Re: share level & ntfs permissions



Sorry, I overlooked this in your report.

I set up a share on my Win2003 SBS server the way you report
you set it up on your machine. Here are the details:

=======================
Output from the command "net share test"
Share name test
Path c:\temp
Remark
Maximum users No limit
Users
Caching Manual caching of documents
Permission LOCKD\GSkare, READ
=======================
Output from the command "cacls c:\temp"
C:\Temp BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:F
CREATOR OWNER:(OI)(CI)(IO)F
LOCKD\GSkare:(OI)(CI)F
=======================
Output from the command "net user GSkare"
User name GSkare
Full Name
Comment Test User
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never

Password last set 10/03/2006 20:17
Password expires 21/04/2006 20:17
Password changeable 10/03/2006 20:17
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 10/03/2006 20:24

Logon hours allowed All

Local Group Memberships
Global Group memberships *Domain Users

=======================

I then logged on to a network machine as GSkare, mapped drive Q:
to the server share Test and issued a number of commands. Here is
a screen shot.

Q:\>net use
New connections will be remembered.
Status Local Remote Network
-------------------------------------------------------------------------------
OK Q: \\lock\test Microsoft Windows Network
The command completed successfully.

Q:\>dir *.txt
Volume in drive Q is "Server C:"
Volume Serial Number is 08C5-230B
Directory of Q:\
13/03/2006 05:11 PM 513 Spam.txt
23/02/2006 06:23 PM 2,426 test.txt
2 File(s) 2,939 bytes
0 Dir(s) 2,431,115,264 bytes free

Q:\>echo This is a test > test1.txt
Access is denied.

Q:\>del test.txt
Q:\test.txt
Access is denied.

In other words, I found exactly what I expected:
- Read access: Yes
- Write access: No
If your machine behaves differently then there is something
wrong somewhere. What it is I cannot find out remotely.
You may have to perform some detective work! Perhaps
your test user is a little more than a test user . . .


"John Smith" <someone@xxxxxxxxxxxxx> wrote in message
news:uRwHO7lRGHA.4384@xxxxxxxxxxxxxxxxxxxxxxx
is this not it:

Share name Engineering
Path C:\Admin Tools\Engineering
Remark Testing Permissions
Maximum users 10
Users
Caching Manual caching of documents
Permission BORREROFAMILY\test, READ

The command completed successfully.



"Pegasus (MVP)" <I.can@xxxxxxx> wrote in message
news:Obhtp4lRGHA.5656@xxxxxxxxxxxxxxxxxxxxxxx
You omitted the most important bit: The output from the
net share command!


"John Smith" <someone@xxxxxxxxxxxxx> wrote in message
news:%23DKX2ylRGHA.792@xxxxxxxxxxxxxxxxxxxxxxx
Here is the output for net user:
User name test
Full Name test
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never

Password last set 3/12/2006 8:58 PM
Password expires Never
Password changeable 3/12/2006 8:58 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/12/2006 5:15 PM

Logon hours allowed All

Local Group Memberships
Global Group memberships *Domain Users
The command completed successfully.


here is the output for cacls:
c:\admin tools\Engineering BORREROFAMILY\oborrero:(OI)(CI)F
BORREROFAMILY\test:(OI)(CI)F

and here is the output for net share:
Share name Engineering
Path C:\Admin Tools\Engineering
Remark Testing Permissions
Maximum users 10
Users
Caching Manual caching of documents
Permission BORREROFAMILY\test, READ

The command completed successfully.




"Pegasus (MVP)" <I.can@xxxxxxx> wrote in message
news:OTtdhOlRGHA.3052@xxxxxxxxxxxxxxxxxxxxxxx
Let's have a look at your settings! Start a command prompt
on your server and type these commands:

net share xxx > c:\test.txt
cacls "d:\Shares\yyy" >> c:\test.txt
net user %UserName% >> c:\test.txt

Replace xxx with the name of your problem share and
d:\Shares\yyy with the path to that share. Now paste
the contents of c:\test.txt into your reply!

Note that the "net share" command will return permission information
under Windows 2003 only but not under other versions of Windows.


"John Smith" <someone@xxxxxxxxxxxxx> wrote in message
news:O736j4kRGHA.4920@xxxxxxxxxxxxxxxxxxxxxxx
It also says that, but I just wanted to see if they really apply the most
restrictive permissions when you combine them. It's not doing it, so I'm
just trying to get it to run.

"Pegasus (MVP)" <I.can@xxxxxxx> wrote in message
news:epw3xPkRGHA.4976@xxxxxxxxxxxxxxxxxxxxxxx

"John Smith" <someone@xxxxxxxxxxxxx> wrote in message
news:OQQK91jRGHA.5924@xxxxxxxxxxxxxxxxxxxxxxx
Hi all,
I'm attempting to do my lab but I've run into a problem with Share Level
and NTFS File permissions.

Here's my setup
1. One domain, with one domain controller that hosts DNS, DHCP, and File
Server Services (Contoso.Com).
2. One XP PRO SP2 Client Machine

Now the book says, "Share level permissions should be used in conjunction
with NTFS permissions, not instead of them. The 2 levels of security work
together. Users who access the share will have a combination of the more
restrictive permissions that have been set."

I set up my Test user account with a share level permission of Read, and
the NTFS file permission Full Control. When I log in to my domain from the
XP Pro client, and access the resource I'm still able to delete, and change
anything in the folder when I should only be allowed to read. Inheritance
is set up properly, but the effective permissions show FULL Control for the
resource that I'm trying to access for the test user account. What am I
doing wrong??

I don't know what book you quote but most sysadmins will
set the share permissions to "Full Control" for everyone and
set appropriate NTFS permissions. I see no advantage in
having two permission schemes that will possibly contradict
each other. Furthermore, NTFS permissions are so much more
powerful than share permissions!
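
Added example, not part of any post in this thread: a small Python model of the rule being tested, run over the "net share" and "cacls" output quoted in the first reply. Access through the share is the intersection of share and NTFS rights, while local access consults the NTFS ACL only. Assumptions: the right sets are simplified, only allow ACEs with the plain cacls letters are handled, and the group name LOCKD\Domain Users is inferred from the "net user" output.

```python
import re

# Simplified right sets for the share levels and the cacls letters (assumption).
READ = {"read"}
CHANGE = READ | {"write", "delete"}
FULL = CHANGE | {"change_acl"}
SHARE_LEVELS = {"READ": READ, "CHANGE": CHANGE, "FULL": FULL}
CACLS_LETTERS = {"R": READ, "W": {"write"}, "C": CHANGE, "F": FULL}

def share_rights(net_share_out, principals):
    """Union of share-level rights that 'net share' lists for the principals."""
    names = {p.lower() for p in principals}
    rights = set()
    for line in net_share_out.splitlines():
        m = re.match(r"(?:Permission\s+)?(.+?),\s*(READ|CHANGE|FULL)\s*$", line.strip())
        if m and m.group(1).lower() in names:
            rights |= SHARE_LEVELS[m.group(2)]
    return rights

def ntfs_rights(cacls_out, path, principals):
    """Union of allow ACEs on the folder itself; inherit-only (IO) ACEs are skipped."""
    names = {p.lower() for p in principals}
    rights = set()
    for line in cacls_out.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # cacls prefixes the first ACE with the path
        name, _, ace = line.rpartition(":")
        flags = re.findall(r"\((\w+)\)", ace)
        if name.lower() in names and "IO" not in flags and ace[-1:] in CACLS_LETTERS:
            rights |= CACLS_LETTERS[ace[-1:]]
    return rights

def effective(net_share_out, cacls_out, path, principals, via_share=True):
    """Network access is NTFS AND share; local access never consults the share ACL."""
    ntfs = ntfs_rights(cacls_out, path, principals)
    return ntfs & share_rights(net_share_out, principals) if via_share else ntfs

# Output copied from the first reply in the thread (share "test", user GSkare).
NET_SHARE = r"""Share name test
Path c:\temp
Permission LOCKD\GSkare, READ"""
CACLS = r"""C:\Temp BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:F
CREATOR OWNER:(OI)(CI)(IO)F
LOCKD\GSkare:(OI)(CI)F"""
USER = {r"LOCKD\GSkare", r"LOCKD\Domain Users"}  # group name is an assumption
```

Calling effective(NET_SHARE, CACLS, r"c:\temp", USER) models access through the mapped drive; passing via_share=False models the same user opening c:\temp directly on the server.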
