Sign in with
Sign up | Sign in
Your question

Win 2003 - Share can be read with no NTFS permission?

Tags:
  • NTFS
  • Permissions
  • Windows
Last response: in Windows 2000/NT
Share
Anonymous
October 26, 2004 10:55:46 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,
I apoligise in advance if this is the wrong newsgroup - I could not
find one for win2003.

Scenario:

I have small test domain with couple of machines.

1. On a member win2003 server machine '2K3Client' I created folder
"c:\ShareA"
2. I shared folder "ShareA", with default permissions.

This shows permissions as such:

Share permissions
=================
Everyone - Read


NTFS Security permissions
==========================
Administrators(2K3Client\Administrators) - Full
SYSTEM - Full
Users (2K3Client\Users) - Read,List, Special.


Question:
------------
I log into another machine as a test user, with no special
privelleges.
I can navigate to the share "ShareA" on Machine "2k3Client" AND I can
view
the contents of that folder.

I do not understand why I can see contents of folder if there are no
NTFS permissions to allow this? Can someone please explain?

Many thanks in advance,

Patrick.

More about : win 2003 share read ntfs permission

Anonymous
October 27, 2004 7:37:51 AM

Archived from groups: microsoft.public.win2000.security (More info?)

You show that users have read/list permissions to that folder. Since you are
in a domain, that is enough to allow another domain user to access the
folder from another domain computer. --- Steve

"Patrick Saunders" <psaunder@comcen.com.au> wrote in message
news:7bfe00fe.0410261755.11d2fffa@posting.google.com...
> Hi,
> I apoligise in advance if this is the wrong newsgroup - I could not
> find one for win2003.
>
> Scenario:
>
> I have small test domain with couple of machines.
>
> 1. On a member win2003 server machine '2K3Client' I created folder
> "c:\ShareA"
> 2. I shared folder "ShareA", with default permissions.
>
> This shows permissions as such:
>
> Share permissions
> =================
> Everyone - Read
>
>
> NTFS Security permissions
> ==========================
> Administrators(2K3Client\Administrators) - Full
> SYSTEM - Full
> Users (2K3Client\Users) - Read,List, Special.
>
>
> Question:
> ------------
> I log into another machine as a test user, with no special
> privelleges.
> I can navigate to the share "ShareA" on Machine "2k3Client" AND I can
> view
> the contents of that folder.
>
> I do not understand why I can see contents of folder if there are no
> NTFS permissions to allow this? Can someone please explain?
>
> Many thanks in advance,
>
> Patrick.
October 27, 2004 2:05:31 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I have setup a similar setup, with a new share with default
permissions in W3K (read). Add a test user with R X L R ntfs
permissions. I logon with a workstation on that domain as test user
and try to create a folder and file in the share with no success. If I
add change to the share permissions I can create a folder and file in
the share. I thought the least restrictive permissions were applied
between shares and NTFS?
On Wed, 27 Oct 2004 03:37:51 GMT, "Steven L Umbach"
<n9rou@n0-spam-for-me-comcast.net> wrote:

>You show that users have read/list permissions to that folder. Since you are
>in a domain, that is enough to allow another domain user to access the
>folder from another domain computer. --- Steve
>
>"Patrick Saunders" <psaunder@comcen.com.au> wrote in message
>news:7bfe00fe.0410261755.11d2fffa@posting.google.com...
>> Hi,
>> I apoligise in advance if this is the wrong newsgroup - I could not
>> find one for win2003.
>>
>> Scenario:
>>
>> I have small test domain with couple of machines.
>>
>> 1. On a member win2003 server machine '2K3Client' I created folder
>> "c:\ShareA"
>> 2. I shared folder "ShareA", with default permissions.
>>
>> This shows permissions as such:
>>
>> Share permissions
>> =================
>> Everyone - Read
>>
>>
>> NTFS Security permissions
>> ==========================
>> Administrators(2K3Client\Administrators) - Full
>> SYSTEM - Full
>> Users (2K3Client\Users) - Read,List, Special.
>>
>>
>> Question:
>> ------------
>> I log into another machine as a test user, with no special
>> privelleges.
>> I can navigate to the share "ShareA" on Machine "2k3Client" AND I can
>> view
>> the contents of that folder.
>>
>> I do not understand why I can see contents of folder if there are no
>> NTFS permissions to allow this? Can someone please explain?
>>
>> Many thanks in advance,
>>
>> Patrick.
>
October 27, 2004 3:52:34 PM

Archived from groups: microsoft.public.win2000.security (More info?)

If I setup a sharecalled share2 with full share permissions and add a
group called testgroup and put a user called test in that group and
give the group R permissions on the folder. I then logon at a WS with
the user Test who is a domain user default rights on the domain and
administrative rights on the WS, I have Read rights on any
folders\files that were created by the admin on the server in share2.
I cannot delete these. I can create a file and in the NTFS permissions
I have Read rights on the testgroup group and it also puts in the test
user with full rights. where do the full rights come from. If I just
want a share that users can only read, not write or modify how can I
do that?
On Wed, 27 Oct 2004 10:05:31 -0400, Pat <nobody@nobody.com> wrote:

>I have setup a similar setup, with a new share with default
>permissions in W3K (read). Add a test user with R X L R ntfs
>permissions. I logon with a workstation on that domain as test user
>and try to create a folder and file in the share with no success. If I
>add change to the share permissions I can create a folder and file in
>the share. I thought the least restrictive permissions were applied
>between shares and NTFS?
>On Wed, 27 Oct 2004 03:37:51 GMT, "Steven L Umbach"
><n9rou@n0-spam-for-me-comcast.net> wrote:
>
>>You show that users have read/list permissions to that folder. Since you are
>>in a domain, that is enough to allow another domain user to access the
>>folder from another domain computer. --- Steve
>>
>>"Patrick Saunders" <psaunder@comcen.com.au> wrote in message
>>news:7bfe00fe.0410261755.11d2fffa@posting.google.com...
>>> Hi,
>>> I apoligise in advance if this is the wrong newsgroup - I could not
>>> find one for win2003.
>>>
>>> Scenario:
>>>
>>> I have small test domain with couple of machines.
>>>
>>> 1. On a member win2003 server machine '2K3Client' I created folder
>>> "c:\ShareA"
>>> 2. I shared folder "ShareA", with default permissions.
>>>
>>> This shows permissions as such:
>>>
>>> Share permissions
>>> =================
>>> Everyone - Read
>>>
>>>
>>> NTFS Security permissions
>>> ==========================
>>> Administrators(2K3Client\Administrators) - Full
>>> SYSTEM - Full
>>> Users (2K3Client\Users) - Read,List, Special.
>>>
>>>
>>> Question:
>>> ------------
>>> I log into another machine as a test user, with no special
>>> privelleges.
>>> I can navigate to the share "ShareA" on Machine "2k3Client" AND I can
>>> view
>>> the contents of that folder.
>>>
>>> I do not understand why I can see contents of folder if there are no
>>> NTFS permissions to allow this? Can someone please explain?
>>>
>>> Many thanks in advance,
>>>
>>> Patrick.
>>
Anonymous
October 27, 2004 10:55:51 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I think your problem may be that the user you are testing with is a local
administrator on the computer where the share exists. The administrators
group may have full control permissions to the folder. Try removing your
test user from the local administrators group and try again after logging
off and logging back on. If the creator/owner is present, the user that
creates the file will receive those permissions which usually are full
control.

To create a share where you want users to only read files give the users
group only read permissions to the share and read/list for ntfs folder
permissions and make sure the users are not members of another group that
has more than read permissions to the share/folder. --- Steve


"Pat" <nobody@nobody.com> wrote in message
news:qjgvn0pq346u0i8qem51j089k5iopghplk@4ax.com...
> If I setup a sharecalled share2 with full share permissions and add a
> group called testgroup and put a user called test in that group and
> give the group R permissions on the folder. I then logon at a WS with
> the user Test who is a domain user default rights on the domain and
> administrative rights on the WS, I have Read rights on any
> folders\files that were created by the admin on the server in share2.
> I cannot delete these. I can create a file and in the NTFS permissions
> I have Read rights on the testgroup group and it also puts in the test
> user with full rights. where do the full rights come from. If I just
> want a share that users can only read, not write or modify how can I
> do that?
> On Wed, 27 Oct 2004 10:05:31 -0400, Pat <nobody@nobody.com> wrote:
>
>>I have setup a similar setup, with a new share with default
>>permissions in W3K (read). Add a test user with R X L R ntfs
>>permissions. I logon with a workstation on that domain as test user
>>and try to create a folder and file in the share with no success. If I
>>add change to the share permissions I can create a folder and file in
>>the share. I thought the least restrictive permissions were applied
>>between shares and NTFS?
>>On Wed, 27 Oct 2004 03:37:51 GMT, "Steven L Umbach"
>><n9rou@n0-spam-for-me-comcast.net> wrote:
>>
>>>You show that users have read/list permissions to that folder. Since you
>>>are
>>>in a domain, that is enough to allow another domain user to access the
>>>folder from another domain computer. --- Steve
>>>
>>>"Patrick Saunders" <psaunder@comcen.com.au> wrote in message
>>>news:7bfe00fe.0410261755.11d2fffa@posting.google.com...
>>>> Hi,
>>>> I apoligise in advance if this is the wrong newsgroup - I could not
>>>> find one for win2003.
>>>>
>>>> Scenario:
>>>>
>>>> I have small test domain with couple of machines.
>>>>
>>>> 1. On a member win2003 server machine '2K3Client' I created folder
>>>> "c:\ShareA"
>>>> 2. I shared folder "ShareA", with default permissions.
>>>>
>>>> This shows permissions as such:
>>>>
>>>> Share permissions
>>>> =================
>>>> Everyone - Read
>>>>
>>>>
>>>> NTFS Security permissions
>>>> ==========================
>>>> Administrators(2K3Client\Administrators) - Full
>>>> SYSTEM - Full
>>>> Users (2K3Client\Users) - Read,List, Special.
>>>>
>>>>
>>>> Question:
>>>> ------------
>>>> I log into another machine as a test user, with no special
>>>> privelleges.
>>>> I can navigate to the share "ShareA" on Machine "2k3Client" AND I can
>>>> view
>>>> the contents of that folder.
>>>>
>>>> I do not understand why I can see contents of folder if there are no
>>>> NTFS permissions to allow this? Can someone please explain?
>>>>
>>>> Many thanks in advance,
>>>>
>>>> Patrick.
>>>
>
October 28, 2004 11:56:35 AM

Archived from groups: microsoft.public.win2000.security (More info?)

The share is on my DC, my test user had local Admin rights on the WS.
I removed the test user from the local Admin group and logged off and
on. I can create a folder on the share. It gives the user group R and
the test user Full control inherited from the parent folder. On the
share on the DC, I have Share permissions= Full control and R for the
test group. How is the test user inheriting full permissions?

On Wed, 27 Oct 2004 18:55:51 GMT, "Steven L Umbach"
<n9rou@n0-spam-for-me-comcast.net> wrote:

>I think your problem may be that the user you are testing with is a local
>administrator on the computer where the share exists. The administrators
>group may have full control permissions to the folder. Try removing your
>test user from the local administrators group and try again after logging
>off and logging back on. If the creator/owner is present, the user that
>creates the file will receive those permissions which usually are full
>control.
>
>To create a share where you want users to only read files give the users
>group only read permissions to the share and read/list for ntfs folder
>permissions and make sure the users are not members of another group that
>has more than read permissions to the share/folder. --- Steve
>
>
>"Pat" <nobody@nobody.com> wrote in message
>news:qjgvn0pq346u0i8qem51j089k5iopghplk@4ax.com...
>> If I setup a sharecalled share2 with full share permissions and add a
>> group called testgroup and put a user called test in that group and
>> give the group R permissions on the folder. I then logon at a WS with
>> the user Test who is a domain user default rights on the domain and
>> administrative rights on the WS, I have Read rights on any
>> folders\files that were created by the admin on the server in share2.
>> I cannot delete these. I can create a file and in the NTFS permissions
>> I have Read rights on the testgroup group and it also puts in the test
>> user with full rights. where do the full rights come from. If I just
>> want a share that users can only read, not write or modify how can I
>> do that?
>> On Wed, 27 Oct 2004 10:05:31 -0400, Pat <nobody@nobody.com> wrote:
>>
>>>I have setup a similar setup, with a new share with default
>>>permissions in W3K (read). Add a test user with R X L R ntfs
>>>permissions. I logon with a workstation on that domain as test user
>>>and try to create a folder and file in the share with no success. If I
>>>add change to the share permissions I can create a folder and file in
>>>the share. I thought the least restrictive permissions were applied
>>>between shares and NTFS?
>>>On Wed, 27 Oct 2004 03:37:51 GMT, "Steven L Umbach"
>>><n9rou@n0-spam-for-me-comcast.net> wrote:
>>>
>>>>You show that users have read/list permissions to that folder. Since you
>>>>are
>>>>in a domain, that is enough to allow another domain user to access the
>>>>folder from another domain computer. --- Steve
>>>>
>>>>"Patrick Saunders" <psaunder@comcen.com.au> wrote in message
>>>>news:7bfe00fe.0410261755.11d2fffa@posting.google.com...
>>>>> Hi,
>>>>> I apoligise in advance if this is the wrong newsgroup - I could not
>>>>> find one for win2003.
>>>>>
>>>>> Scenario:
>>>>>
>>>>> I have small test domain with couple of machines.
>>>>>
>>>>> 1. On a member win2003 server machine '2K3Client' I created folder
>>>>> "c:\ShareA"
>>>>> 2. I shared folder "ShareA", with default permissions.
>>>>>
>>>>> This shows permissions as such:
>>>>>
>>>>> Share permissions
>>>>> =================
>>>>> Everyone - Read
>>>>>
>>>>>
>>>>> NTFS Security permissions
>>>>> ==========================
>>>>> Administrators(2K3Client\Administrators) - Full
>>>>> SYSTEM - Full
>>>>> Users (2K3Client\Users) - Read,List, Special.
>>>>>
>>>>>
>>>>> Question:
>>>>> ------------
>>>>> I log into another machine as a test user, with no special
>>>>> privelleges.
>>>>> I can navigate to the share "ShareA" on Machine "2k3Client" AND I can
>>>>> view
>>>>> the contents of that folder.
>>>>>
>>>>> I do not understand why I can see contents of folder if there are no
>>>>> NTFS permissions to allow this? Can someone please explain?
>>>>>
>>>>> Many thanks in advance,
>>>>>
>>>>> Patrick.
>>>>
>>
>
Anonymous
October 29, 2004 6:22:19 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Apparently the test user has full control permissions in the parent folder?
If you create a folder and do not want to use inherited permissions go into
the advanced page for security and uncheck inherit permissions form the
parent folder at which time you will be prompted to either remove or copy
existing permissions. When checking permissions on the parent folder also
check advanced permissions to see if the user has permissions there also
which may not be apparent from the main security page.. --- Steve


"Pat" <nobody@nobody.com> wrote in message
news:95m1o05hfi9v4l2h4ft2p7vlh0le0gj17v@4ax.com...
> The share is on my DC, my test user had local Admin rights on the WS.
> I removed the test user from the local Admin group and logged off and
> on. I can create a folder on the share. It gives the user group R and
> the test user Full control inherited from the parent folder. On the
> share on the DC, I have Share permissions= Full control and R for the
> test group. How is the test user inheriting full permissions?
>
> On Wed, 27 Oct 2004 18:55:51 GMT, "Steven L Umbach"
> <n9rou@n0-spam-for-me-comcast.net> wrote:
>
>>I think your problem may be that the user you are testing with is a local
>>administrator on the computer where the share exists. The administrators
>>group may have full control permissions to the folder. Try removing your
>>test user from the local administrators group and try again after logging
>>off and logging back on. If the creator/owner is present, the user that
>>creates the file will receive those permissions which usually are full
>>control.
>>
>>To create a share where you want users to only read files give the users
>>group only read permissions to the share and read/list for ntfs folder
>>permissions and make sure the users are not members of another group that
>>has more than read permissions to the share/folder. --- Steve
>>
>>
>>"Pat" <nobody@nobody.com> wrote in message
>>news:qjgvn0pq346u0i8qem51j089k5iopghplk@4ax.com...
>>> If I setup a sharecalled share2 with full share permissions and add a
>>> group called testgroup and put a user called test in that group and
>>> give the group R permissions on the folder. I then logon at a WS with
>>> the user Test who is a domain user default rights on the domain and
>>> administrative rights on the WS, I have Read rights on any
>>> folders\files that were created by the admin on the server in share2.
>>> I cannot delete these. I can create a file and in the NTFS permissions
>>> I have Read rights on the testgroup group and it also puts in the test
>>> user with full rights. where do the full rights come from. If I just
>>> want a share that users can only read, not write or modify how can I
>>> do that?
>>> On Wed, 27 Oct 2004 10:05:31 -0400, Pat <nobody@nobody.com> wrote:
>>>
>>>>I have setup a similar setup, with a new share with default
>>>>permissions in W3K (read). Add a test user with R X L R ntfs
>>>>permissions. I logon with a workstation on that domain as test user
>>>>and try to create a folder and file in the share with no success. If I
>>>>add change to the share permissions I can create a folder and file in
>>>>the share. I thought the least restrictive permissions were applied
>>>>between shares and NTFS?
>>>>On Wed, 27 Oct 2004 03:37:51 GMT, "Steven L Umbach"
>>>><n9rou@n0-spam-for-me-comcast.net> wrote:
>>>>
>>>>>You show that users have read/list permissions to that folder. Since
>>>>>you
>>>>>are
>>>>>in a domain, that is enough to allow another domain user to access the
>>>>>folder from another domain computer. --- Steve
>>>>>
>>>>>"Patrick Saunders" <psaunder@comcen.com.au> wrote in message
>>>>>news:7bfe00fe.0410261755.11d2fffa@posting.google.com...
>>>>>> Hi,
>>>>>> I apoligise in advance if this is the wrong newsgroup - I could not
>>>>>> find one for win2003.
>>>>>>
>>>>>> Scenario:
>>>>>>
>>>>>> I have small test domain with couple of machines.
>>>>>>
>>>>>> 1. On a member win2003 server machine '2K3Client' I created folder
>>>>>> "c:\ShareA"
>>>>>> 2. I shared folder "ShareA", with default permissions.
>>>>>>
>>>>>> This shows permissions as such:
>>>>>>
>>>>>> Share permissions
>>>>>> =================
>>>>>> Everyone - Read
>>>>>>
>>>>>>
>>>>>> NTFS Security permissions
>>>>>> ==========================
>>>>>> Administrators(2K3Client\Administrators) - Full
>>>>>> SYSTEM - Full
>>>>>> Users (2K3Client\Users) - Read,List, Special.
>>>>>>
>>>>>>
>>>>>> Question:
>>>>>> ------------
>>>>>> I log into another machine as a test user, with no special
>>>>>> privelleges.
>>>>>> I can navigate to the share "ShareA" on Machine "2k3Client" AND I can
>>>>>> view
>>>>>> the contents of that folder.
>>>>>>
>>>>>> I do not understand why I can see contents of folder if there are no
>>>>>> NTFS permissions to allow this? Can someone please explain?
>>>>>>
>>>>>> Many thanks in advance,
>>>>>>
>>>>>> Patrick.
>>>>>
>>>
>>
>
November 1, 2004 2:24:14 PM

Archived from groups: microsoft.public.win2000.security (More info?)

It was picking up Full control permissions from creator owner. if a
user belongs to two groups,it is going to have least restrictive
permissons from both groups?

On Fri, 29 Oct 2004 02:22:19 GMT, "Steven L Umbach"
<n9rou@n0-spam-for-me-comcast.net> wrote:

>Apparently the test user has full control permissions in the parent folder?
>If you create a folder and do not want to use inherited permissions go into
>the advanced page for security and uncheck inherit permissions form the
>parent folder at which time you will be prompted to either remove or copy
>existing permissions. When checking permissions on the parent folder also
>check advanced permissions to see if the user has permissions there also
>which may not be apparent from the main security page.. --- Steve
>
>
>"Pat" <nobody@nobody.com> wrote in message
>news:95m1o05hfi9v4l2h4ft2p7vlh0le0gj17v@4ax.com...
>> The share is on my DC, my test user had local Admin rights on the WS.
>> I removed the test user from the local Admin group and logged off and
>> on. I can create a folder on the share. It gives the user group R and
>> the test user Full control inherited from the parent folder. On the
>> share on the DC, I have Share permissions= Full control and R for the
>> test group. How is the test user inheriting full permissions?
>>
>> On Wed, 27 Oct 2004 18:55:51 GMT, "Steven L Umbach"
>> <n9rou@n0-spam-for-me-comcast.net> wrote:
>>
>>>I think your problem may be that the user you are testing with is a local
>>>administrator on the computer where the share exists. The administrators
>>>group may have full control permissions to the folder. Try removing your
>>>test user from the local administrators group and try again after logging
>>>off and logging back on. If the creator/owner is present, the user that
>>>creates the file will receive those permissions which usually are full
>>>control.
>>>
>>>To create a share where you want users to only read files give the users
>>>group only read permissions to the share and read/list for ntfs folder
>>>permissions and make sure the users are not members of another group that
>>>has more than read permissions to the share/folder. --- Steve
>>>
>>>
>>>"Pat" <nobody@nobody.com> wrote in message
>>>news:qjgvn0pq346u0i8qem51j089k5iopghplk@4ax.com...
>>>> If I setup a sharecalled share2 with full share permissions and add a
>>>> group called testgroup and put a user called test in that group and
>>>> give the group R permissions on the folder. I then logon at a WS with
>>>> the user Test who is a domain user default rights on the domain and
>>>> administrative rights on the WS, I have Read rights on any
>>>> folders\files that were created by the admin on the server in share2.
>>>> I cannot delete these. I can create a file and in the NTFS permissions
>>>> I have Read rights on the testgroup group and it also puts in the test
>>>> user with full rights. where do the full rights come from. If I just
>>>> want a share that users can only read, not write or modify how can I
>>>> do that?
>>>> On Wed, 27 Oct 2004 10:05:31 -0400, Pat <nobody@nobody.com> wrote:
>>>>
>>>>>I have setup a similar setup, with a new share with default
>>>>>permissions in W3K (read). Add a test user with R X L R ntfs
>>>>>permissions. I logon with a workstation on that domain as test user
>>>>>and try to create a folder and file in the share with no success. If I
>>>>>add change to the share permissions I can create a folder and file in
>>>>>the share. I thought the least restrictive permissions were applied
>>>>>between shares and NTFS?
>>>>>On Wed, 27 Oct 2004 03:37:51 GMT, "Steven L Umbach"
>>>>><n9rou@n0-spam-for-me-comcast.net> wrote:
>>>>>
>>>>>>You show that users have read/list permissions to that folder. Since
>>>>>>you
>>>>>>are
>>>>>>in a domain, that is enough to allow another domain user to access the
>>>>>>folder from another domain computer. --- Steve
>>>>>>
>>>>>>"Patrick Saunders" <psaunder@comcen.com.au> wrote in message
>>>>>>news:7bfe00fe.0410261755.11d2fffa@posting.google.com...
>>>>>>> Hi,
>>>>>>> I apoligise in advance if this is the wrong newsgroup - I could not
>>>>>>> find one for win2003.
>>>>>>>
>>>>>>> Scenario:
>>>>>>>
>>>>>>> I have small test domain with couple of machines.
>>>>>>>
>>>>>>> 1. On a member win2003 server machine '2K3Client' I created folder
>>>>>>> "c:\ShareA"
>>>>>>> 2. I shared folder "ShareA", with default permissions.
>>>>>>>
>>>>>>> This shows permissions as such:
>>>>>>>
>>>>>>> Share permissions
>>>>>>> =================
>>>>>>> Everyone - Read
>>>>>>>
>>>>>>>
>>>>>>> NTFS Security permissions
>>>>>>> ==========================
>>>>>>> Administrators(2K3Client\Administrators) - Full
>>>>>>> SYSTEM - Full
>>>>>>> Users (2K3Client\Users) - Read,List, Special.
>>>>>>>
>>>>>>>
>>>>>>> Question:
>>>>>>> ------------
>>>>>>> I log into another machine as a test user, with no special
>>>>>>> privelleges.
>>>>>>> I can navigate to the share "ShareA" on Machine "2k3Client" AND I can
>>>>>>> view
>>>>>>> the contents of that folder.
>>>>>>>
>>>>>>> I do not understand why I can see contents of folder if there are no
>>>>>>> NTFS permissions to allow this? Can someone please explain?
>>>>>>>
>>>>>>> Many thanks in advance,
>>>>>>>
>>>>>>> Patrick.
>>>>>>
>>>>
>>>
>>
>
Anonymous
November 1, 2004 7:50:02 PM

Archived from groups: microsoft.public.win2000.security (More info?)

A user will have the most permissive NTFS permissions applied based on group
membership unless deny permissions are assigned to the user either
explicitly or via group membership in which case deny usually takes
precedence though an explicit allow permission will override an inherited
deny permission. You can remove creator owner from the permissions of the
folder. For root folder you may need to do that in the advanced security
page. -- Steve


"Pat" <nobody@nobody.com> wrote in message
news:kmoco01m1i2ivv88nl07rrg89anmjubadc@4ax.com...
> It was picking up Full control permissions from creator owner. if a
> user belongs to two groups,it is going to have least restrictive
> permissons from both groups?
>
> On Fri, 29 Oct 2004 02:22:19 GMT, "Steven L Umbach"
> <n9rou@n0-spam-for-me-comcast.net> wrote:
>
>>Apparently the test user has full control permissions in the parent
>>folder?
>>If you create a folder and do not want to use inherited permissions go
>>into
>>the advanced page for security and uncheck inherit permissions form the
>>parent folder at which time you will be prompted to either remove or copy
>>existing permissions. When checking permissions on the parent folder also
>>check advanced permissions to see if the user has permissions there also
>>which may not be apparent from the main security page.. --- Steve
>>
>>
>>"Pat" <nobody@nobody.com> wrote in message
>>news:95m1o05hfi9v4l2h4ft2p7vlh0le0gj17v@4ax.com...
>>> The share is on my DC, my test user had local Admin rights on the WS.
>>> I removed the test user from the local Admin group and logged off and
>>> on. I can create a folder on the share. It gives the user group R and
>>> the test user Full control inherited from the parent folder. On the
>>> share on the DC, I have Share permissions= Full control and R for the
>>> test group. How is the test user inheriting full permissions?
>>>
>>> On Wed, 27 Oct 2004 18:55:51 GMT, "Steven L Umbach"
>>> <n9rou@n0-spam-for-me-comcast.net> wrote:
>>>
>>>>I think your problem may be that the user you are testing with is a
>>>>local
>>>>administrator on the computer where the share exists. The administrators
>>>>group may have full control permissions to the folder. Try removing your
>>>>test user from the local administrators group and try again after
>>>>logging
>>>>off and logging back on. If the creator/owner is present, the user that
>>>>creates the file will receive those permissions which usually are full
>>>>control.
>>>>
>>>>To create a share where you want users to only read files give the users
>>>>group only read permissions to the share and read/list for ntfs folder
>>>>permissions and make sure the users are not members of another group
>>>>that
>>>>has more than read permissions to the share/folder. --- Steve
>>>>
>>>>
>>>>"Pat" <nobody@nobody.com> wrote in message
>>>>news:qjgvn0pq346u0i8qem51j089k5iopghplk@4ax.com...
>>>>> If I setup a sharecalled share2 with full share permissions and add a
>>>>> group called testgroup and put a user called test in that group and
>>>>> give the group R permissions on the folder. I then logon at a WS with
>>>>> the user Test who is a domain user default rights on the domain and
>>>>> administrative rights on the WS, I have Read rights on any
>>>>> folders\files that were created by the admin on the server in share2.
>>>>> I cannot delete these. I can create a file and in the NTFS permissions
>>>>> I have Read rights on the testgroup group and it also puts in the test
>>>>> user with full rights. where do the full rights come from. If I just
>>>>> want a share that users can only read, not write or modify how can I
>>>>> do that?
>>>>> On Wed, 27 Oct 2004 10:05:31 -0400, Pat <nobody@nobody.com> wrote:
>>>>>
>>>>>>I have setup a similar setup, with a new share with default
>>>>>>permissions in W3K (read). Add a test user with R X L R ntfs
>>>>>>permissions. I logon with a workstation on that domain as test user
>>>>>>and try to create a folder and file in the share with no success. If I
>>>>>>add change to the share permissions I can create a folder and file in
>>>>>>the share. I thought the least restrictive permissions were applied
>>>>>>between shares and NTFS?
>>>>>>On Wed, 27 Oct 2004 03:37:51 GMT, "Steven L Umbach"
>>>>>><n9rou@n0-spam-for-me-comcast.net> wrote:
>>>>>>
>>>>>>>You show that users have read/list permissions to that folder. Since
>>>>>>>you
>>>>>>>are
>>>>>>>in a domain, that is enough to allow another domain user to access
>>>>>>>the
>>>>>>>folder from another domain computer. --- Steve
>>>>>>>
>>>>>>>"Patrick Saunders" <psaunder@comcen.com.au> wrote in message
>>>>>>>news:7bfe00fe.0410261755.11d2fffa@posting.google.com...
>>>>>>>> Hi,
>>>>>>>> I apoligise in advance if this is the wrong newsgroup - I could not
>>>>>>>> find one for win2003.
>>>>>>>>
>>>>>>>> Scenario:
>>>>>>>>
>>>>>>>> I have small test domain with couple of machines.
>>>>>>>>
>>>>>>>> 1. On a member win2003 server machine '2K3Client' I created folder
>>>>>>>> "c:\ShareA"
>>>>>>>> 2. I shared folder "ShareA", with default permissions.
>>>>>>>>
>>>>>>>> This shows permissions as such:
>>>>>>>>
>>>>>>>> Share permissions
>>>>>>>> =================
>>>>>>>> Everyone - Read
>>>>>>>>
>>>>>>>>
>>>>>>>> NTFS Security permissions
>>>>>>>> ==========================
>>>>>>>> Administrators(2K3Client\Administrators) - Full
>>>>>>>> SYSTEM - Full
>>>>>>>> Users (2K3Client\Users) - Read,List, Special.
>>>>>>>>
>>>>>>>>
>>>>>>>> Question:
>>>>>>>> ------------
>>>>>>>> I log into another machine as a test user, with no special
>>>>>>>> privelleges.
>>>>>>>> I can navigate to the share "ShareA" on Machine "2k3Client" AND I
>>>>>>>> can
>>>>>>>> view
>>>>>>>> the contents of that folder.
>>>>>>>>
>>>>>>>> I do not understand why I can see contents of folder if there are
>>>>>>>> no
>>>>>>>> NTFS permissions to allow this? Can someone please explain?
>>>>>>>>
>>>>>>>> Many thanks in advance,
>>>>>>>>
>>>>>>>> Patrick.
>>>>>>>
>>>>>
>>>>
>>>
>>
>
November 3, 2004 9:12:29 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Thanks for all the help Steve.

On Mon, 01 Nov 2004 16:50:02 GMT, "Steven L Umbach"
<n9rou@n0-spam-for-me-comcast.net> wrote:

>A user will have the most permissive NTFS permissions applied based on group
>membership unless deny permissions are assigned to the user either
>explicitly or via group membership in which case deny usually takes
>precedence though an explicit allow permission will override an inherited
>deny permission. You can remove creator owner from the permissions of the
>folder. For root folder you may need to do that in the advanced security
>page. -- Steve
>
>
>"Pat" <nobody@nobody.com> wrote in message
>news:kmoco01m1i2ivv88nl07rrg89anmjubadc@4ax.com...
>> It was picking up Full control permissions from creator owner. if a
>> user belongs to two groups,it is going to have least restrictive
>> permissons from both groups?
>>
>> On Fri, 29 Oct 2004 02:22:19 GMT, "Steven L Umbach"
>> <n9rou@n0-spam-for-me-comcast.net> wrote:
>>
>>>Apparently the test user has full control permissions in the parent
>>>folder?
>>>If you create a folder and do not want to use inherited permissions go
>>>into
>>>the advanced page for security and uncheck inherit permissions form the
>>>parent folder at which time you will be prompted to either remove or copy
>>>existing permissions. When checking permissions on the parent folder also
>>>check advanced permissions to see if the user has permissions there also
>>>which may not be apparent from the main security page.. --- Steve
>>>
>>>
>>>"Pat" <nobody@nobody.com> wrote in message
>>>news:95m1o05hfi9v4l2h4ft2p7vlh0le0gj17v@4ax.com...
>>>> The share is on my DC, my test user had local Admin rights on the WS.
>>>> I removed the test user from the local Admin group and logged off and
>>>> on. I can create a folder on the share. It gives the user group R and
>>>> the test user Full control inherited from the parent folder. On the
>>>> share on the DC, I have Share permissions= Full control and R for the
>>>> test group. How is the test user inheriting full permissions?
>>>>
>>>> On Wed, 27 Oct 2004 18:55:51 GMT, "Steven L Umbach"
>>>> <n9rou@n0-spam-for-me-comcast.net> wrote:
>>>>
>>>>>I think your problem may be that the user you are testing with is a
>>>>>local
>>>>>administrator on the computer where the share exists. The administrators
>>>>>group may have full control permissions to the folder. Try removing your
>>>>>test user from the local administrators group and try again after
>>>>>logging
>>>>>off and logging back on. If the creator/owner is present, the user that
>>>>>creates the file will receive those permissions which usually are full
>>>>>control.
>>>>>
>>>>>To create a share where you want users to only read files give the users
>>>>>group only read permissions to the share and read/list for ntfs folder
>>>>>permissions and make sure the users are not members of another group
>>>>>that
>>>>>has more than read permissions to the share/folder. --- Steve
>>>>>
>>>>>
>>>>>"Pat" <nobody@nobody.com> wrote in message
>>>>>news:qjgvn0pq346u0i8qem51j089k5iopghplk@4ax.com...
>>>>>> If I setup a sharecalled share2 with full share permissions and add a
>>>>>> group called testgroup and put a user called test in that group and
>>>>>> give the group R permissions on the folder. I then logon at a WS with
>>>>>> the user Test who is a domain user default rights on the domain and
>>>>>> administrative rights on the WS, I have Read rights on any
>>>>>> folders\files that were created by the admin on the server in share2.
>>>>>> I cannot delete these. I can create a file and in the NTFS permissions
>>>>>> I have Read rights on the testgroup group and it also puts in the test
>>>>>> user with full rights. where do the full rights come from. If I just
>>>>>> want a share that users can only read, not write or modify how can I
>>>>>> do that?
>>>>>> On Wed, 27 Oct 2004 10:05:31 -0400, Pat <nobody@nobody.com> wrote:
>>>>>>
>>>>>>>I have setup a similar setup, with a new share with default
>>>>>>>permissions in W3K (read). Add a test user with R X L R ntfs
>>>>>>>permissions. I logon with a workstation on that domain as test user
>>>>>>>and try to create a folder and file in the share with no success. If I
>>>>>>>add change to the share permissions I can create a folder and file in
>>>>>>>the share. I thought the least restrictive permissions were applied
>>>>>>>between shares and NTFS?
>>>>>>>On Wed, 27 Oct 2004 03:37:51 GMT, "Steven L Umbach"
>>>>>>><n9rou@n0-spam-for-me-comcast.net> wrote:
>>>>>>>
>>>>>>>>You show that users have read/list permissions to that folder. Since
>>>>>>>>you
>>>>>>>>are
>>>>>>>>in a domain, that is enough to allow another domain user to access
>>>>>>>>the
>>>>>>>>folder from another domain computer. --- Steve
>>>>>>>>
>>>>>>>>"Patrick Saunders" <psaunder@comcen.com.au> wrote in message
>>>>>>>>news:7bfe00fe.0410261755.11d2fffa@posting.google.com...
>>>>>>>>> Hi,
>>>>>>>>> I apoligise in advance if this is the wrong newsgroup - I could not
>>>>>>>>> find one for win2003.
>>>>>>>>>
>>>>>>>>> Scenario:
>>>>>>>>>
>>>>>>>>> I have small test domain with couple of machines.
>>>>>>>>>
>>>>>>>>> 1. On a member win2003 server machine '2K3Client' I created folder
>>>>>>>>> "c:\ShareA"
>>>>>>>>> 2. I shared folder "ShareA", with default permissions.
>>>>>>>>>
>>>>>>>>> This shows permissions as such:
>>>>>>>>>
>>>>>>>>> Share permissions
>>>>>>>>> =================
>>>>>>>>> Everyone - Read
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> NTFS Security permissions
>>>>>>>>> ==========================
>>>>>>>>> Administrators(2K3Client\Administrators) - Full
>>>>>>>>> SYSTEM - Full
>>>>>>>>> Users (2K3Client\Users) - Read,List, Special.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Question:
>>>>>>>>> ------------
>>>>>>>>> I log into another machine as a test user, with no special
>>>>>>>>> privelleges.
>>>>>>>>> I can navigate to the share "ShareA" on Machine "2k3Client" AND I
>>>>>>>>> can
>>>>>>>>> view
>>>>>>>>> the contents of that folder.
>>>>>>>>>
>>>>>>>>> I do not understand why I can see contents of folder if there are
>>>>>>>>> no
>>>>>>>>> NTFS permissions to allow this? Can someone please explain?
>>>>>>>>>
>>>>>>>>> Many thanks in advance,
>>>>>>>>>
>>>>>>>>> Patrick.
>>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
!