|
Posted by AllenM on March 31, 2006, 1:53 pm
Please log in for more thread options That is not true. Reread your statement. "and do not grant full control to
non-administrators at the NTFS level, users should not be able to change
permissions"
This is not true because I would be able to change permissions without
granting FULL control by doing what I said. Perhaps you forgot to include
the "unless" at the end of your statement. Do a google search on NTFS
Folder/File permissions. They have some great articles you can use to learn
more about NTFS permissions.
Now reread what I said.
"YOU CAN ASSIGN ANY GROUP OR USER THE RIGHT TO "CHANGE PERMISSIONS" WITHOUT
GIVING THEM FULL CONTROL OR MAKING THEM A MEMBER OF AN ADMINISTRATIVE GROUP.
But I'm not going to argue it any furthur as this does not help the poster
resolve his issues.
"Bill" <it_professional_0812 at yahoo.com> wrote in message
> There is nothing incorrect about this statement: "If you set "Everyone -
> Full Control" at
> the share level, and do not grant full control to non-administrators at
> the
> NTFS level, users should not be able to change permissions."
>
> While it is true that you can assign special permissions to allow
> non-administrators to change permissions, if the group is not granted full
> control on the standard tab, they cannot change NTFS permissions, period.
>
>> Let me try to break this down to help better understand so that I may
>> provide some helpful input here.
>>
>> 1. "I have a folder called test under another folder called as Documents.
>> Documents folder is shared. I have given full permissions for everyone
>> group since i am
>> going to control the folder accesses via NTFS permissions."
>>
>> THIS IS CORRECT. WHENEVER YOU WANT TO SHARE A FOLDER IT IS GOOD PRACTICE
>> TO ASSIGN "EVERYONE" FULL ACCES AT THE SHARE LEVEL AND RESTRICT FOLDER
>> ACCESS USING NTFS FOLDER/FILE PERMISSIONS.
>>
>> 2. So for test folder i have assigned the permissions only for that
>> particular group and adminstrator.
>>
>> WHAT ARE THE PERMISSIONS YOU ASSIGNED TO THE ADMINISTRATORS AND THIS
>> PARTICULAR GROUP?
>>
>> 3. When i login from client machine and check the permissons via security
>> tab for any folder under test folder i am able to change permissions from
>> client side directly.
>>
>> WHO ARE YOU LOGGING IN AS?
>>
>> 4. I have tried all sorts of combinations but to my surprise none worked.
>> I dont know what is going wrong here.
>>
>> WHAT ARE THESE COMBINATIONS? i TAKE IT YOU ARE TRYING TO "NOT" ALLOW THIS
>> PARTICULAR GROUP THE RIGHT TO CHANGE PERMISSIONS? IS THIS A CORRECT
>> STATEMENT?
>>
>> 5. Bill's statement is incorrect. "If you set "Everyone - Full Control"
>> at the share level, and do not grant full control to non-administrators
>> at the NTFS level, users should not be able to change permissions."
>>
>> YOU CAN ASSIGN ANY GROUP OR USER THE RIGHT TO "CHANGE PERMISSIONS"
>> WITHOUT GIVING THEM FULL CONTROL OR MAKING THEM A MEMBER OF AN
>> ADMINISTRATIVE GROUP. YOU CAN ASSIGN THEM "SPECIAL PERMISSIONS". IN OTHER
>> WORDS, FOR EXAMPLE, I CAN ASSIGN A GROUP OR USER READ/WRITE ONLY AND GIVE
>> THEM "SPECIAL PERMISSIONS" TO "CHANGE PERMISSIONS". THIS CAN BE DONE FROM
>> THE "ADVANCE" FEATURES.
>>
>>
>>
>>
>>
>> "Bill" <it_professional_0812 at yahoo.com> wrote in message
>>> I'll ask the dumb question - are you logging in as yourself, or as the
>>> "restricted" user?
>>>
>>> If you set "Everyone - Full Control" at the share level, and do not
>>> grant full control to non-administrators at the NTFS level, users should
>>> not be able to change permissions.
>>>
>>>> Hi group,
>>>>
>>>> Hope you can help me with this one. I dont know what am i doing wrong.
>>>>
>>>> OS is windows 2003 in AD environment. This configuration is done on the
>>>> server side:
>>>>
>>>> I have a folder called test under another folder called as Documents.
>>>> Documents folder is
>>>> shared. I have given full permissions for everyone group since i am
>>>> going to control the folder accesses via NTFS permissions. So for test
>>>> folder i have assigned the permissions
>>>> only for that particular group and adminstrator.
>>>>
>>>> When i login from client machine and check the permissons via security
>>>> tab for any folder
>>>> under test folder i am able to change permissions from client side
>>>> directly. I have tried
>>>> all sorts of combinations but to my surprise none worked. I dont know
>>>> what is going wrong here.
>>>>
>>>> Any sort of inputs will be of great help. Thanks in advance.
>>>>
>>>> Thanks,
>>>>
>>>> Tornado.
>>>>
>>>
>>>
>>
>>
>
>
| 
XML Sitemap