Re: Directory Permissions - What gives?



While I agree with using NTFS permissions to control access to folders and files in a shared folder and setting Share Permissions to Everyone (or Authenticated Users if you prefer) Full Control, you might want to review the example in your second paragraph.

Share Permissions work the same way that NTFS permissions do - they are additive - a given user gets the sum of all the permissions granted to them by all the groups they are members of, not the least permission as you stated (assuming I understand what you said correctly). With Share permissions, there are only three possibilities, so the situation is simple:
- if the user is a member of a group that is granted Share Permission of Full Control or Change, then, if the NTFS permissions grant them Modify, they will be able to change things in the share regardless of what other groups they may be members of that only have Share Permissions of Read. The only thing that changes this is if there is a "Deny" permission setting anywhere - Deny always takes precedence over any Allow permissions.

As far as I'm aware, this has always been the case and is unlikely to change in the future.

I'm not sure what "Andrew"'s problem was caused by, but perhaps there is a communication/terminology issue and the following steps will clarify things for him.

Try this:

On an XP SP2 computer that is a domain member (e.g. XPSP2), log on with an administrative user account

1. open Windows Explorer and create a new Folder (e.g. c:\Test) in a convenient place
2. right click the folder, select Sharing and Security...; on the Sharing tab
a. select the Share this folder radio button
b. click Permissions
c. observe that the Share Permissions (default) are Everyone - Read - as expected for XP SP2
d. click Cancel
3. select the Security tab
4. set the permissions to:
- Administrators - Full Control
- SYSTEM - Full Control
- Users - Modify
click OK; (saves the changes and closes the Properties dialog)

I'm assuming that the local Users group on this computer (XPSP2) contains at least some domain user accounts (e.g. brucen) - the default is Domain Users (as it has been forever)

On another computer in the same domain (e.g. XPTest), log on with a domain user account that is also a member of the local Users group of the first computer (e.g. brucen)

5. in Start, Run, key \\xpsp2\test
6. observe that Windows Explorer opens showing the Test folder associated with the Test share - this folder is currently empty
7. attempt to create a file or a folder or both - this fails - access is denied

On the first computer (e.g. XPSP2):

8. right click the shared folder (e.g. c:\test), select Sharing and Security...; on the Sharing tab
a. click Permissions
b. click Add
c. add a domain group that contains the user account you logged on at the second computer with (e.g. Domain Users), and grant that group Full Control.
d. the Share Permissions will now look like:

Everyone - Read
Domain Users - Full Control
e. click OK

On the second computer (e.g. XPTest):

9. add a file through the share - works
10. add a folder through the share - works

The above was just to test the theory - normally I would just add Full Control to Everyone in the Share Permissions.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
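
The evaluation rule described in the post above, as an added example that is not part of the original post: each ACL gives the union of the user's Allow entries minus any Deny, and access through the share is what both the share ACL and the NTFS ACL grant. The coarse right names and the Deny entry are assumptions made for illustration; the accounts and ACLs mirror the walkthrough.

```python
# Simplified model (added example): rights are coarse sets, not real Windows access masks.
READ = frozenset({"read"})
CHANGE = READ | {"write", "delete"}
FULL = CHANGE | {"change_permissions"}
LEVELS = {"Read": READ, "Change": CHANGE, "Modify": CHANGE, "Full Control": FULL}


def granted(acl, principals):
    """Rights one ACL gives a user: union of matching Allow entries, minus matching Deny."""
    allow, deny = set(), set()
    for principal, kind, level in acl:
        if principal in principals:
            (deny if kind == "Deny" else allow).update(LEVELS[level])
    return allow - deny


def effective(share_acl, ntfs_acl, principals):
    """Access through the share: a right must be granted by BOTH the share and NTFS ACLs."""
    return granted(share_acl, principals) & granted(ntfs_acl, principals)


# Constructed data mirroring the walkthrough: brucen plus the groups he belongs to.
BRUCEN = {"brucen", "Everyone", "Domain Users", "Users"}
NTFS = [("Administrators", "Allow", "Full Control"),
        ("SYSTEM", "Allow", "Full Control"),
        ("Users", "Allow", "Modify")]                                   # step 4
SHARE_DEFAULT = [("Everyone", "Allow", "Read")]                         # step 2c
SHARE_ADDED = SHARE_DEFAULT + [("Domain Users", "Allow", "Full Control")]  # step 8d
SHARE_DENY = SHARE_ADDED + [("brucen", "Deny", "Change")]  # hypothetical Deny, not in the post


def can_write(share_acl):
    """True if brucen can create files through the share with the NTFS ACL above."""
    return "write" in effective(share_acl, NTFS, BRUCEN)


if __name__ == "__main__":
    for name, acl in [("Everyone=Read", SHARE_DEFAULT),
                      ("+ Domain Users=Full Control", SHARE_ADDED),
                      ("+ Deny Change for brucen", SHARE_DENY)]:
        print(f"{name:30} write through share: {can_write(acl)}")
```
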



"Paul in Detroit" <PaulG@xxxxxxxxx> wrote in message news:uXnwJoVyHHA.5584@xxxxxxxxxxxxxxxxxxxxxxx
SBS Rocker,
I do agree with you because I consider myself a throwback from the old NT days and that is the way I have always done it and consider to be the industry best practices method. Also the link you provided Dragos confirms the industry best practices. That said I do believe you may be a bit harsh in explaining it to Dragos. This NG is here to assist and help those who post questions and issues and not to belittle and discourage others because of their lack of knowledge or experience.

Dragos,
SBS Rocker is correct and the reason being is because of how Share permissions "supersede" NTFS permissions with the "most restrictive" access. In your case I think you are trying to secure your folder access using the Share permissions. If you do this you will find yourself doing more administrative work than necessary. The reason your users cannot write to that folder even though you gave them FULL "NTFS" permissions is because of what resides in your Share permissions. You can give Joe Bob FULL share permissions and FULL NTFS permissions but that is not going to work as long as there is a group that includes Joe Bob in the Share permissions with lesser access. I'm assuming the group EVERYONE=Read is still in your share permissions. That is what is preventing Joe Bob from writing to that folder because share permissions will allow the most restrictive access overriding his FULL share permissions.
Take SBS Rocker's advice. All you need at the Share level is Everyone or Authenticated Users = FULL. Control your security at the NTFS permissions.


"SBS Rocker" <noreply@xxxxxxxxxxxx> wrote in message news:eiFGQcVyHHA.276@xxxxxxxxxxxxxxxxxxxxxxx
A good article for those who don't understand how Shares work in conjunction with NTFS permissions. Take note on the last paragraph.....

http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1093198,00.html?FromTaxonomy=%252Fpr%252F286434

"Dragos CAMARA" <dragos_c@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:CE8670EA-0F71-47A5-BE85-5132B7F7875C@xxxxxxxxxxxxxxxx
Hi,
I don't agree with the best practices to give everyone full permissions on the
share. Best practices is to check and add the groups proper there.

--
Dragos CAMARA
MCSA Windows 2003 server


"SBS Rocker" wrote:

I think I may know what your problems are. You say..........

"I gave the user Full Control NTFS AND Folder Share permissions."
Is the group Everyone=READ on the Share permissions still there? If so
you need to remove the user=FULL and change Everyone=FULL on the share
permissions. No need to add a user to the share permissions and give him
FULL access. By industry best practices when creating a Share the default
would be Everyone=FULL.


"Andrew" <Andrew@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9D378ED8-BCBA-40FD-A231-29B22CB11366@xxxxxxxxxxxxxxxx
>I gave the user Full Control NTFS AND Folder Share permissions.
>
> Even if I'm logged on as Administrator, I still can't push anything down,
> but I can pull files across without any issues.
>
> I'm stumped.
>
> "SBS Rocker" wrote:
>
>> What are the share permissions? When you say you gave the user FULL
>> control do you mean FULL NTFS permissions?
>>
>> "Andrew" <Andrew@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@xxxxxxxxxxxxxxxx
>> > I shared a directory with one of our Windows 2003 servers and gave a
>> > user Full Control access to that directory. However, from his computer
>> > where he is logged on, he can't copy and paste anything to that
>> > directory. If he remote desktops into the server and logs on as
>> > himself, he can browse to another network share and pull the file over
>> > without any problems.
>> >
>> > I never had this problem in Windows 2000. How do I configure a
>> > directory on a Windows 2003 server so that people can "push" files to
>> > that folder without logging onto the server locally and "pulling" the
>> > files over?
>>
>>
>>







