RE: Need help understanding file rights



On a general basis when I have created shares for this purpose, I set the
Network Share rights to "Change" for Authenticated Users and remove
Everyone. On the NTFS settings the root directory containing your user folders
is set to "Read & Execute". Each directory for the user would then be set to
"modify" for the appropriate username. If you want them to also be able to
grant access to other users then set the NTFS permission to "Full Control".

In most cases the least restrictive permission will apply, unless the
permission level is set to "DENY". This is the first item checked in the
Access Control List (ACL) and if set no further permissions are checked.

I usually allow Admin access as "full control" first and then set the other
permissions. When you uncheck the "Allow inheritable permissions.." you will
get a prompt to copy the current set of permissions. So set any permissions
that will apply to the entire directory tree first.

"Patrick Hunter" wrote:

> I'm having some trouble understanding how Windows server does file rights. I
> created a share and then created department and user home directories under
> it. I created users and they had full rights to their home directory,
> however, they were read-only. Then I read that I needed to grant full control
> to everyone to the share itself. However, this opened up the directories so
> that everyone could write to wherever they wanted. My understanding is that I
> now need to adjust NTFS rights to provide full access to user's home
> directories and nowhere else (Who came up with this system? Novell does it so
> much better). Unfortunately, I don't have a clue how to do that correctly. I
> look at the security tab for the folders, and I see a number of different
> system groups listed there with various rights. I don't know what to add or
> remove to the various directories. What I want is to allow users full access
> to their home directories only and still be able to backup the server.
> Unfortunately, there doesn't seem to be a guide anywhere that can help me
> with this task. If anybody could assist me, I would greatly appreciate it.
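
The layout described in the reply above, scripted as an added example (not part of the original thread or written by either poster). It assumes a server that has the SmbShare cmdlets and icacls; the path D:\Home, share name Home, domain CONTOSO and users alice and bob are placeholders, and limiting the root's Read & Execute entry to the root folder itself is a choice made here so that users cannot read each other's folders.

```powershell
# Added example: home-directory share with share-level "Change" and
# per-user NTFS "Modify". All names below are placeholders (assumptions).
$root   = 'D:\Home'
$share  = 'Home'
$domain = 'CONTOSO'
$users  = 'alice', 'bob'

New-Item -ItemType Directory -Path $root -Force | Out-Null

# Share level: "Change" for Authenticated Users, no entry for Everyone.
if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $share -Path $root -ChangeAccess 'Authenticated Users' | Out-Null
}
Revoke-SmbShareAccess -Name $share -AccountName 'Everyone' -Force `
    -ErrorAction SilentlyContinue | Out-Null

# NTFS root: grant administrators and SYSTEM Full Control first, so the
# tree stays manageable once inheritance from the parent is cut.
icacls $root /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# Drop ACEs inherited from the parent. (The GUI prompt mentioned above offers
# to copy them instead; that corresponds to /inheritance:d.)
icacls $root /inheritance:r

# Read & Execute on the root folder only (no OI/CI flags), so users can
# reach their own folder but the entry is not inherited by the subfolders.
icacls $root /grant:r 'NT AUTHORITY\Authenticated Users:(RX)'

# Per-user folders: Modify for the owner, inherited by files and subfolders.
# Use F instead of M only if the user should be able to change permissions.
foreach ($u in $users) {
    $dir = Join-Path $root $u
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    icacls $dir /grant:r "${domain}\${u}:(OI)(CI)M"
}

# Review the result: share ACL, then the NTFS ACL on the root and each folder.
Get-SmbShareAccess -Name $share
icacls $root
foreach ($u in $users) { icacls (Join-Path $root $u) }
```

A user connecting over the network ends up with the more restrictive of the share and NTFS permissions, so "Change" on the share combined with "Modify" on their own folder gives write access there and read-only traversal at the root.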