Re: Permissions on a file server- how to reconcile sharing and securit
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Mon, 11 Sep 2006 16:27:47 -0500
"zoombini666" <zoombini666@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DA1B80F6-7B38-473F-9221-B12057AB14DD@xxxxxxxxxxxxxxxx
Hey, I'm a newbie sysadmin for a small file server, and I can't figure out
how to get the permissions the way I want them.
I'm sharing various folders on a drive on the network, and I want users to
have read-only access to everything except their own folder.
The problem is, that users can't edit anything at all (even if I
explicitly
give them full control under the security tab) unless I give everyone full
control under the sharing tab.
That is correct. The Share permission refer to the MAXIMUM that
a user/group can do to ALL file on that share but say nothing about
what they can actually do to a SPECIFIC file which is done with
NTFS permissions (on the file system using Explorer etc.).
You must have "enough" permission in BOTH places.
But if that's checked, then I can't restrict
write access on individual folders using security.
Sure you can: Just give EACH person (or group) the permissions
they need in that directory tree, or even on a SPECIFIC file, and
set the Share permissions to "enough".
Change on the share might work unless you want people (including
Admins) to be able to perform security modifications (perms, auditing,
and ownership) through the share connection.
If you need to allow (some) to do those security operations then you
need Full Control on the SHARE for that user/group.
The only solution that I
can see right now is to create a seperate group for each user and manually
restrict control on all folders,
No, that is (perhaps now) the way to do it, although for individual
users' folders you can break the normal rule of using groups and just
give the permission directly (since there is no sense in a group for
'Jane' if no one will EVER be added to it -- this is different from a
group for "BookKeepers" even though 'Jane' might be the only
bookkeeper today, as someday you may hire her an assistance or
want to swap out bookkeepers.)
but that's horribly impractical. How can I
get this to work?
Originally, the idea would have been to create every parent folder
so that "Full Control" was granted to ALL new objects on the NTFS
file system, then you let the users create there own stuff and they
automatically get that Full Control.
You can possibly fix it now by using that Full Controll for "Creator-Owner"
(judiciously.)
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Thanks,
-Matt
.
- Prev by Date: Re: Cannot validate trust - 2 forests
- Next by Date: Re: Logging OU movement
- Previous by thread: Re: Permissions on a file server- how to reconcile sharing and securit
- Next by thread: Re: Permissions on a file server- how to reconcile sharing and securit
- Index(es):
Relevant Pages
|
