Re: share level & ntfs permissions



Hello,

Thank you for your reply!

Based on my research, the Effective Permissions tool only produces an
approximation of the permissions that a user has. The actual permissions
the user has may be different, since permissions can be granted or denied
based on how a user logs on. This logon-specific information cannot be
determined by the Effective Permissions tool, since the user is not logged
on; therefore, the effective permissions it displays reflect only those
permissions specified by the user or group and not the permissions
specified by the logon.

For example, if a user is connected to this computer via a file share, then
the logon for that user is marked as a network logon. Permissions can be
granted or denied to the well-known security ID (SID) Network which the
connected user receives, so a user has different permissions when logged on
locally than when logged on over a network.

I have performed a test on my side and I cannot reproduce the issue. It
works fine. You may refer to the following:

1. Create a new account TEST in Windows 2k3 AD.
2. Create a folder named Testing on the Windows 2K3 DC.
3. Grant READ share permission and FULL Control NTFS permission to the
folder Testing.
4. Log on with TEST from an XP workstation in the domain. I can access the
Testing folder from My Network Places and attempt to create a folder. It
receives "unable to create the folder 'XXX' Access is denied", though the
effective permissions display FULL Control on the TEST account.

At this point I suggest you double check the read permission of the shared
folder below:

Click Run in the Start Menu and type CMD.
Type "net share sharename" (sharename is the shared folder on the DC).
Please verify whether the user only has READ permission. I suggest you reshare
the folder and grant the share permission on the folder.

If there is anything that is unclear, please feel free to let me know.

Best Regards,

Jason Tan

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------
| From: "John Smith" <someone@xxxxxxxxxxxxx>
| References: <OQQK91jRGHA.5924@xxxxxxxxxxxxxxxxxxxx>
|  <epw3xPkRGHA.4976@xxxxxxxxxxxxxxxxxxxx>
|  <#g1IqUoRGHA.6940@xxxxxxxxxxxxxxxxxxxxx>
|  <ufB8NksRGHA.5108@xxxxxxxxxxxxxxxxxxxx>
|  <eKrE6WvRGHA.2088@xxxxxxxxxxxxxxxxxxxx>
| Subject: Re: share level & ntfs permissions
| Date: Mon, 13 Mar 2006 19:20:23 -0800
| Lines: 184
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
| X-RFC2646: Format=Flowed; Original
| Message-ID: <e5iYmXxRGHA.1096@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.file_system
| NNTP-Posting-Host: ip68-224-56-121.lv.lv.cox.net 68.224.56.121
| Path: TK2MSFTNGXA03.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
| Xref: TK2MSFTNGXA03.phx.gbl microsoft.public.windows.file_system:8361
| X-Tomcat-NG: microsoft.public.windows.file_system
|
| It's the only share on the whole server, and I didn't click on the tab New
| Share (under Sharing and Security).
|
| "Pegasus (MVP)" <I.can@xxxxxxx> wrote in message
| news:eKrE6WvRGHA.2088@xxxxxxxxxxxxxxxxxxxxxxx
| >I suspect that you're sharing your folder twice: Once with
| > restricted permissions, once with full permissions. Depending
| > on which share you use, you have restricted access or full
| > access. This would not be an OS vulnerability but a trap of
| > your own making.
| >
| >
| > "John Smith" <someone@xxxxxxxxxxxxx> wrote in message
| > news:ufB8NksRGHA.5108@xxxxxxxxxxxxxxxxxxxxxxx
| >> Jason: thanks for your reply. It has all the info that you posted in the
| >> book (damn, you're good ;-) ) and I read it 100 times but still wasn't
| >> able to get it to work. UNTIL...
| >>
| >> Pegasus: I think I found the problem. Listen to this... I MAPPED the
| >> network drive and when I tried to delete one of the folders inside the
| >> directory I WAS UNABLE to. The share and NTFS permissions started to
| >> combine. HOWEVER when I accessed the share through MY NETWORK
| >> PLACES/ENTIRE NETWORK/MYDOMAIN/THESERVER/THESHARE I was able to delete
| >> anything. Do you think this is an OS vulnerability?
| >>
| >>
| >> "Jason Tan (MSFT)" <v-jasont@xxxxxxxxxxxxxxxxxxxx> wrote in message
| >> news:%23g1IqUoRGHA.6940@xxxxxxxxxxxxxxxxxxxxxxxx
| >> > Hello,
| >> >
| >> > Thanks for posting!
| >> >
| >> > Share access permissions are combined from any permissions that are
| >> > granted directly to the user and those that are granted to any groups
| >> > of which the user is a member. For example, assume that the user named
| >> > Frank is a member of both the Accounting group and the Managers group.
| >> > On one shared folder, Frank has Read permission, and the Accounting
| >> > group has Change permission. Because Frank is also a member of the
| >> > Accounting group, his effective permissions are Read and Change.
| >> >
| >> > The exception to this rule is if there is an explicit Deny permission
| >> > on the folder or file. This occurs because Deny permissions are
| >> > enumerated first when Windows determines whether or not a particular
| >> > user can perform a particular task. For example, if Frank is a member
| >> > of a group that has Deny selected for the Read permission, he cannot
| >> > read the file or folder, even if other permissions allow him to do so.
| >> > Therefore, you should avoid using explicit Deny permissions (that is,
| >> > do not click to select a check box in the Deny column) unless there is
| >> > no other way to get the specific level of permissions that you need.
| >> >
| >> > Share permissions and the file and folder permissions that can be
| >> > applied to resources on a drive that uses the NTFS file system are both
| >> > applied if a user connects to a shared resource over the network. If
| >> > the share permissions appear as if they should allow for a particular
| >> > level of access, but the user experiences problems actually achieving
| >> > that level of access, check the file and folder permissions to make
| >> > sure that they do not prevent access.
| >> >
| >> > Please refer to the following article for detailed information
| >> >
| >> > How To Share Files and Folders over the Network in a Windows Server
| >> > 2003 Domain Environment
| >> > <http://support.microsoft.com/default.aspx?scid=kb;EN-US;324267>
| >> >
| >> > Hope the information helps. If there is anything that is unclear,
| >> > please feel free to let me know.
| >> >
| >> > Best Regards,
| >> >
| >> > Jason Tan
| >> >
| >> > Microsoft Online Partner Support
| >> > Get Secure! - www.microsoft.com/security
| >> >
| >> > =====================================================
| >> >
| >> > When responding to posts, please "Reply to Group" via your newsreader
| >> > so that others may learn and benefit from your issue.
| >> >
| >> > =====================================================
| >> > This posting is provided "AS IS" with no warranties, and confers no
| >> > rights.
| >> >
| >> >
| >> >
| >> > --------------------
| >> > | From: "Pegasus \(MVP\)" <I.can@xxxxxxx>
| >> > | References: <OQQK91jRGHA.5924@xxxxxxxxxxxxxxxxxxxx>
| >> > | Subject: Re: share level & ntfs permissions
| >> > | Date: Mon, 13 Mar 2006 13:15:03 +1100
| >> > | Lines: 38
| >> > | X-Priority: 3
| >> > | X-MSMail-Priority: Normal
| >> > | X-Newsreader: Microsoft Outlook Express 6.00.2800.1506
| >> > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
| >> > | Message-ID: <epw3xPkRGHA.4976@xxxxxxxxxxxxxxxxxxxx>
| >> > | Newsgroups: microsoft.public.windows.file_system
| >> > | NNTP-Posting-Host: 220-253-11-44.vic.netspace.net.au 220.253.11.44
| >> > | Path: TK2MSFTNGXA03.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
| >> > | Xref: TK2MSFTNGXA03.phx.gbl microsoft.public.windows.file_system:8347
| >> > | X-Tomcat-NG: microsoft.public.windows.file_system
| >> > |
| >> > |
| >> > | "John Smith" <someone@xxxxxxxxxxxxx> wrote in message
| >> > | news:OQQK91jRGHA.5924@xxxxxxxxxxxxxxxxxxxxxxx
| >> > | > Hi all,
| >> > | > I'm attempting to do my lab but I've run into a problem with Share
| >> > | > Level and NTFS File permissions.
| >> > | >
| >> > | > Here's my setup
| >> > | > 1. One domain, with one domain controller that hosts DNS, DHCP, and
| >> > | > File Server Services (Contoso.Com).
| >> > | > 2. One XP PRO SP2 Client Machine
| >> > | >
| >> > | > Now the book says, "Share level permissions should be used in
| >> > | > conjunction with NTFS permissions, not instead of them. The 2
| >> > | > levels of security work together. Users who access the share will
| >> > | > have a combination of the more restrictive permissions that have
| >> > | > been set."
| >> > | >
| >> > | > I set up my Test user account with a share level permission of
| >> > | > Read, and the NTFS file permission Full Control. When I log in to my
| >> > | > domain from the XP Pro client, and access the resource, I'm still
| >> > | > able to delete and change anything in the folder when I should only
| >> > | > be allowed to read. Inheritance is set up properly, but the
| >> > | > effective permissions show FULL Control for the resource that I'm
| >> > | > trying to access for the test user account. What am I doing wrong
| >> > | > ??
| >> > |
| >> > | I don't know what book you quote but most sysadmins will
| >> > | set the share permissions to "Full Control" for everyone and
| >> > | set appropriate NTFS permissions. I see no advantage in
| >> > | having two permission schemes that will possibly contradict
| >> > | each other. Furthermore, NTFS permissions are so much more
| >> > | powerful than share permissions!
| >> > |
| >> > |
| >> > |
| >> >
| >>
| >>
| >
| >
|
|
|
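
The rules discussed in this thread, as an added example that is not part of any poster's message: a simplified Python model of how share and NTFS permissions combine for a network logon, why a local logon differs, and why an offline estimate can miss a NETWORK-specific entry. The right names, function names and ACLs are constructed for illustration; real Windows evaluates ordered ACEs against access masks.

```python
# Simplified model of share + NTFS evaluation (constructed names and rights).
READ = frozenset({"read"})
CHANGE = READ | {"write", "delete"}
FULL = CHANGE | {"change_permissions"}

def granted(acl, token):
    """Rights an ACL gives a token: allows accumulate over every matching
    trustee, and any matching deny overrides them."""
    allow, deny = set(), set()
    for kind, trustee, rights in acl:
        if trustee in token:
            (allow if kind == "allow" else deny).update(rights)
    return allow - deny

def logon_token(user, groups=(), network=False):
    """Identities in the logon token; NETWORK exists only for network logons."""
    token = {user, "Everyone", *groups}
    if network:
        token.add("NETWORK")
    return token

def effective(share_acl, ntfs_acl, user, groups=(), network=True):
    """Over the network both ACLs must allow a right; locally only NTFS applies."""
    token = logon_token(user, groups, network)
    ntfs = granted(ntfs_acl, token)
    return ntfs & granted(share_acl, token) if network else ntfs

def effective_permissions_tab(ntfs_acl, user, groups=()):
    """What an offline estimate sees: NTFS only, no logon-specific SIDs."""
    return granted(ntfs_acl, logon_token(user, groups, network=False))

# Constructed ACLs mirroring the thread: share Read, NTFS Full Control for TEST.
SHARE_READ = [("allow", "TEST", READ)]
NTFS_FULL = [("allow", "TEST", FULL)]
# Frank's case: Read directly, Change through the Accounting group.
SHARE_FRANK = [("allow", "Frank", READ), ("allow", "Accounting", CHANGE)]
# NTFS ACL that denies write/delete to the NETWORK identity.
NTFS_DENY_NET = [("allow", "TEST", FULL), ("deny", "NETWORK", {"write", "delete"})]

if __name__ == "__main__":
    print("network:", sorted(effective(SHARE_READ, NTFS_FULL, "TEST")))
    print("local:  ", sorted(effective(SHARE_READ, NTFS_FULL, "TEST", network=False)))
    print("tab:    ", sorted(effective_permissions_tab(NTFS_FULL, "TEST")))
```

In this model the offline estimate reports Full Control for TEST in both NTFS ACLs, while the network result is limited by the share ACL in the first case and by the NETWORK deny entry in the second.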
