Security and Permissions

Archived from groups: microsoft.public.win2000.security (More info?)

Can some explain (simply) how Share, folder and sub folder
permissions work because evrything I do in my domain
simply does not work?

All users have access to everything regardless of what
permissions I set.

I leave the network for up to and hour, log on as a test
user and they still have access to everthing even though I
specify access to only a select no. of shares.

Currently I have a share - SHARE A with Subfolders SB1-
SB3.

Each SB folder is a project which only a select few can
have access to.

If I have groups GP1 -3 for each SB folder what
permissions should I have for:

1. the Share
2. the Share folder (Security)
3. the SB folders in the share.

Hope someone can help.

TIA.
10 answers Last reply
More about security permissions
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    Are you configuring ntfs permissions also? You also might try to use three top shares
    instead as SB1, SB2, and SB3. However you do it, give system and administrators full
    control ntfs permissions and then add the appropriate user group with the needed ntfs
    permissions to each folder. If you are sharing one top folder then give
    administrators full control and users change permissions to the share. If you use
    three top shares then give administrators full control and the appropriate group
    change control to each folder. Ntfs permissions are in a folders properties/security
    page. When you test results be sure to logon as a user and not as an administrator
    and log off and back on after a change to share or ntfs permissions. For a network
    users, their permission to a share will be the most restrictive of either the share
    or ntfs permissions. The link below may help. --- Steve

    http://support.microsoft.com/default.aspx?kbid=300691

    "jmos" <anonymous@discussions.microsoft.com> wrote in message
    news:c31101c47a3a$5130eff0$a301280a@phx.gbl...
    > Can some explain (simply) how Share, folder and sub folder
    > permissions work because evrything I do in my domain
    > simply does not work?
    >
    > All users have access to everything regardless of what
    > permissions I set.
    >
    > I leave the network for up to and hour, log on as a test
    > user and they still have access to everthing even though I
    > specify access to only a select no. of shares.
    >
    > Currently I have a share - SHARE A with Subfolders SB1-
    > SB3.
    >
    > Each SB folder is a project which only a select few can
    > have access to.
    >
    > If I have groups GP1 -3 for each SB folder what
    > permissions should I have for:
    >
    > 1. the Share
    > 2. the Share folder (Security)
    > 3. the SB folders in the share.
    >
    > Hope someone can help.
    >
    > TIA.
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Thank you Steven
    Yes I am including the NTFS Permissions.

    What I'm doing is this:

    1. Create a group (Share Group) and and GP 1-3 to it.

    Share Permissions -> Domain Admin -> Full Control
    -> Share Group -> Change

    Share NTFS -> Domain Admin -> Full Control
    -> Share Group -> Modify (Special)

    Share Sub folders no Inheritance

    Share Sub Folder 1-> Domain Admin -> Full Control
    NTFS -> Group1 -> Modify (Special)

    Share Sub Folder 2-> Domain Admin -> Full Control
    NTFS -> Group2 -> Modify (Special)

    Share Sub Folder 3-> Domain Admin -> Full Control
    NTFS -> Group3 -> Modify (Special)

    User Joe appears only in Group1
    User Mary appears in Group 1 and 3

    Now my understanding is that for user Joe they would get
    the most restrictive of both the Share and the NTFS of the
    share AND that the NTFS of the Sub Folder overrides the
    securities of the forementioned i.e only access to Share
    Sub folder 1. The same would apply to User Mary i.e access
    to only Sub Folders 1 and 3 not 2.

    Am I right in saying this?

    If so why is this not currently working in my domain and
    what else should I do or be looking for?

    Many thanks for your reply

    JMOS


    >-----Original Message-----
    >Are you configuring ntfs permissions also? You also might
    try to use three top shares
    >instead as SB1, SB2, and SB3. However you do it, give
    system and administrators full
    >control ntfs permissions and then add the appropriate
    user group with the needed ntfs
    >permissions to each folder. If you are sharing one top
    folder then give
    >administrators full control and users change permissions
    to the share. If you use
    >three top shares then give administrators full control
    and the appropriate group
    >change control to each folder. Ntfs permissions are in a
    folders properties/security
    >page. When you test results be sure to logon as a user
    and not as an administrator
    >and log off and back on after a change to share or ntfs
    permissions. For a network
    >users, their permission to a share will be the most
    restrictive of either the share
    >or ntfs permissions. The link below may help. --- Steve
    >
    >http://support.microsoft.com/default.aspx?kbid=300691
    >
    >"jmos" <anonymous@discussions.microsoft.com> wrote in
    message
    >news:c31101c47a3a$5130eff0$a301280a@phx.gbl...
    >> Can some explain (simply) how Share, folder and sub
    folder
    >> permissions work because evrything I do in my domain
    >> simply does not work?
    >>
    >> All users have access to everything regardless of what
    >> permissions I set.
    >>
    >> I leave the network for up to and hour, log on as a test
    >> user and they still have access to everthing even
    though I
    >> specify access to only a select no. of shares.
    >>
    >> Currently I have a share - SHARE A with Subfolders SB1-
    >> SB3.
    >>
    >> Each SB folder is a project which only a select few can
    >> have access to.
    >>
    >> If I have groups GP1 -3 for each SB folder what
    >> permissions should I have for:
    >>
    >> 1. the Share
    >> 2. the Share folder (Security)
    >> 3. the SB folders in the share.
    >>
    >> Hope someone can help.
    >>
    >> TIA.
    >
    >
    >.
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    At first glance it looks as if you are doing everything correct. Are you saying that
    Joe and Mary can access the data and write and delete files in all the subfolders or
    what kind of access are they getting to them that you find unexpected? --- Steve

    "jmos" <anonymous@discussions.microsoft.com> wrote in message
    news:03e801c47a74$622c1e30$a601280a@phx.gbl...
    > Thank you Steven
    > Yes I am including the NTFS Permissions.
    >
    > What I'm doing is this:
    >
    > 1. Create a group (Share Group) and and GP 1-3 to it.
    >
    > Share Permissions -> Domain Admin -> Full Control
    > -> Share Group -> Change
    >
    > Share NTFS -> Domain Admin -> Full Control
    > -> Share Group -> Modify (Special)
    >
    > Share Sub folders no Inheritance
    >
    > Share Sub Folder 1-> Domain Admin -> Full Control
    > NTFS -> Group1 -> Modify (Special)
    >
    > Share Sub Folder 2-> Domain Admin -> Full Control
    > NTFS -> Group2 -> Modify (Special)
    >
    > Share Sub Folder 3-> Domain Admin -> Full Control
    > NTFS -> Group3 -> Modify (Special)
    >
    > User Joe appears only in Group1
    > User Mary appears in Group 1 and 3
    >
    > Now my understanding is that for user Joe they would get
    > the most restrictive of both the Share and the NTFS of the
    > share AND that the NTFS of the Sub Folder overrides the
    > securities of the forementioned i.e only access to Share
    > Sub folder 1. The same would apply to User Mary i.e access
    > to only Sub Folders 1 and 3 not 2.
    >
    > Am I right in saying this?
    >
    > If so why is this not currently working in my domain and
    > what else should I do or be looking for?
    >
    > Many thanks for your reply
    >
    > JMOS
    >
    >
    > >-----Original Message-----
    > >Are you configuring ntfs permissions also? You also might
    > try to use three top shares
    > >instead as SB1, SB2, and SB3. However you do it, give
    > system and administrators full
    > >control ntfs permissions and then add the appropriate
    > user group with the needed ntfs
    > >permissions to each folder. If you are sharing one top
    > folder then give
    > >administrators full control and users change permissions
    > to the share. If you use
    > >three top shares then give administrators full control
    > and the appropriate group
    > >change control to each folder. Ntfs permissions are in a
    > folders properties/security
    > >page. When you test results be sure to logon as a user
    > and not as an administrator
    > >and log off and back on after a change to share or ntfs
    > permissions. For a network
    > >users, their permission to a share will be the most
    > restrictive of either the share
    > >or ntfs permissions. The link below may help. --- Steve
    > >
    > >http://support.microsoft.com/default.aspx?kbid=300691
    > >
    > >"jmos" <anonymous@discussions.microsoft.com> wrote in
    > message
    > >news:c31101c47a3a$5130eff0$a301280a@phx.gbl...
    > >> Can some explain (simply) how Share, folder and sub
    > folder
    > >> permissions work because evrything I do in my domain
    > >> simply does not work?
    > >>
    > >> All users have access to everything regardless of what
    > >> permissions I set.
    > >>
    > >> I leave the network for up to and hour, log on as a test
    > >> user and they still have access to everthing even
    > though I
    > >> specify access to only a select no. of shares.
    > >>
    > >> Currently I have a share - SHARE A with Subfolders SB1-
    > >> SB3.
    > >>
    > >> Each SB folder is a project which only a select few can
    > >> have access to.
    > >>
    > >> If I have groups GP1 -3 for each SB folder what
    > >> permissions should I have for:
    > >>
    > >> 1. the Share
    > >> 2. the Share folder (Security)
    > >> 3. the SB folders in the share.
    > >>
    > >> Hope someone can help.
    > >>
    > >> TIA.
    > >
    > >
    > >.
    > >
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    Yes,
    What's happening is that in the case of both Joe and Mary
    they have access to all the sub folders in the share and
    that's what I do not want. They shoud only have access to
    certain sub folders in the share but generally have access
    to the share i.e to get to the sub folders.


    >-----Original Message-----
    >At first glance it looks as if you are doing everything
    correct. Are you saying that
    >Joe and Mary can access the data and write and delete
    files in all the subfolders or
    >what kind of access are they getting to them that you
    find unexpected? --- Steve
    >
    >"jmos" <anonymous@discussions.microsoft.com> wrote in
    message
    >news:03e801c47a74$622c1e30$a601280a@phx.gbl...
    >> Thank you Steven
    >> Yes I am including the NTFS Permissions.
    >>
    >> What I'm doing is this:
    >>
    >> 1. Create a group (Share Group) and and GP 1-3 to it.
    >>
    >> Share Permissions -> Domain Admin -> Full Control
    >> -> Share Group -> Change
    >>
    >> Share NTFS -> Domain Admin -> Full Control
    >> -> Share Group -> Modify (Special)
    >>
    >> Share Sub folders no Inheritance
    >>
    >> Share Sub Folder 1-> Domain Admin -> Full Control
    >> NTFS -> Group1 -> Modify (Special)
    >>
    >> Share Sub Folder 2-> Domain Admin -> Full Control
    >> NTFS -> Group2 -> Modify (Special)
    >>
    >> Share Sub Folder 3-> Domain Admin -> Full Control
    >> NTFS -> Group3 -> Modify (Special)
    >>
    >> User Joe appears only in Group1
    >> User Mary appears in Group 1 and 3
    >>
    >> Now my understanding is that for user Joe they would get
    >> the most restrictive of both the Share and the NTFS of
    the
    >> share AND that the NTFS of the Sub Folder overrides the
    >> securities of the forementioned i.e only access to Share
    >> Sub folder 1. The same would apply to User Mary i.e
    access
    >> to only Sub Folders 1 and 3 not 2.
    >>
    >> Am I right in saying this?
    >>
    >> If so why is this not currently working in my domain and
    >> what else should I do or be looking for?
    >>
    >> Many thanks for your reply
    >>
    >> JMOS
    >>
    >>
    >> >-----Original Message-----
    >> >Are you configuring ntfs permissions also? You also
    might
    >> try to use three top shares
    >> >instead as SB1, SB2, and SB3. However you do it, give
    >> system and administrators full
    >> >control ntfs permissions and then add the appropriate
    >> user group with the needed ntfs
    >> >permissions to each folder. If you are sharing one top
    >> folder then give
    >> >administrators full control and users change
    permissions
    >> to the share. If you use
    >> >three top shares then give administrators full control
    >> and the appropriate group
    >> >change control to each folder. Ntfs permissions are in
    a
    >> folders properties/security
    >> >page. When you test results be sure to logon as a user
    >> and not as an administrator
    >> >and log off and back on after a change to share or ntfs
    >> permissions. For a network
    >> >users, their permission to a share will be the most
    >> restrictive of either the share
    >> >or ntfs permissions. The link below may help. ---
    Steve
    >> >
    >> >http://support.microsoft.com/default.aspx?kbid=300691
    >> >
    >> >"jmos" <anonymous@discussions.microsoft.com> wrote in
    >> message
    >> >news:c31101c47a3a$5130eff0$a301280a@phx.gbl...
    >> >> Can some explain (simply) how Share, folder and sub
    >> folder
    >> >> permissions work because evrything I do in my domain
    >> >> simply does not work?
    >> >>
    >> >> All users have access to everything regardless of
    what
    >> >> permissions I set.
    >> >>
    >> >> I leave the network for up to and hour, log on as a
    test
    >> >> user and they still have access to everthing even
    >> though I
    >> >> specify access to only a select no. of shares.
    >> >>
    >> >> Currently I have a share - SHARE A with Subfolders
    SB1-
    >> >> SB3.
    >> >>
    >> >> Each SB folder is a project which only a select few
    can
    >> >> have access to.
    >> >>
    >> >> If I have groups GP1 -3 for each SB folder what
    >> >> permissions should I have for:
    >> >>
    >> >> 1. the Share
    >> >> 2. the Share folder (Security)
    >> >> 3. the SB folders in the share.
    >> >>
    >> >> Hope someone can help.
    >> >>
    >> >> TIA.
    >> >
    >> >
    >> >.
    >> >
    >
    >
    >.
    >
  5. Archived from groups: microsoft.public.win2000.security (More info?)

    I've found another post which states that what I'm looking for can be done.

    Subject: Re: Permissions on Shared Files 7/16/2004 9:30 AM PST
    By: Keith Langmead

    In actuality I have had this work in the past but since I've added a couple
    of other shares to the network and tried to simplify securities (explain
    below) poeple now have access to everything which gets me wondering if there
    is a corruption somewhere.

    Everything else looks fine and the Event viewer shows exceptionally clean
    logs. Nothing else seems to be effected.

    Most other shares are working correctly and they are mapped to local drives.

    My simplification of securities was to add all project security groups to
    one large group to manage the share and ntfs permissions easily otherwise I
    could spend hours just ensuring permissions were correct.

    Is there anything else I could do or look into to solve this issue. I use a
    test user to test the securities out and the only groups they are members of
    are:

    Domain Users -> primary
    Group 1 -> Sub Folder Group

    Share Group -> By implication of Group 1 being a member of Share Group.

    This is exactly the same as in other shares which works well. However
    something has gone wrong somewhere in setting up new shares and everyone has
    access to all data regardless of the permissions I set.

    Note all Shares are on the same volume.

    Please Help

    TIA

    "jmos" wrote:

    > Yes,
    > What's happening is that in the case of both Joe and Mary
    > they have access to all the sub folders in the share and
    > that's what I do not want. They shoud only have access to
    > certain sub folders in the share but generally have access
    > to the share i.e to get to the sub folders.
    >
    >
    >
    > >-----Original Message-----
    > >At first glance it looks as if you are doing everything
    > correct. Are you saying that
    > >Joe and Mary can access the data and write and delete
    > files in all the subfolders or
    > >what kind of access are they getting to them that you
    > find unexpected? --- Steve
    > >
    > >"jmos" <anonymous@discussions.microsoft.com> wrote in
    > message
    > >news:03e801c47a74$622c1e30$a601280a@phx.gbl...
    > >> Thank you Steven
    > >> Yes I am including the NTFS Permissions.
    > >>
    > >> What I'm doing is this:
    > >>
    > >> 1. Create a group (Share Group) and and GP 1-3 to it.
    > >>
    > >> Share Permissions -> Domain Admin -> Full Control
    > >> -> Share Group -> Change
    > >>
    > >> Share NTFS -> Domain Admin -> Full Control
    > >> -> Share Group -> Modify (Special)
    > >>
    > >> Share Sub folders no Inheritance
    > >>
    > >> Share Sub Folder 1-> Domain Admin -> Full Control
    > >> NTFS -> Group1 -> Modify (Special)
    > >>
    > >> Share Sub Folder 2-> Domain Admin -> Full Control
    > >> NTFS -> Group2 -> Modify (Special)
    > >>
    > >> Share Sub Folder 3-> Domain Admin -> Full Control
    > >> NTFS -> Group3 -> Modify (Special)
    > >>
    > >> User Joe appears only in Group1
    > >> User Mary appears in Group 1 and 3
    > >>
    > >> Now my understanding is that for user Joe they would get
    > >> the most restrictive of both the Share and the NTFS of
    > the
    > >> share AND that the NTFS of the Sub Folder overrides the
    > >> securities of the forementioned i.e only access to Share
    > >> Sub folder 1. The same would apply to User Mary i.e
    > access
    > >> to only Sub Folders 1 and 3 not 2.
    > >>
    > >> Am I right in saying this?
    > >>
    > >> If so why is this not currently working in my domain and
    > >> what else should I do or be looking for?
    > >>
    > >> Many thanks for your reply
    > >>
    > >> JMOS
    > >>
    > >>
    > >> >-----Original Message-----
    > >> >Are you configuring ntfs permissions also? You also
    > might
    > >> try to use three top shares
    > >> >instead as SB1, SB2, and SB3. However you do it, give
    > >> system and administrators full
    > >> >control ntfs permissions and then add the appropriate
    > >> user group with the needed ntfs
    > >> >permissions to each folder. If you are sharing one top
    > >> folder then give
    > >> >administrators full control and users change
    > permissions
    > >> to the share. If you use
    > >> >three top shares then give administrators full control
    > >> and the appropriate group
    > >> >change control to each folder. Ntfs permissions are in
    > a
    > >> folders properties/security
    > >> >page. When you test results be sure to logon as a user
    > >> and not as an administrator
    > >> >and log off and back on after a change to share or ntfs
    > >> permissions. For a network
    > >> >users, their permission to a share will be the most
    > >> restrictive of either the share
    > >> >or ntfs permissions. The link below may help. ---
    > Steve
    > >> >
    > >> >http://support.microsoft.com/default.aspx?kbid=300691
    > >> >
    > >> >"jmos" <anonymous@discussions.microsoft.com> wrote in
    > >> message
    > >> >news:c31101c47a3a$5130eff0$a301280a@phx.gbl...
    > >> >> Can some explain (simply) how Share, folder and sub
    > >> folder
    > >> >> permissions work because evrything I do in my domain
    > >> >> simply does not work?
    > >> >>
    > >> >> All users have access to everything regardless of
    > what
    > >> >> permissions I set.
    > >> >>
    > >> >> I leave the network for up to and hour, log on as a
    > test
    > >> >> user and they still have access to everthing even
    > >> though I
    > >> >> specify access to only a select no. of shares.
    > >> >>
    > >> >> Currently I have a share - SHARE A with Subfolders
    > SB1-
    > >> >> SB3.
    > >> >>
    > >> >> Each SB folder is a project which only a select few
    > can
    > >> >> have access to.
    > >> >>
    > >> >> If I have groups GP1 -3 for each SB folder what
    > >> >> permissions should I have for:
    > >> >>
    > >> >> 1. the Share
    > >> >> 2. the Share folder (Security)
    > >> >> 3. the SB folders in the share.
    > >> >>
    > >> >> Hope someone can help.
    > >> >>
    > >> >> TIA.
    > >> >
    > >> >
    > >> >.
    > >> >
    > >
    > >
    > >.
    > >
    >
  6. Archived from groups: microsoft.public.win2000.security (More info?)

    I've found another post which states that what I'm looking for can be done.

    Subject: Re: Permissions on Shared Files 7/16/2004 9:30 AM PST
    By: Keith Langmead

    In actuality I have had this work in the past but since I've added a couple
    of other shares to the network and tried to simplify securities (explain
    below) poeple now have access to everything which gets me wondering if there
    is a corruption somewhere.

    Everything else looks fine and the Event viewer shows exceptionally clean
    logs. Nothing else seems to be effected.

    Most other shares are working correctly and they are mapped to local drives.

    My simplification of securities was to add all project security groups to
    one large group to manage the share and ntfs permissions easily otherwise I
    could spend hours just ensuring permissions were correct.

    Is there anything else I could do or look into to solve this issue. I use a
    test user to test the securities out and the only groups they are members of
    are:

    Domain Users -> primary
    Group 1 -> Sub Folder Group

    Share Group -> By implication of Group 1 being a member of Share Group.

    This is exactly the same as in other shares which works well. However
    something has gone wrong somewhere in setting up new shares and everyone has
    access to all data regardless of the permissions I set.

    Note all Shares are on the same volume.

    Please Help

    TIA


    "jmos" wrote:

    > Yes,
    > What's happening is that in the case of both Joe and Mary
    > they have access to all the sub folders in the share and
    > that's what I do not want. They shoud only have access to
    > certain sub folders in the share but generally have access
    > to the share i.e to get to the sub folders.
    >
    >
    >
    > >-----Original Message-----
    > >At first glance it looks as if you are doing everything
    > correct. Are you saying that
    > >Joe and Mary can access the data and write and delete
    > files in all the subfolders or
    > >what kind of access are they getting to them that you
    > find unexpected? --- Steve
    > >
    > >"jmos" <anonymous@discussions.microsoft.com> wrote in
    > message
    > >news:03e801c47a74$622c1e30$a601280a@phx.gbl...
    > >> Thank you Steven
    > >> Yes I am including the NTFS Permissions.
    > >>
    > >> What I'm doing is this:
    > >>
    > >> 1. Create a group (Share Group) and and GP 1-3 to it.
    > >>
    > >> Share Permissions -> Domain Admin -> Full Control
    > >> -> Share Group -> Change
    > >>
    > >> Share NTFS -> Domain Admin -> Full Control
    > >> -> Share Group -> Modify (Special)
    > >>
    > >> Share Sub folders no Inheritance
    > >>
    > >> Share Sub Folder 1-> Domain Admin -> Full Control
    > >> NTFS -> Group1 -> Modify (Special)
    > >>
    > >> Share Sub Folder 2-> Domain Admin -> Full Control
    > >> NTFS -> Group2 -> Modify (Special)
    > >>
    > >> Share Sub Folder 3-> Domain Admin -> Full Control
    > >> NTFS -> Group3 -> Modify (Special)
    > >>
    > >> User Joe appears only in Group1
    > >> User Mary appears in Group 1 and 3
    > >>
    > >> Now my understanding is that for user Joe they would get
    > >> the most restrictive of both the Share and the NTFS of
    > the
    > >> share AND that the NTFS of the Sub Folder overrides the
    > >> securities of the forementioned i.e only access to Share
    > >> Sub folder 1. The same would apply to User Mary i.e
    > access
    > >> to only Sub Folders 1 and 3 not 2.
    > >>
    > >> Am I right in saying this?
    > >>
    > >> If so why is this not currently working in my domain and
    > >> what else should I do or be looking for?
    > >>
    > >> Many thanks for your reply
    > >>
    > >> JMOS
    > >>
    > >>
    > >> >-----Original Message-----
    > >> >Are you configuring ntfs permissions also? You also
    > might
    > >> try to use three top shares
    > >> >instead as SB1, SB2, and SB3. However you do it, give
    > >> system and administrators full
    > >> >control ntfs permissions and then add the appropriate
    > >> user group with the needed ntfs
    > >> >permissions to each folder. If you are sharing one top
    > >> folder then give
    > >> >administrators full control and users change
    > permissions
    > >> to the share. If you use
    > >> >three top shares then give administrators full control
    > >> and the appropriate group
    > >> >change control to each folder. Ntfs permissions are in
    > a
    > >> folders properties/security
    > >> >page. When you test results be sure to logon as a user
    > >> and not as an administrator
    > >> >and log off and back on after a change to share or ntfs
    > >> permissions. For a network
    > >> >users, their permission to a share will be the most
    > >> restrictive of either the share
    > >> >or ntfs permissions. The link below may help. ---
    > Steve
    > >> >
    > >> >http://support.microsoft.com/default.aspx?kbid=300691
    > >> >
    > >> >"jmos" <anonymous@discussions.microsoft.com> wrote in
    > >> message
    > >> >news:c31101c47a3a$5130eff0$a301280a@phx.gbl...
    > >> >> Can some explain (simply) how Share, folder and sub
    > >> folder
    > >> >> permissions work because evrything I do in my domain
    > >> >> simply does not work?
    > >> >>
    > >> >> All users have access to everything regardless of
    > what
    > >> >> permissions I set.
    > >> >>
    > >> >> I leave the network for up to and hour, log on as a
    > test
    > >> >> user and they still have access to everthing even
    > >> though I
    > >> >> specify access to only a select no. of shares.
    > >> >>
    > >> >> Currently I have a share - SHARE A with Subfolders
    > SB1-
    > >> >> SB3.
    > >> >>
    > >> >> Each SB folder is a project which only a select few
    > can
    > >> >> have access to.
    > >> >>
    > >> >> If I have groups GP1 -3 for each SB folder what
    > >> >> permissions should I have for:
    > >> >>
    > >> >> 1. the Share
    > >> >> 2. the Share folder (Security)
    > >> >> 3. the SB folders in the share.
    > >> >>
    > >> >> Hope someone can help.
    > >> >>
    > >> >> TIA.
    > >> >
    > >> >
    > >> >.
    > >> >
    > >
    > >
    > >.
    > >
    >
  7. Archived from groups: microsoft.public.win2000.security (More info?)

    "jmos" <anonymous@discussions.microsoft.com> said

    > Thank you Steven
    > Yes I am including the NTFS Permissions.
    >
    > What I'm doing is this:
    >
    > 1. Create a group (Share Group) and and GP 1-3 to it.
    >
    > Share Permissions -> Domain Admin -> Full Control
    > -> Share Group -> Change
    >
    > Share NTFS -> Domain Admin -> Full Control
    > -> Share Group -> Modify (Special)
    >
    > Share Sub folders no Inheritance
    >
    > Share Sub Folder 1-> Domain Admin -> Full Control
    > NTFS -> Group1 -> Modify (Special)
    >
    > Share Sub Folder 2-> Domain Admin -> Full Control
    > NTFS -> Group2 -> Modify (Special)
    >
    > Share Sub Folder 3-> Domain Admin -> Full Control
    > NTFS -> Group3 -> Modify (Special)
    >
    > User Joe appears only in Group1
    > User Mary appears in Group 1 and 3
    >
    > Now my understanding is that for user Joe they would get
    > the most restrictive of both the Share and the NTFS of the
    > share AND that the NTFS of the Sub Folder overrides the
    > securities of the forementioned i.e only access to Share
    > Sub folder 1. The same would apply to User Mary i.e access
    > to only Sub Folders 1 and 3 not 2.
    >
    > Am I right in saying this?
    >
    > If so why is this not currently working in my domain and
    > what else should I do or be looking for?
    >

    Make it easy on yourself and forget about the share permissions. Set them to
    full access for everyone and use NTFS permissions to lock down the level of
    access you want.

    Create your root directory, share it and set the share permissions to full
    control for everyone. You don't need to share each folder individually. The
    users and admins can access them through \\server\share\folder1 , \\server
    \share\folder2 etc.
    Next click the 'Security' tab (this is where you set the NTFS permissions)
    and give the Domain Admins group full control and the Everyone read and
    execute permissions (this will put ticks in a few other boxes, which is
    normal). If the check boxes are greyed out you will need to click the
    'Advanced' button and disable inheritance.

    For each of the sub folders, set the NTFS permissions to 'Modify' for the
    groups you want to have access to that folder and 'Full control' for Domain
    Admins. Make sure the 'Everyone' group is not listed as having any
    permissions.

    Using share permissions just confuses everyone involved (which is what I
    think you've managed to do to yourself ;-) ) and also provides a false sense
    of security.
    You may think that you have set the share permissions OK but there could be
    another share higher up the directory structure that will give users full
    access if the NTFS permissions are not right. NTFS permissions can bypass
    share permissions if you don't access the directory via a particular share.
    Share level permissions can *never* over-ride NTFS permissions.
    Much better to set the permissions at the file system level. That way there
    can be no mistakes.

    --
    Andy.
  8. Archived from groups: microsoft.public.win2000.security (More info?)

    You have "ntfs" permissions configured on the sub folders to give specific groups
    access and users not in any of those groups can access/write/and delete to those
    folders?? I have never seen that before. Be sure to check advanced permissions also
    for those folders for group permissions. In addition make sure that on the root/drive
    folder that users/everyone has no more that read/list/execute permissions. If you
    still can not get it to work try using three separate top level folders - one for
    each group you want to access. Make sure you are not testing access with existing
    user files because if creator owner is present in ntfs permissions, the user will be
    assigned creator owner permissions to the file if they are the owner of the file as
    shown in security/advanced - owner, even if they have no other permissions to the
    folder. --- Steve


    "jmos" <anonymous@discussions.microsoft.com> wrote in message
    news:069801c47ac7$98f26700$a501280a@phx.gbl...
    > Yes,
    > What's happening is that in the case of both Joe and Mary
    > they have access to all the sub folders in the share and
    > that's what I do not want. They shoud only have access to
    > certain sub folders in the share but generally have access
    > to the share i.e to get to the sub folders.
    >
    >
    >
    > >-----Original Message-----
    > >At first glance it looks as if you are doing everything
    > correct. Are you saying that
    > >Joe and Mary can access the data and write and delete
    > files in all the subfolders or
    > >what kind of access are they getting to them that you
    > find unexpected? --- Steve
    > >
    > >"jmos" <anonymous@discussions.microsoft.com> wrote in
    > message
    > >news:03e801c47a74$622c1e30$a601280a@phx.gbl...
    > >> Thank you Steven
    > >> Yes I am including the NTFS Permissions.
    > >>
    > >> What I'm doing is this:
    > >>
    > >> 1. Create a group (Share Group) and and GP 1-3 to it.
    > >>
    > >> Share Permissions -> Domain Admin -> Full Control
    > >> -> Share Group -> Change
    > >>
    > >> Share NTFS -> Domain Admin -> Full Control
    > >> -> Share Group -> Modify (Special)
    > >>
    > >> Share Sub folders no Inheritance
    > >>
    > >> Share Sub Folder 1-> Domain Admin -> Full Control
    > >> NTFS -> Group1 -> Modify (Special)
    > >>
    > >> Share Sub Folder 2-> Domain Admin -> Full Control
    > >> NTFS -> Group2 -> Modify (Special)
    > >>
    > >> Share Sub Folder 3-> Domain Admin -> Full Control
    > >> NTFS -> Group3 -> Modify (Special)
    > >>
    > >> User Joe appears only in Group1
    > >> User Mary appears in Group 1 and 3
    > >>
    > >> Now my understanding is that for user Joe they would get
    > >> the most restrictive of both the Share and the NTFS of
    > the
    > >> share AND that the NTFS of the Sub Folder overrides the
    > >> securities of the forementioned i.e only access to Share
    > >> Sub folder 1. The same would apply to User Mary i.e
    > access
    > >> to only Sub Folders 1 and 3 not 2.
    > >>
    > >> Am I right in saying this?
    > >>
    > >> If so why is this not currently working in my domain and
    > >> what else should I do or be looking for?
    > >>
    > >> Many thanks for your reply
    > >>
    > >> JMOS
    > >>
    > >>
    > >> >-----Original Message-----
    > >> >Are you configuring ntfs permissions also? You also
    > might
    > >> try to use three top shares
    > >> >instead as SB1, SB2, and SB3. However you do it, give
    > >> system and administrators full
    > >> >control ntfs permissions and then add the appropriate
    > >> user group with the needed ntfs
    > >> >permissions to each folder. If you are sharing one top
    > >> folder then give
    > >> >administrators full control and users change
    > permissions
    > >> to the share. If you use
    > >> >three top shares then give administrators full control
    > >> and the appropriate group
    > >> >change control to each folder. Ntfs permissions are in
    > a
    > >> folders properties/security
    > >> >page. When you test results be sure to logon as a user
    > >> and not as an administrator
    > >> >and log off and back on after a change to share or ntfs
    > >> permissions. For a network
    > >> >users, their permission to a share will be the most
    > >> restrictive of either the share
    > >> >or ntfs permissions. The link below may help. ---
    > Steve
    > >> >
    > >> >http://support.microsoft.com/default.aspx?kbid=300691
    > >> >
    > >> >"jmos" <anonymous@discussions.microsoft.com> wrote in
    > >> message
    > >> >news:c31101c47a3a$5130eff0$a301280a@phx.gbl...
    > >> >> Can some explain (simply) how Share, folder and sub
    > >> folder
    > >> >> permissions work because evrything I do in my domain
    > >> >> simply does not work?
    > >> >>
    > >> >> All users have access to everything regardless of
    > what
    > >> >> permissions I set.
    > >> >>
    > >> >> I leave the network for up to and hour, log on as a
    > test
    > >> >> user and they still have access to everthing even
    > >> though I
    > >> >> specify access to only a select no. of shares.
    > >> >>
    > >> >> Currently I have a share - SHARE A with Subfolders
    > SB1-
    > >> >> SB3.
    > >> >>
    > >> >> Each SB folder is a project which only a select few
    > can
    > >> >> have access to.
    > >> >>
    > >> >> If I have groups GP1 -3 for each SB folder what
    > >> >> permissions should I have for:
    > >> >>
    > >> >> 1. the Share
    > >> >> 2. the Share folder (Security)
    > >> >> 3. the SB folders in the share.
    > >> >>
    > >> >> Hope someone can help.
    > >> >>
    > >> >> TIA.
    > >> >
    > >> >
    > >> >.
    > >> >
    > >
    > >
    > >.
    > >
  9. Archived from groups: microsoft.public.win2000.security (More info?)

    Thank you Andrew it worked first time.

    The share permissions are misleading and I'm not sure that having both share
    and NTFS is worth it.

    Beyond your advice, where the changes did not work, the result was achieved
    by removing the share and NTFS permissions and then re establishing
    everything again. This seems to *unclogg* the securities and re establish
    with new ones.

    Thank you though.

    "Andrew Mitchell" wrote:

    > "jmos" <anonymous@discussions.microsoft.com> said
    >
    > > Thank you Steven
    > > Yes I am including the NTFS Permissions.
    > >
    > > What I'm doing is this:
    > >
    > > 1. Create a group (Share Group) and and GP 1-3 to it.
    > >
    > > Share Permissions -> Domain Admin -> Full Control
    > > -> Share Group -> Change
    > >
    > > Share NTFS -> Domain Admin -> Full Control
    > > -> Share Group -> Modify (Special)
    > >
    > > Share Sub folders no Inheritance
    > >
    > > Share Sub Folder 1-> Domain Admin -> Full Control
    > > NTFS -> Group1 -> Modify (Special)
    > >
    > > Share Sub Folder 2-> Domain Admin -> Full Control
    > > NTFS -> Group2 -> Modify (Special)
    > >
    > > Share Sub Folder 3-> Domain Admin -> Full Control
    > > NTFS -> Group3 -> Modify (Special)
    > >
    > > User Joe appears only in Group1
    > > User Mary appears in Group 1 and 3
    > >
    > > Now my understanding is that for user Joe they would get
    > > the most restrictive of both the Share and the NTFS of the
    > > share AND that the NTFS of the Sub Folder overrides the
    > > securities of the forementioned i.e only access to Share
    > > Sub folder 1. The same would apply to User Mary i.e access
    > > to only Sub Folders 1 and 3 not 2.
    > >
    > > Am I right in saying this?
    > >
    > > If so why is this not currently working in my domain and
    > > what else should I do or be looking for?
    > >
    >
    > Make it easy on yourself and forget about the share permissions. Set them to
    > full access for everyone and use NTFS permissions to lock down the level of
    > access you want.
    >
    > Create your root directory, share it and set the share permissions to full
    > control for everyone. You don't need to share each folder individually. The
    > users and admins can access them through \\server\share\folder1 , \\server
    > \share\folder2 etc.
    > Next click the 'Security' tab (this is where you set the NTFS permissions)
    > and give the Domain Admins group full control and the Everyone read and
    > execute permissions (this will put ticks in a few other boxes, which is
    > normal). If the check boxes are greyed out you will need to click the
    > 'Advanced' button and disable inheritance.
    >
    > For each of the sub folders, set the NTFS permissions to 'Modify' for the
    > groups you want to have access to that folder and 'Full control' for Domain
    > Admins. Make sure the 'Everyone' group is not listed as having any
    > permissions.
    >
    > Using share permissions just confuses everyone involved (which is what I
    > think you've managed to do to yourself ;-) ) and also provides a false sense
    > of security.
    > You may think that you have set the share permissions OK but there could be
    > another share higher up the directory structure that will give users full
    > access if the NTFS permissions are not right. NTFS permissions can bypass
    > share permissions if you don't access the directory via a particular share.
    > Share level permissions can *never* over-ride NTFS permissions.
    > Much better to set the permissions at the file system level. That way there
    > can be no mistakes.
    >
    > --
    > Andy.
    >
  10. Archived from groups: microsoft.public.win2000.security (More info?)

    "=?Utf-8?B?am1vcw==?=" <jmos@discussions.microsoft.com> said

    > Thank you Andrew it worked first time.
    >

    No probs.

    > The share permissions are misleading and I'm not sure that having both
    > share and NTFS is worth it.
    >

    They're not only misleading, but can be downright dangerous.

    Suppose I create a directory, share it as 'dir1' and set NTFS and share
    permissions to full access for everyone.
    Another admin comes along later and creates a subdirectory of my directory,
    sharing it as 'dir2'. Wanting to secure their directory they set the share
    permissions to full access for only the domain admins group, not knowing that
    I have created a higher level share.

    That admin has done this thinking that only domain admins can now get to this
    directory, which is only true if it's accessed through \\server\dir2. Non
    domain admins will be prevented from doing this, but *any* user can browse to
    \\server\dir1\dir2 with no problems at all.
    It becomes even worse when DFS becomes involved as you have absolutely no
    idea what servers the other shares exist on.

    Setting the permissions at the NTFS level is as close to fool-proof as you
    can get. I am yet to see a situation where share level permissions are
    required (with the exception of FAT32 volumes which, IMHO, is a huge no-no
    anyway).

    --
    Andy
Ask a new question

Read More

Security Permissions Windows