Re: Share Permissions: Deny behaviour



Hi!

You cannot achieve the required result only with Share permissions without
changing group membership.

HTH

Toni

"JimLad" <jamesdbirch@xxxxxxxxxxx> wrote in message
news:1162575182.141713.154060@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi Toni,

Going back to my scenario (see paragraph 2 of post). I can't see any
way of getting the permissions I want without removing the user from
the group. Can you?

Cheers,

James

T. Uranjek wrote:
Hi!

1. Deny overrides all other permissions (share or NTFS).
2. There are two types of Deny (again, this goes for share and NTFS). The first is
explicit, when you actually select the Deny check box for a specific permission
(it cannot be overridden and should be used with caution). The second is implicit
and can be understood as "lack of (allow) permission". If you do not have
explicit allow permission, then you're stuck with implicit deny.
3. When using combined share and NTFS permissions, the most restrictive
permissions apply.

I cannot comment on your question as I didn't see it, but I would choose
answer with NTFS (not explicit, rather implicit deny).

HTH

Toni

"JimLad" <jamesdbirch@xxxxxxxxxxx> wrote in message
news:1162571414.292859.146600@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi Toni,

Yep, that's what I thought was happening. A bit rubbish I feel. I would
have thought that if you are setting explicit deny change then it would
prevent the user getting anything more than read access. In fact, am I
right in thinking that it's the reverse? It means that the user is
allowed nothing less than Full Control (if he has full control set in a
group somewhere)? If so that seems a bit ridiculous! What is the logic
behind it?

So how does Deny work on NTFS permissions? In the same way? I feel
there is a lack of documentation on exactly what the Deny permissions
do.

So in the scenario I mentioned what is the correct solution? Is the
only way to take the user out of the group, or can you do it with NTFS
Deny permissions somehow?

Cheers,

James


T. Uranjek wrote:
Hi!

Surely I should be able to Deny Change without Denying Read?

If you are talking about explicit Deny, then your answer is "No"!

You can use three different share permissions:
- Read: View files and subdirectories. Execute applications. No changes can
be made.
- Change: Includes read permissions and the ability to add, delete or change
files or subdirectories (includes Read)
- Full Control: Can perform any and all functions on all files and folders
within the share. (includes Change)

You could use implicit deny to prevent users from changing files in shared
folders (explanation: use only Read share permission), OR tighten up security
with NTFS permissions.

HTH

Toni



"JimLad" <jamesdbirch@xxxxxxxxxxx> wrote in message
news:1162556398.353267.159200@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

I've just done an exam and one question on share permissions foxed me.
I don't understand the DENY behaviour.

Scenario: Group Users has Change permissions on a share. For some
reason, we want one of the members of this group John to only have read
permissions on the share. Removing him from the group is not an option.

Is it possible to achieve this with just Share Permissions? I don't
understand the DENY behaviour. When I check the Deny Change box for the
user, it also checks the Deny Read box. I don't know why it does this!
I know that Change has all the permissions of Read in the Allow
behaviour but why would it behave the same way for the Deny behaviour?
Surely I should be able to Deny Change without Denying Read?

Can someone shed some light on this behaviour for me? And also provide
the correct solution?

Cheers,

James
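
Added example (not part of the original thread): a small Python model of the behaviour discussed above, showing why a Deny of the share-level Change permission also removes Read, and how the share and NTFS layers combine. It is a simplification that assumes canonically ordered ACLs (deny entries evaluated before allow entries); the helper names and the sample ACLs are constructed for illustration.

```python
# Access masks behind the three share-permission levels (Windows file rights).
SHARE_READ = 0x001200A9    # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE
SHARE_CHANGE = 0x001301BF  # every Read bit, plus write, append and DELETE
SHARE_FULL = 0x001F01FF    # every Change bit, plus WRITE_DAC, WRITE_OWNER, delete child

# Write-type rights only: write data, append, write EA, write attributes, DELETE.
# A granular NTFS entry can name these without touching any read bit.
NTFS_WRITE_ONLY = 0x2 | 0x4 | 0x10 | 0x100 | 0x10000


def effective(acl, principals):
    """acl is a list of (kind, principal, mask); a denied bit beats any allow."""
    allowed = denied = 0
    for kind, who, mask in acl:
        if who in principals:
            if kind == "deny":
                denied |= mask
            else:
                allowed |= mask
    return allowed & ~denied


def combined(share_acl, ntfs_acl, principals):
    """Over the network, only rights granted by BOTH layers survive."""
    return effective(share_acl, principals) & effective(ntfs_acl, principals)


def level(mask):
    """Name the highest share-style level fully contained in mask."""
    for name, need in (("Full Control", SHARE_FULL),
                       ("Change", SHARE_CHANGE),
                       ("Read", SHARE_READ)):
        if mask & need == need:
            return name
    return "No access"


JOHN = {"John", "Users"}   # John's token: himself plus the Users group
MARY = {"Mary", "Users"}   # constructed second member, for comparison

# Attempt from the thread: explicit Deny Change for John on the share.
SHARE_DENY = [("allow", "Users", SHARE_CHANGE), ("deny", "John", SHARE_CHANGE)]
# Constructed alternative: leave the share alone, deny only write bits on NTFS.
SHARE_PLAIN = [("allow", "Users", SHARE_CHANGE)]
NTFS_OPEN = [("allow", "Users", SHARE_FULL)]
NTFS_DENY_WRITE = [("allow", "Users", SHARE_CHANGE), ("deny", "John", NTFS_WRITE_ONLY)]

if __name__ == "__main__":
    print("Share Deny Change :", level(combined(SHARE_DENY, NTFS_OPEN, JOHN)))
    print("NTFS deny write   :", level(combined(SHARE_PLAIN, NTFS_DENY_WRITE, JOHN)))
```

Because the Change mask is a superset of the Read mask, denying Change at the share denies every Read bit as well, which is why the dialog ticks both boxes.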




