Re: Groups and Folder Access
From: Herb Martin (news_at_LearnQuick.com)
Date: 12/29/04
- Next message: nospam_at_nospam.com: "AD with SFU and NIS"
- Previous message: Dean Wells [MVP]: "Re: Tomstone Life AD (New Tiwst That can not fine)"
- In reply to: ebferro: "Groups and Folder Access"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 28 Dec 2004 18:23:12 -0600
"ebferro" <ebferro@discussions.microsoft.com> wrote in message
news:E4D30101-0D72-48BC-B31F-7102A930DFC4@microsoft.com...
> I'm new to active directory and am sure this is a simple question but I
can't
> seem to find the answer anywhere. So, please forgive my ignorance.
If people didn't know the answers no one would ever
ask very much and this would be a very boring group.
<grin>
> When I create a user in my domain, the user becomes a member of the domain
> users group. If I want to grant this user access to only one folder on a
> file share in the domain, I thought I'd create a group called MDR2000 that
> would have access to the MDR2000 file share only.
Good.
> I can create the group
> just fine. However, when I go to the folder and attempt to give the group
> access to the folder, the system explains that MDR2000 belongs to an other
> group that has no priveleges to the file share and therefore even though I
> grant priveleges to the MDR2000 group, the deny priveleges that are
attached
> to the other group, which I presume is users, will still be in effect.
Not exactly.
First, although it is common terminology these days,
using the word "Folder" when discussing Permissions
is NOT a good way to discuss or even think about them.
Instead use "Share" (or "File Share") when you speak of
offering a resource on the network and use "Directory"
and File permissions when speaking of the NTFS permissions
on each such item (you can also say, "Share" and "NTFS"
permissions but it is IMPORTANT to separate the two
concepts because they are different and lead to confusion
if you confound them.)
Granting permissions to the directories and files (NTFS) is
one step, and granting permissions to the Share (if you need
network access) is a separate step.
Granting permissios to ONE GROUP does nothing to affect
the permissions given to another group -- they are cumulative
-- UNLESS one of the groups DENIES access.
So if you Deny "Users" you cannot grant access to (virtually)
anyone, even admins. But if you give (positive) permissions
to a group, and then to another group, then member of either
group get precisely what you grant -- or the combination if
they are members of both.
BTW:
"explains ....belongs to another group" -- makes no sense
as there is no such dialog or error to my knowledge. Be
very explcit about where you see this, when, and the speficic
wording.
> How
> do I grant priveleges to the MDR2000 file share to the MDR2000 group only?
Just do it and use NO "Deny" permissions.
Now the members will have permission to the share
in GENERAL but no actual permissions to any file or
directory (NTFS) on that share UNLESS you have also
given those NTFS permissions to them through the same
or another group to which they belong.
> Thanks in advance for any help that can be offered.
You can even call me if you are completely confused.
My phone is on my web site: www.LearnQuick.Com
(Just remind me when you do that.)
- Next message: nospam_at_nospam.com: "AD with SFU and NIS"
- Previous message: Dean Wells [MVP]: "Re: Tomstone Life AD (New Tiwst That can not fine)"
- In reply to: ebferro: "Groups and Folder Access"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
