\test" /grant:r ("[user]" + ':r') /T /C /Q
  However:
  1.  I can't figure out how to make the inheritance parameter work with ICACLS
  2. If I do make the inheritance parameter work with ICACLS, I still need a way to add the permission to child objects that aren't inheriting.
  Any tips on how to improve performance of ICACLS?
  1. icacls folder /grant GROUPNAME:(OI)(CI)(F)  (i will post corrected code later, this works in CMD but not powershell couse of bracers)
  2.  get-childitem -recurse -force |?{$_.psiscontainer} |%{icacls ....}  (or u can list only folders where inheritance is disabled and apply icacls just on them)
  I think jrv and Mekac answered the first question about inheritance flags. I would just add that you probably don't want to use the /T switch with icacls.exe because that appears to set an explicit entry on all child items (that's probably why it's taking
  so long).
  For your second question, I'd suggest using the Get-Acl cmdlet. It throws terminating errors, so I usually wrap it in a try/catch block. Something like this might work if you just wanted the paths to files/folders that aren't inheriting permissions:
  dir $Path -Recurse | ForEach-Object {
  try {
  Get-Acl $_.FullName | where { $_.AreAccessRulesProtected } | ForEach-Object { Convert-Path $_.Path }
  catch {
  Write-Error ("Get-Acl error: {0}" -f $_.Exception.Message)
  return
  If you're looking for speed/performance, you don't want to just use the PowerShell Access Control (PAC) module that Mike linked to above by itself. It's implemented entirely in PowerShell, so it's incredibly slow right now (unless you use it along with Get-Acl
  / see below for an example). I'm slowly working on creating a compiled version that is much faster, and I think I'm pretty close to having something that I can put in the gallery.
  Since I wasn't sure which command would give you the best results, I used Measure-Command to test a few different ones. Each of the following four commands should do the exact same thing. Here are my results (note that I just ran the commands a few times
  and averaged the results on a test system; this wasn't very rigorous testing):
  # Make sure that this folder and user/group exist:
  $Path = "D:\TestFolder"
  $Principal = "TestUser"
  # Native PowerShell/.NET -- Took about 15 ms
  $Acl = Get-Acl $Path
  $Acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
  $Principal,
  "Read", # [System.Security.AccessControl.FileSystemRights]
  "ContainerInherit, ObjectInherit", # [System.Security.AccessControl.InheritanceFlags]
  "None", # [System.Security.AccessControl.PropagationFlags]
  "Allow" # [System.Security.AccessControl.AccessControlType]
  (Get-Item $Path).SetAccessControl($Acl)
  # PAC Module 3.0 w/ PowerShell/.NET commands -- Took about 35 ms
  $Acl = Get-Acl $Path | Add-AccessControlEntry -Principal $Principal -FolderRights Read -PassThru
  (Get-Item $Path).SetAccessControl($Acl)
  # icacls.exe -- Took about 40ms
  icacls.exe $Path /grant "${Principal}:(OI)(CI)(R)"
  # PAC Module 3.0 w/o Get-Acl -- Took about 350 ms
  Add-AccessControlEntry -Path $Path -Principal $Principal -FolderRights Read -Force
  Unless I messed something up, it looks like the native PowerShell/.NET commands are faster than icacls.exe, at least for modifying a single folder's DACL.

• Unable to set NTFS permissions on share using PowerShell. The user shows up with no rights checked off.

  I am having a little problem here with setting NTFS permissions via PowerShell. 
  Basically I am able to make a new directory on the share, and assign a user NTFS permissions however it just assigns the select user without any permissions set.
  $username = "test.user"
  $directory = "\\testlab-sv01\Share\newfolder"
  New-Item -Path $directory -ItemType Directory
  $colRights = [System.Security.AccessControl.FileSystemRights]"FullControl"
  $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
  $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
  $objType =[System.Security.AccessControl.AccessControlType]::Allow
  $objUser = New-Object System.Security.Principal.NTAccount("$username")
  $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
  $objACL = Get-ACL $directory
  $objACL.AddAccessRule($objACE)
  Set-ACL $directory $objACL
  A side question, why isn't this native in Powershell? Is it for security reasons? I expected there to be a cmdlet for it. 
  Thanks. 
  Kyle

  When you say there are no permissions, do mean that the ACL Editor is showing 'Special permissions' and none of the other boxes are checked?
  Try changing the inheritance and propagation flags to this:
  $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit, ObjectInherit"
  $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
  That sets the ACE to apply to the folder (InheritOnly propagation flag isn't set) , subfolders (ContainerInherit inheritance flag is set), and files (ObjectInherit inheritance flag is set), which is necessary for the ACE to not be considered 'special' in
  the ACL Editor.
  Awesome. Thanks. That did work. 
  And yes I did mean that it was showing special permissions with nothing checked. 
  Kyle

• Advise about setting up a permissons on Lion server for a small office.

  What is the common wisdom and advise about setting up permissions optimally for a small office using OS X Lion Server as a file server?  I thought I had this solved by setting the ACL permissions so that all users and appropriate groups can read and write all files on the server.  This works great until a new file is created.  Then it appears that the POSIX umask kicks in and takes priority over the ACL permissions.  I need to allow group write permissions on all new files.  My options seem to be:
  Make everyone an admin - not great for obvious security reasons
  Change the umask for the whole machine - also security problems, though perhaps fewer than the everyone-an-admin route above
  Write a folder action applescript to add group write permission on all new files.  This works fine if you have a static number of folders  With new folders it has the problem: How do new folders created by non-admin users get this folder action automatically applied to them - some cronjob to hunt down the new folders; an applesscrpt folder action that adds a folder action to all new folders (sounds recursively complicated)?
  Have a cron job regularly do something like  `chmod -R 664` on all files.  This will break during those between the cracks times between when someone creates a new file and when the cronjob runs - not ideal.
  Seems like this should be easier which makes me think I'm missing something obvious.
  Any help great appreciated.  Thank you in advance!

  Good-heart's advice is certainly your first step, but if you've already done that and still have the problem you've described, you might have the 10.7.3 ACL bug, particularly if your users and groups are in an OD or AD rather than being local accounts on the server. The problem is that ACL's for directory accounts are incorrectly ignored, resulting in POSIX permissions coming into play.
  I've descibed my workaround for this here;
  https://discussions.apple.com/message/18037703
  I haven't yet tried the other trick I've read about, which is to ensure your Share's data directories are at least one level down on the volume - there is a post here on the Communities that mentions this;
  https://discussions.apple.com/message/18028746
  I seem to remember that this helped with an earlier version of AFP, if using external firewire or usb storage.
  Let us know if you find a fix, it seems a number of people have problems with this.
  Regards,
  Ian

• File and folder permissions for Adobe Photoshop CS5

  Good day,
  I am an IT specialist and I work for a Canadian governement agency and we are having an issue with Photoshop CS5. After successfully installing Photoshop CS5 from the Adobe Creative Suite 5 Design Premium set(using a local machine administrator account), Photoshop crashes immidiatly after launching it(even with the local administrator account). The exact error message is as follows:
  The instruction at "0x230dad8dc" referenced memory at "0x00000000". The memory could not be "read".
  Click on OK to terminate the program
  Click on CANCEL to debug the program
  I know this is an environement issue and not an application or hardware issue since I was able to successfully install and run Adobe Photoshop CS5 on a plain vanilla install of Windows SP3 XP on the same model of workstation(HP DC7800). This later also confirms it is not a RAM or video adapter issue either. My experience tells me it would be more related to file/folder permissions on the workstation(although I'm open to other suggestions).  Because we are a governement agency, our workstations have machine and user policies and desktop configurations that get applied to the workstations automatically upon joining our domain via GPOs and SMS. Certain system files and folder permissions may be locked down for security reasons therefor I was wondering is someone has a list of files and folders that Adobe CS5 needs access to upon startup in order to properly function?
  If anyone would like more details or information please let me know and I'll try to be more specific.
  Thanks in advance to all who take the time to read and help out!

  I appreciate that you're trying to surmise what's different, and it's good that you have had success with similar/identical hardware.  At least you know it can work.
  However, I wouldn't bet just yet that it's a permissions issue.  I'd think you should get a specific error if a locked-down file needed to be accessed, not a null pointer crash.  The Photoshop installer should be setting up the proper permissions on its own files for it to run.
  Is it exactly the same video card as the other computer, on which Photoshop works?
  Are you sure the video drivers are up to date with the same version as on the other computer?
  At exactly what point during startup does the failure occur (i.e., is the splash screen showing, and what does the status line in the splash screen say it's doing)?
  -Noel

• How to set default file permissions for applicatio...

  I have the nokia n86 and was wondering if there was any way of setting the file permissions of a program via the phone. To put it in context, i downloaded a program that edits photos but everytime i try to load a picture from my phone it asks me (for every single folder in my phone, not just the photo ones) if the program can open it. I can be there clicking yes all day as i there is a lot of folders and subfolders on the phone. I know sony ericssons had an option where you could select the programs permissions to always ask or never ask but i cant seem to find a similar option on the nokia.
  Does anyone have any ideas?

  Same issue here. Everything I put on the drive is set to Read-only for the group.

• Question about folder permissions

  I have set up separate user accounts for myself (as administrator) and my wife and four kids (a total of six user accounts). After having problems in iTunes and iPhoto with messages regarding "locked disk, or no access" I created a group called "family" which includes all the user accounts plus admin and root. I then changed the folder permissions for all the user subfolders (and their subfolders) to be as follows:
  owner = Eric, access = read & write
  group = family, access = read & write
  others = read only
  (Note that the folder permissions for the Users folder itself are the original ones, i.e., owner = system, access = read & write; group = admin, access = read & write; others = read only.)
  Are the changes I made unnecessary or incorrect? An alternative scheme that was recommended by someone in a thread pertaining to the iTunes "locked disk" issue was the following for a given user (presumably someone other than the administrator):
  owner = (user name), access = read & write
  group = (user name), access = read only
  others = read only
  Any comments/advice will be welcome.

  Hi Eric55,
  I want to suggest two things:
  You yourself should use a non-admin account for daily
  work. An administrator should administrate, and
  should not write a letter. This would reduce risks of
  malicious software doing bad things to your whole
  system (since it would have your admin rights) and
  you yourself doing bad things without noticing (like
  deleting important files accidentically just because
  you can do so without warning).
  Many thanks for your very helpful reply. I can see the wisdom of what you're suggesting. So, should I just create another account, e.g., called "Eric2," that I use for routine work, leaving the "Eric" account that has admin rights alone except when needed for admin tasks?
  Regarding your question with folder permission: There
  is a folder named "Shared" that should hold all the
  files that everyone needs to have access to. The
  important bit is that the files in it must also be
  available to everyone.
  I had understood from the book I bought ("Mac OS X, The Missing Manual, Tiger Edition," by David Pogue) that all users have access to the Shared folder and its contents. In fact, this is how I got into this whole issue of folder permissions. Pogue's book suggests putting music (MP3) files into the Shared folder (rather than leaving them in each user's Music folder) so that all users can share them in iTunes (after switching the iTunes music folder location to the Shared. . . folder). I did this, but then my son, working from within his user account, was unable to copy the contents of a music CD into the Shared folder. That got me started on what seems to have been a misguided effort to expand folder permissions so that he (and other users) would have read & write access to the Shared folder, not just read only access.
  But once I did that, the kids starting having problems with iTunes and iPhoto from their user accounts. For example, a common problem was that when trying to open iTunes they would get an error message saying that iTunes was on a locked disk or they didn't have permission to access the folder. This didn't make sense, since I thought I'd expanded their access rights sufficiently by putting them in a "family" group and giving that group R&W access. So at that point, I concluded that I didn't understand permissions well enough!
  And for this a common group is
  alright, but Mac OS does not do this automatically;
  all files copied there must be changed manually (or
  by a folder action Apple Script, if you know how to
  do this) to this group and have the proper rights
  set.
  That's what I thought I'd done with my "family" group, but that seems to have created more problems that it solved.
  BTW, I would not put admin or root users in this
  common group, again out of caution.
  OK, makes sense.
  And user folders
  should belong to users, not to everyone. Just my
  thinking ...
  Again, what I was basically trying to accomplish was to have all the music files in the Shared folder, but at the same time make it possible for individual users to add music to the Shared folder. Maybe you have some suggestions for how to do that, and for how to revise the permissions I set up, e.g., to put them back to how they were before. If so, many thanks in advance!
  --Eric

• Windows 2008 R2 cross domain shared/security folder permissions

  I have a Windows 2008 R2 server located in the example.com domain.  I have a folder that's shared out and it needs to be accessed by a group of machines that are not in the same domain, they are part of a different domain.
  I made sure to give Everyone FULL Share and FULL NTFS Security permissions but that didn't make any difference.  This used to work fine on Windows 2003 server.  Something must have changed with the way that Windows 2008 handles share/security permissions.
  A temporary workaround is to create a local user on the Windows 2008 R2 server and have the users access the share using those credentials. 
  I need it to work without asking the users for any credentials. 

  Hi,
  Please enable Guest account, assign Everyone group the permission to access the sharing folder and then add the Anonymous SID to the Everyone access
  token.
  To enable anonymous access on a local workstation or server computer
  1.Open Local Security Settings. Click
  Start, click Control Panel, double-click
  Administrative Tools, and then double-click Local Security Policy.
  2.In the console tree, double-click Local Policies, and then click
  Security Options.
  3.In the details pane, right-click
  Network access: Let Everyone permissions apply to anonymous users, and then click
  Properties.
  4.On the Local Security Settings tab, click
  Enabled, and then click OK.
  For more information, please refer to the following Microsoft TechNet article:
  Anonymous user cannot access a shared folder
  http://technet.microsoft.com/en-us/library/cc755781(WS.10).aspx
  Regards,
  Arthur Li
   TechNet
  Subscriber Support 
  If you are
  TechNet Subscription 
  user and have any feedback on our support quality, please send your feedback
  here .
  Arthur Li
  TechNet Community Support