Posted by Greg on May 18, 2006, 3:15 pm
Thank you, it is much clearer to me now.
Greg
"Miha Pihler [MVP]" wrote:
>
> Hi,
>
> > Wow, thank you for the quick response, I could have sworn that on MS
> > support page if a user has read on one share and write in a subfolder,
> > Write would be the dominant one, but I remember now that it is SHARE and
> > NTFS permissions that will do most restrictive, I let the support article
> > confuse me, and thank you for reminding me. If I do give domain users
> > Write or Full Control on the share permissions
>
> In most cases permission of Change on the share should be enough. Still it
> is a very good idea, as you suggest, to remove Everyone and e.g. add the
> Domain Users group to share permissions.
>
> > will I have to go to each subfolder in the share
> > and imply DENY on NTFS shares I don't want certain users access to?
>
> My advice here would be to create a new group called e.g. "IT Write access
> to data folder". Now throw all users that need access to this folder to this
> new group and add NTFS permissions of Write to this group. Remove all other
> groups or users from NTFS permissions.
> If there are people that need only read access create another group called
> e.g. "IT Read Only access to data folder" and add it to NTFS permissions
> with appropriate permissions (Read Only).
>
> > I guess the simple question is will I stop Write or Full Access rights
> > granted from the SHARE permissions, by saying don't inherit this from
> > upper folder?
>
> As mentioned before -- create new groups, remove the ones that are added to
> the folder. You can remove them by removing Inherit attribute on the
> folder... Now only groups that you added will have access to the
> share/folder.
>
> > Thank you both for your quick responses and expertise
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> > "Miha Pihler [MVP]" wrote:
> >
> >> Hi,
> >>
> >> What you are seeing is the correct result (by design). You have to take
> >> maximum permissions from NTFS (e.g. write) and maximum permission from
> >> share (e.g. read). Now _most_ restrictive permission from both (in above
> >> case read) will be enforced on users accessing this share.
> >>
> >> --
> >> Mike
> >> Microsoft MVP - Windows Security
> >>
> >> > I have a Share with the Domain Users group assigned Read access. In the
> >> > subfolders I have individual user accounts assigned with Various NTFS
> >> > File Permissions= Change, Write, even Full Control. None of these users
> >> > can do anything in the subfolders unless I go back to the Share Folder
> >> > Permissions, and grant Change, or Full Control. What am I overlooking
> >> > here? This is on Windows 2003
> >>
> >>
> >>
>
>
>
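
Added example, not part of the original thread: a simplified Python model of the rule discussed above, where rights from the share ACL and from the NTFS ACL are each accumulated across the user's groups and access through the share is limited to what both grant. The right bundles, the accounts alice and bob, and the function names are assumptions made for illustration.

```python
from enum import Flag

class Right(Flag):
    NONE = 0
    READ = 1
    WRITE = 2
    DELETE = 4
    CHANGE_PERMS = 8

FULL = Right.READ | Right.WRITE | Right.DELETE | Right.CHANGE_PERMS
# Simplified bundles (assumption): real ACEs carry finer-grained access masks.
SHARE = {"Read": Right.READ, "Change": Right.READ | Right.WRITE | Right.DELETE,
         "Full Control": FULL}
NTFS = {"Read": Right.READ, "Write": Right.WRITE,
        "Modify": Right.READ | Right.WRITE | Right.DELETE, "Full Control": FULL}

def granted(acl, principals, bundles):
    """Allow entries accumulate over the user's identities; a matching deny wins."""
    allow, deny = Right.NONE, Right.NONE
    for who, kind, level in acl:
        if who in principals:
            if kind == "deny":
                deny |= bundles[level]
            else:
                allow |= bundles[level]
    return allow & ~deny

def effective_over_network(share_acl, ntfs_acl, principals):
    """Access through the share is limited to rights that both ACLs grant."""
    return granted(share_acl, principals, SHARE) & granted(ntfs_acl, principals, NTFS)

# Constructed sample accounts and group memberships mirroring the thread.
alice = {"alice", "Domain Users", "IT Write access to data folder"}
bob = {"bob", "Domain Users"}

# Before: share gives Domain Users Read, NTFS gives the user Full Control.
before = effective_over_network(
    [("Domain Users", "allow", "Read")],
    [("alice", "allow", "Full Control")], alice)

# After: share gives Domain Users Change, NTFS lists only the two new groups.
share_after = [("Domain Users", "allow", "Change")]
ntfs_after = [("IT Write access to data folder", "allow", "Write"),
              ("IT Read Only access to data folder", "allow", "Read")]
alice_after = effective_over_network(share_after, ntfs_after, alice)
bob_after = effective_over_network(share_after, ntfs_after, bob)

if __name__ == "__main__":
    print(before, alice_after, bob_after)
```

In this model bob ends up with no access without any Deny entry, because he is in neither group listed on the NTFS ACL.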