RE: Share permissions question




David,
Thank you again. The rights are all assigned to groups. Thought I was
getting off easy with only about fifty groups and fifty or so shares - so far.
Brian

"David Davis" wrote:

> You got it! Welcome to the wonderful world of permissions. Always remember,
> when possible assign rights to groups, not individual users, and to assign
> permissions in a fashion so that they can inherit. I.e., creating lots of
> custom permissions on individual folders can become a nightmare to admin.
>
> Good Luck.
> --
> David Davis [MCSE, CCNA, Security +]
>
>
>
> "BrianB" wrote:
>
> > Looks like I have some work ahead of me removing inherited permissions from
> > the Shares for all the sub-folders of the main folder.
> > I tested giving users Full Control Share permissions to the main folder and
> > confirmed that didn't change their Security Special permissions. But, they
> > could then explore sub-folders they had no assigned Shares to use or even
> > list. This was fixed by unchecking the "Allow inheritable permissions from
> > the parent" option, choosing Copy, and removing the USERS-ofServer group
> > from list of users for the sub-folder Shares.
> > Let me know if I'm way off on this.
> > Thanks for all your help and time!
> >
> > "David Davis" wrote:
> >
> > > Not at all. By setting the NTFS permissions to the required setting, you have
> > > already accomplished this. The "Sharing" permissions are only enforced if a
> > > user accesses the folder via a network share and even then it is applied in
> > > conjunction with the NTFS (Security) settings. The NTFS settings are
> > > absolute, at the file level, and will be enforced either way. For instance,
> > > if you take a folder and set the NTFS permissions to "Read Only" for user "A"
> > > but the Sharing permissions were set to allow user "A" to have full control,
> > > User "A" would only have "Read Only" Access.
> > >
> > > The sharing permissions setting is a legacy, backward compatibility
> > > feature. Back before NTFS the only file system was FAT and FAT32. These
> > > legacy file systems did not allow you to set ACLs on the files themselves.
> > > Therefore when they were shared across the network, there had to be a means
> > > of protecting them. NTFS negates the need for sharing permissions as you can
> > > set the ACL at the file level.
> > > --
> > > David Davis [MCSE, CCNA, Security +]
> > >
> > >
> > >
> > > "BrianB" wrote:
> > >
> > > > David,
> > > > Sorry if I'm being dense and thank you for your time.
> > > > Currently users have only Security Special Permissions (Traverse folder,
> > > > List folder, Read attributes, Read extended attributes, and Read permissions)
> > > > to one main folder. They have Share permissions to certain sub-folders of
> > > > that main folder. Each user has access to between three and seven out of
> > > > about fifty sub-folders. Users should not have the ability to create folders
> > > > at the main folder. Wouldn't giving them the Share permissions suggested
> > > > below let them do that?
> > > > They only need to map to that main folder to enter their particular set of
> > > > sub-folders.
> > > > Thanks
> > > >
> > > > "David Davis" wrote:
> > > >
> > > > > There are two types of permissions: NTFS which is set using the Security tab
> > > > > on the folder properties. These permissions are file level permissions and
> > > > > will always be enforced regardless of how they are accessed. The other
> > > > > > permissions are sharing permissions which are set using the Sharing tab of the
> > > > > folder properties. Sharing permissions only come into play if the folder is
> > > > > being accessed over the network, via a share.
> > > > >
> > > > > To avoid having to manage multiple sets of permissions for shared folders,
> > > > > it is best practice to set sharing permissions to everyone, full control and
> > > > > > set your NTFS permissions to the level of access you desire your users to have.
> > > > > This will ensure that the same set of rules apply no matter which avenue your
> > > > > users take to access.
> > > > > --
> > > > > David Davis [MCSE, CCNA, Security +]
> > > > >
> > > > >
> > > > >
> > > > > "BrianB" wrote:
> > > > >
> > > > > > David,
> > > > > > Sorry, I'm new to AD, wouldn't that give users full rights to the folder?
> > > > > > > They should only be able to look at the list of sub-folders then go to
> > > > > > > the sub-folders they have more extensive permissions to use.
> > > > > > Thanks
> > > > > >
> > > > > > "David Davis" wrote:
> > > > > >
> > > > > > > Are your sharing permissions set to everyone, full control?
> > > > > > > --
> > > > > > > David Davis [MCSE, CCNA, Security +]
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > "BrianB" wrote:
> > > > > > >
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > With the Advanced Security Settings Permissions (Traverse folder, List
> > > > > > > > folder, Read attributes, Read extended attributes, and Read permissions -
> > > > > > > > This folder only) why can't users map to a folder?
> > > > > > > > All inheritable permissions and Replace permission entries are not checked.
> > > > > > > >
> > > > > > > > Users need to map to this folder then choose a sub-folder from a list.
> > > > > > > > Users have Share permissions to use only some of the sub-folders and should
> > > > > > > > not be able to browse or use the sub-folders they do not have other Share
> > > > > > > > permissions to use.
> > > > > > > > Users can map a drive to the sub-folders they have permissions to but we
> > > > > > > > want to map a drive to the main folder so we don't end up mapping multiple
> > > > > > > > drives per user.
> > > > > > > >
> > > > > > > > Thanks
> > > > > > > > BrianB
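
The sub-folder fix described in this thread (uncheck inheritance, choose Copy, remove the broad group), as an added PowerShell example that is not part of the original posts. `$Root` and `$BroadGroup` are hypothetical placeholders; without `-Fix` the script only reports, and it should be run from an elevated session.

```powershell
# Added example: audit, and optionally fix, the NTFS ACLs of each sub-folder
# under one main folder. $Root and $BroadGroup are hypothetical placeholders.
param(
    [string]$Root       = 'D:\Shares\Main',
    [string]$BroadGroup = 'BUILTIN\Users',
    [switch]$Fix
)

Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    $dir = $_
    $acl = Get-Acl -LiteralPath $dir.FullName

    # Allow ACEs that give the broad group access to this sub-folder
    $broad = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $BroadGroup -and
        $_.AccessControlType -eq 'Allow'
    })

    # One report row per sub-folder
    [pscustomobject]@{
        Folder             = $dir.Name
        InheritanceBlocked = $acl.AreAccessRulesProtected
        BroadGroupAces     = $broad.Count
        InheritedFromMain  = @($broad | Where-Object IsInherited).Count
        Rights             = ($broad.FileSystemRights | Sort-Object -Unique) -join '; '
    }

    if ($Fix -and $broad.Count -gt 0) {
        # Same as unchecking inheritance and choosing Copy: protect the ACL
        # (first $true) and keep the inherited ACEs as explicit ones (second $true).
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $dir.FullName -AclObject $acl

        # Re-read so the copied ACEs are explicit, then remove every ACE
        # held by the broad group on this sub-folder.
        $acl = Get-Acl -LiteralPath $dir.FullName
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$BroadGroup)
        Set-Acl -LiteralPath $dir.FullName -AclObject $acl
    }
}
```

Groups that were granted access to a sub-folder explicitly keep it after the fix; only the broad group's entries are removed.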