Re: Security permissions





"luv2bike2" <luv2bike2@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:E8DBCD3E-FB58-4537-8F7F-759C8480C64D@xxxxxxxxxxxxxxxx
Just recently my office was switched to our parent company's domain, I
received new servers and a consultant company installed the OS and other apps
on the server, moved over our data from the old server to the new server and
I was told that I will need to set the permissions on the new file server.

Below is a description of how the AD permissions are set on the new server:

At the top of the D: drive, the security permissions are set as follows:
Administrators (server-name\administrators) full control, modify etc.
Creator Owner Special permissions
Everyone Special permissions
System Full control, modify etc
Users (file-server\users) Read & Execute, List Folders Contents, Read and
Special Permissions

There is a folder (I will call Common) on the D: drive and the security
permissions are set as follows:

Administrators (server-name\administrators) full control, modify etc.
Creator Owner Special permissions
System Full control, modify etc
Users (file-server\users) Read & Execute, List Folders Contents, Read and
Special Permissions
(Everyone is not included here)

Under the Common folder there is another folder that I will call "All Files"
and the security permissions are set as follows:
Administrators (server-name\administrators) full control, modify etc.
Creator Owner Special permissions
Everyone Modify, Read & Execute, list folder contents, Read, Write
System Full control, modify etc
Users (file-server\users) Read & Execute, List Folders Contents, Read and
Special Permissions

The problem I have come across is:
users are able to "write" "modify" files in the "All files" directory and
they should only have read & execute, list folders contents and Read at the
top of the "all files" directory. Do the Everyone security permissions
overrule the Users security permissions and give them all but full control?

--
Thank you,


It's not that it "overrules," rather that an account gets what is called an LR (least restrictive) combination of all permissions applied to it within the ACL. So if a user account called "Joe" is part of the Sales Group, and is also part of Everyone by default (as everyone has pointed out so far for you), and Sales has Read & Execute, but Everyone has Full Control, then Joe will get Full Control + Read and Execute as his effective security permissions.

Now if the user is accessing it through a share, then the share permissions within the ACL of the share are also combined using LR to provide the effective share permissions. However, the system will combine the effective Share permissions and the effective Security permissions using the Most Restrictive rule. This means that if Joe has the effective permission of Full Control under the security tab (as outlined above), and his effective share permissions are Read Only, then his overall effective permissions accessing it across the network through the share are Read Only.

I hope that helps.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@xxxxxxxxxxxxxxxxxxxxxxx

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
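
Added example, not part of either post: a small Python model of the two rules described in the reply, run against the "All Files" ACL from the question, that also reports which entry grants more than the intended Read & Execute. The rights bits, the `SHARE` ACL and the `JOE` group set are constructed for illustration; only allow entries are modelled.

```python
from enum import IntFlag

class Rights(IntFlag):
    # Simplified rights bits, constructed for this example (not the real NTFS access mask).
    READ = 1
    EXECUTE = 2
    WRITE = 4
    DELETE = 8
    CHANGE_PERMISSIONS = 16

READ_EXECUTE = Rights.READ | Rights.EXECUTE
MODIFY = READ_EXECUTE | Rights.WRITE | Rights.DELETE
FULL_CONTROL = MODIFY | Rights.CHANGE_PERMISSIONS

def effective(acl, groups):
    """Least-restrictive rule: OR together every allow entry naming a group the account is in."""
    total = Rights(0)
    for trustee, rights in acl:
        if trustee in groups:
            total |= rights
    return total

def over_share(ntfs_acl, share_acl, groups):
    """Most-restrictive rule: only rights allowed by both the share and the folder survive."""
    return effective(ntfs_acl, groups) & effective(share_acl, groups)

def over_granting(acl, groups, intended):
    """Entries that hand the account rights beyond `intended`, with the surplus bits."""
    return [(t, r & ~intended) for t, r in acl if t in groups and r & ~intended]

# "All Files" ACL as listed in the question (Creator Owner's special entry left out).
ALL_FILES = [
    ("Administrators", FULL_CONTROL),
    ("Everyone", MODIFY),
    ("SYSTEM", FULL_CONTROL),
    ("Users", READ_EXECUTE),
]
SHARE = [("Everyone", READ_EXECUTE)]   # constructed: a share that allows Read only
JOE = {"Users", "Everyone"}            # an ordinary account's group memberships

if __name__ == "__main__":
    print("local:", effective(ALL_FILES, JOE))
    print("surplus:", over_granting(ALL_FILES, JOE, READ_EXECUTE))
    print("via share:", over_share(ALL_FILES, SHARE, JOE))
```

The surplus list names the Everyone entry as the source of the write and delete rights, which is the entry to tighten or remove on that folder.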
