Posted by Greg on May 18, 2006, 1:16 pm
I have a Share with the Domain Users group assigned Read access. In the
subfolders I have individual user accounts assigned with Various NTFS File
Permissions= Change, Write, even Full Control. None of these users can do
anything in the subfolders unless I go back to the Share Folder Permissions,
and grant Change, or Full Control. What am I overlooking here? This is on
Windows 2003
Posted by Greg on May 18, 2006, 1:19 pm
I also wanted to mention I don't have the "DENY" option checked for anything.
"Greg" wrote:
> I have a Share with the Domain Users group assigned Read access. In the
> subfolders I have individual user accounts assigned with Various NTFS File
> Permissions= Change, Write, even Full Control. None of these users can do
> anything in the subfolders unless I go back to the Share Folder Permissions,
> and grant Change, or Full Control. What am I overlooking here? This is on
> Windows 2003
Posted by Karl Levinson on May 18, 2006, 1:47 pm
This is working as expected. When Share permissions and NTFS file
permissions are different, you only get the most restrictive of the two. In
your example, people would only be able to Read at most when accessing those
files through the network. Because NTFS file permissions are so much more
granular than Share permissions, most people usually assign that share Full
Control [or the highest level of permissions required across the network] to
Everyone or better yet to Authenticated Users, and then scale back the
permissions granularly using NTFS file and folder permissions.
>I have a Share with the Domain Users group assigned Read access. In the
> subfolders I have individual user accounts assigned with Various NTFS File
> Permissions= Change, Write, even Full Control. None of these users can do
> anything in the subfolders unless I go back to the Share Folder
> Permissions,
> and grant Change, or Full Control. What am I overlooking here? This is on
> Windows 2003
Posted by Miha Pihler [MVP] on May 18, 2006, 1:52 pm
Hi,
What you are seeing is the correct result (by design). You have to take the maximum
permissions from NTFS (e.g. write) and the maximum permission from the share (e.g.
read). Now the _most_ restrictive permission from both (in the above case, read) will
be enforced on users accessing this share.
--
Mike
Microsoft MVP - Windows Security
>I have a Share with the Domain Users group assigned Read access. In the
> subfolders I have individual user accounts assigned with Various NTFS File
> Permissions= Change, Write, even Full Control. None of these users can do
> anything in the subfolders unless I go back to the Share Folder
> Permissions,
> and grant Change, or Full Control. What am I overlooking here? This is on
> Windows 2003
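
Added example, not part of any post in this thread: a simplified Python model of the rule both replies describe (take everything each layer grants the user, then keep only what both layers allow), applied to the share as posted and to the layout Karl recommends. The `Rights` flags, account names and ACL contents are constructed for illustration; deny entries and NTFS inheritance from parent folders are not modelled.

```python
from enum import IntFlag

class Rights(IntFlag):
    NONE = 0
    READ = 1
    WRITE = 2
    DELETE = 4
    CHANGE_ACL = 8

# Simplified templates; real Windows access masks are finer-grained.
READ = Rights.READ
CHANGE = Rights.READ | Rights.WRITE | Rights.DELETE  # share "Change" / NTFS "Modify"
FULL = CHANGE | Rights.CHANGE_ACL

def granted(acl, principals):
    """Union of every allow entry that names the user or one of their groups."""
    mask = Rights.NONE
    for principal, rights in acl:
        if principal in principals:
            mask |= rights
    return mask

def effective(share_acl, ntfs_acl, principals, over_network=True):
    """Over the network both layers must allow a right; locally only NTFS applies."""
    ntfs = granted(ntfs_acl, principals)
    return (granted(share_acl, principals) & ntfs) if over_network else ntfs

# Constructed accounts: the user name plus the groups the user belongs to.
alice = {"alice", "Domain Users", "Authenticated Users"}
bob = {"bob", "Domain Users", "Authenticated Users"}

ntfs_subfolder = [("alice", FULL)]                 # only alice is granted on the subfolder
share_as_posted = [("Domain Users", READ)]         # the setup in the question
share_as_advised = [("Authenticated Users", FULL)] # the setup Karl suggests

def summarize():
    return {
        "posted share, alice": effective(share_as_posted, ntfs_subfolder, alice),
        "posted share, alice, local logon": effective(
            share_as_posted, ntfs_subfolder, alice, over_network=False),
        "advised share, alice": effective(share_as_advised, ntfs_subfolder, alice),
        "advised share, bob": effective(share_as_advised, ntfs_subfolder, bob),
    }

if __name__ == "__main__":
    for case, rights in summarize().items():
        print(f"{case}: {rights!r}")
```

In this model a user with no allow entry on the subfolder ends up with no rights there even when the share grants Full Control, because the NTFS layer contributes nothing to the intersection.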
Posted by Greg on May 18, 2006, 2:17 pm
Wow, thank you for the quick response, I could have sworn that on MS support
page if a user has read on one share and write in a subfolder, Write would be
the dominant one, but I remember now that it is SHARE and NTFS permissions
that will do most restrictive, I let the support article confuse me, and
thank you for reminding me. If I do give domain users Write or Full Control
on the share permissions, will I have to go to each subfolder in the share
and imply DENY on NTFS shares I don't want certain users access to? I guess
the simple question is will I stop Write or Full Access rights granted from
the SHARE permissions, by saying don't inherit this from upper folder?
Thank you both for your quick responses and expertise
"Miha Pihler [MVP]" wrote:
> Hi,
>
> What you are seeing is correct result (by design). You have to take maximum
> permissions from NTFS (e.g. write) and maximum permission from share (e.g.
> read). Now _most_ restrictive permission from both (in above case read) will
> be enforced on users accessing this share.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> >I have a Share with the Domain Users group assigned Read access. In the
> > subfolders I have individual user accounts assigned with Various NTFS File
> > Permissions= Change, Write, even Full Control. None of these users can do
> > anything in the subfolders unless I go back to the Share Folder
> > Permissions,
> > and grant Change, or Full Control. What am I overlooking here? This is on
> > Windows 2003
>
>
>