Re: Share Permissions: Deny behaviour

Hi Toni,

Yep, that's what I thought was happening. A bit rubbish I feel. I would
have thought that if you are setting explicit deny change then it would
prevent the user getting anything more than read access. In fact, am I
right in thinking that it's the reverse? It means that the user is
allowed nothing less than Full Control (if he has full control set in a
group somewhere)? If so that seems a bit ridiculous! What is the logic
behind it?

So how does Deny work on NTFS permissions? In the same way? I feel
there is a lack of documentation on exactly what the Deny permissions
do.

So in the scenario I mentioned what is the correct solution? Is the
only way to take the user out of the group, or can you do it with NTFS
Deny permissions somehow?

Cheers,

James


T. Uranjek wrote:
Hi!

Surely I should be able to Deny Change without Denying Read?

If you are talking about explicit Deny, then your answer is "No"!

You can use three different share pemissions:
- Read: View files and subdirectories. Execute applications. No changes can
be made.
- Change: Includes read permissions and the ability to add, delete or change
files or subdirectories (includes Read)
- Full Control: Can perform any and all functions on all files and folders
within the share. (includes Change)

You could use implicit deny to prevent users from changing files in shared
folders (explanation: use only Read share pemission), OR tighten up security
with NTFS permissions.

HTH

Toni



"JimLad" <jamesdbirch@xxxxxxxxxxx> wrote in message
news:1162556398.353267.159200@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

I've just done an exam and one question on share permissions foxed me.
I don't understand the DENY behaviour.

Scenario: Group Users has Change permissions on a share. For some
reason, we want one of the members of this group John to only have read
permissions on the share. Removing him from the group is not an option.

Is it possible to achieve this with just Share Permissions? I don't
understand the DENY behaviour. When I check the Deny Change box for the
user, it also checks the Deny Read box. I don't know why it does this!
I know that Change has all the permissions of Read in the Allow
behaviour but why would it behave the same way for the Deny behaviour?
Surely I should be able to Deny Change without Denying Read?

Can someone shed some light on this behaviour for me? And also provide
the correct solution?

Cheers,

James


.

Relevant Pages

  • Re: how to restrict users to search in their own Organizational Unit
    ... I also want to say that in fact you shouldn't deny the read permission to anyone and this scenario the MOSS Administrators or who is responsible for Add users to Your Sites should be carefull when performing this action. ... Now, because you're dealing with many users, my recommendation is to create THE NECESARY Security Groups in each OU and related them with your MOSS2007 existing security groups, in future when someone creates some user, you just have to add that user to the necessary group and that user will be given the necessary permissions. ... decided a script can make it possible to accomplish, ... > If I need to create a security group per OU and then add all users ...
    (microsoft.public.windows.server.active_directory)
  • Re: Share Permissions: Deny behaviour
    ... Deny overrides all other permissions. ... There are two types of Deny (again goes for share and NTFS). ... explicit allow permission, then you're stuck with implicit deny. ...
    (microsoft.public.windows.server.general)
  • Re: how to restrict users to search in their own Organizational Unit
    ... decided a script can make it possible to accomplish, ... You could also TRY removing the "Authenticated Users" ... Domain level since using a lot of DENY ... permissions is in and of itself a poor practice. ...
    (microsoft.public.windows.server.active_directory)
  • Re: NTFS Security Question.
    ... I was not sure that deleting the special permissions would work but you ... Since Windows 2000 deny NTFS permission does not work ... originally configured "closer" to the object in the chain of folders. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Share Permissions: Deny behaviour
    ... Deny overrides all other permissions. ... There are two types of Deny (again goes for share and NTFS). ... explicit allow permission, then you're stuck with implicit deny. ...
    (microsoft.public.windows.server.general)