Re: Need help with Shared drives and permissions

I believe by "default" at the root C:\ the permissions should be

Administrators - FULL
SYSTEM - FULL
Everyone - Special (Usually have Traverse and Read)
CREATOR OWNER - Special (Usually have Traverse and Read)
Users (local machine name) - READ or Special

Personally myself I edit the root. I remove Users and give Everyone - List
only. Reason being I just need for everyone to able to traverse down the
heiarchy. I also add Backup Operators - FULL at the root for obvious
reasons. I turn on "Inheritance" at the root as I do want all the above at
every level. Now when I get to a sub folder where it is strictly
confidential then of course I do not want Everyone to be able to just
traverse through that folder yet alone be able to view or see the folders.
At that point I turn off "Inheritance", copy the permissions and remove or
add at that point and turn on inheritance to all child objects down.
It's pretty much simple. You need to decide at each level whether or not you
need inheritance and where to turn it off.


"BrianG" <decc@xxxxxxxxxxx> wrote in message
news:1180639761.169395.140470@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On May 31, 12:48 pm, "AllenM" <B...@xxxxxxxxxxxxxxx> wrote:
Incorrect Brian. I think you are misunderstanding how "inheritance" works
and can be applied. If you check a sub folder and see that it is
inheriting
permissions from the parent folder yet on that sub folder you see a group
that wasn't listed in the parent folder that is ok. I can have a sub
folder
that inherits permissions from a parent folder and add a user or group.
This
user or group will not show in the parent folder because it is not
listed.
Now from this sub folder I can add a user or a group to lower sub folder
turn off inheritance and they will not show in the parent folder or the
first sub folder. Maybe I'm misunderstanding you but from what I read in
your last post I believe I explained what you are seeing.

C:\ Administrators - FULL, SYSTEM - FULL, Backup Operators - FULL,
Everyone - Special (Usually have Traverse and Read) These groups should
be
inherited to all Child Objects.

Sub Level 1 Folder: Administrators - FULL, SYSTEM - FULL, Backup
Operators - FULL, Everyone - Special (Usually have Traverse and Read)
<---
inherited from Parent Folder (C:)
Now from here I add DOMAIN/Test UsersAA- Modify. All permissions
are
still inherited to all Child Objects

Sub Level II Folder: Administrators - FULL, SYSTEM - FULL,
Backup Operators - FULL, Everyone - Special (Usually have Traverse and
Read), <--- inherited from Parent Folder (C:), DOMAIN/Test UsersAA-
Modify
<---- inherited from Sub Level I folder.
Now at this level let's say I do not want the DOMAIN/Test
Users
AA to have access to this Sub Level II folder yet I need to have
DOMAIN/TEST
UsersBB to have modify access here. I turn off inheritance. Copy the
inheritant permissions. Remove the DOMAIN/Test UsersAA group
and
Everyone - Special (Usually have Traverse and Read), <--- inherited from
Parent Folder (C:) and add the DOMAIN/TEST UsersBB. I turn on inheritance
to
all "child objects".
So now from this point on down permissions look like

Administrators - FULL, SYSTEM - FULL, Backup Operators -
FULL,
DOMAIN/Test UsersBB- Modify

"BrianG" <d...@xxxxxxxxxxx> wrote in message

news:1180619826.337726.205710@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

On May 30, 3:48 pm, "AllenM" <B...@xxxxxxxxxxxxxxx> wrote:
You can find the source of the inheritance from checking the NTFS
permissions on the folder. If the option to change the permissions are
greyed out then that folder is inheriting. By default all folders
inherit.
You need to decide at what level you need to turn off inheritance.
Note:
You
should copy all inheritance before turning it off because most folders
do
need to inherit from the root.

"BrianG" <d...@xxxxxxxxxxx> wrote in message

news:1180548515.342192.146160@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I can't find the source of some inherited permissions to folders
located in D:. I thought maybe it was from the sharing of D: but
further digging shows that not to be the case. Is there a utility
that can print out or show in graphical terms all groups and each
groups members?

BrianG

Yeh, I can see the inherited permissions to the folder when I check
the advanced permissions of some of my users but the permissions
aren't granted at the parent folder (also the root). This means that
some of my user must be members of a group who have the permissions
but I've checked membership of all groups who I have granted
permissions to the folder and these users are not members. Again,
some sort of utility that would print or show in a graphical way all
groups and their corresponding members would be invaluable.

BrianG

AllenM-Thanks so much for the help and the detailed explanation on
inherited permissions.

What I'm seeing is all of my domain users having the following
effective permission on D: (root)
Traverse folder/Execute file
List folder/Read data
Read attributes
Read extended attributes
Read permissions
Since I can't find where these permission are granted can I then
assume correctly that these permissions are granted by default on an
administrative share? I just can't imagine MS assumes we want these
permissions inherited by all Sub Level folders by default.

If the above is indeed true, then to disable these inherited
permission at each Sub Level 1 folder I simply need to uncheck the
"Allow inheritable permissions..." option for each folder. Correct?

If the default permission assumption is not true then I still need to
figure out why my users have those permissions granted at D:

BrianG



.

Relevant Pages

  • Re: Authenticated users permissions
    ... In NTFS when you block inheritance at a folder, ... will turn them into the initial explicit permissions on the new inheritance ... > Authenticated Users access. ...
    (microsoft.public.security)
  • Re: programmatically change permissions on folder in windows?
    ... as seen in the Adv / Edit drill-in, then the new ACE ... if inheritance is blocked at some ... > programmatically change permissions on folder in windows ... > Then folder> security> Advanced> Permissions> Replace permission entries ...
    (microsoft.public.win2000.security)
  • Re: Need help with Shared drives and permissions
    ... If you check a sub folder and see that it is inheriting ... that inherits permissions from a parent folder and add a user or group. ... I turn off inheritance. ...
    (microsoft.public.windows.server.general)
  • Re: Minimum NTFS Permissions - Theres such a thing???
    ... ?2001 Microsoft Corporation. ... HOW TO: Set Minimum NTFS Permissions Required for IIS 5.0 to Work WGID:198 ... " List Folder Contents" ...
    (microsoft.public.inetserver.iis.security)
  • Re: Unable to delete orphaned 1.5 GB System Restore folder
    ... The fact that the tech support is based in India has nothing to do with the ... If so you may want to leave this folder alone. ... down to all children folders because i can set those permissions to ... try deleting from the command line using system by using the AT ...
    (microsoft.public.windowsxp.security_admin)