Archived from groups: microsoft.public.win2000.security
Thanks for all the help Steve.
On Mon, 01 Nov 2004 16:50:02 GMT, "Steven L Umbach"
<n9rou@n0-spam-for-me-comcast.net> wrote:
>A user will have the most permissive NTFS permissions applied based on group
>membership unless deny permissions are assigned to the user either
>explicitly or via group membership in which case deny usually takes
>precedence though an explicit allow permission will override an inherited
>deny permission. You can remove creator owner from the permissions of the
>folder. For root folder you may need to do that in the advanced security
>page. -- Steve
>
>
>"Pat" <nobody@nobody.com> wrote in message
>news:kmoco01m1i2ivv88nl07rrg89anmjubadc@4ax.com...
>> It was picking up Full control permissions from creator owner. If a
>> user belongs to two groups, it is going to have least restrictive
>> permissions from both groups?
>>
>> On Fri, 29 Oct 2004 02:22:19 GMT, "Steven L Umbach"
>> <n9rou@n0-spam-for-me-comcast.net> wrote:
>>
>>>Apparently the test user has full control permissions in the parent
>>>folder?
>>>If you create a folder and do not want to use inherited permissions go into
>>>the advanced page for security and uncheck inherit permissions from the
>>>parent folder at which time you will be prompted to either remove or copy
>>>existing permissions. When checking permissions on the parent folder also
>>>check advanced permissions to see if the user has permissions there also
>>>which may not be apparent from the main security page. --- Steve
>>>
>>>
>>>"Pat" <nobody@nobody.com> wrote in message
>>>news:95m1o05hfi9v4l2h4ft2p7vlh0le0gj17v@4ax.com...
>>>> The share is on my DC, my test user had local Admin rights on the WS.
>>>> I removed the test user from the local Admin group and logged off and
>>>> on. I can create a folder on the share. It gives the user group R and
>>>> the test user Full control inherited from the parent folder. On the
>>>> share on the DC, I have Share permissions= Full control and R for the
>>>> test group. How is the test user inheriting full permissions?
>>>>
>>>> On Wed, 27 Oct 2004 18:55:51 GMT, "Steven L Umbach"
>>>> <n9rou@n0-spam-for-me-comcast.net> wrote:
>>>>
>>>>>I think your problem may be that the user you are testing with is a local
>>>>>administrator on the computer where the share exists. The administrators
>>>>>group may have full control permissions to the folder. Try removing your
>>>>>test user from the local administrators group and try again after logging
>>>>>off and logging back on. If the creator/owner is present, the user that
>>>>>creates the file will receive those permissions which usually are full
>>>>>control.
>>>>>
>>>>>To create a share where you want users to only read files give the users
>>>>>group only read permissions to the share and read/list for ntfs folder
>>>>>permissions and make sure the users are not members of another group that
>>>>>has more than read permissions to the share/folder. --- Steve
>>>>>
>>>>>
>>>>>"Pat" <nobody@nobody.com> wrote in message
>>>>>news:qjgvn0pq346u0i8qem51j089k5iopghplk@4ax.com...
>>>>>> If I set up a share called share2 with full share permissions and add a
>>>>>> group called testgroup and put a user called test in that group and
>>>>>> give the group R permissions on the folder. I then logon at a WS with
>>>>>> the user Test who is a domain user default rights on the domain and
>>>>>> administrative rights on the WS, I have Read rights on any
>>>>>> folders\files that were created by the admin on the server in share2.
>>>>>> I cannot delete these. I can create a file and in the NTFS permissions
>>>>>> I have Read rights on the testgroup group and it also puts in the test
>>>>>> user with full rights. Where do the full rights come from? If I just
>>>>>> want a share that users can only read, not write or modify how can I
>>>>>> do that?
>>>>>> On Wed, 27 Oct 2004 10:05:31 -0400, Pat <nobody@nobody.com> wrote:
>>>>>>
>>>>>>>I have set up a similar setup, with a new share with default
>>>>>>>permissions in W3K (read). Add a test user with R X L R ntfs
>>>>>>>permissions. I logon with a workstation on that domain as test user
>>>>>>>and try to create a folder and file in the share with no success. If I
>>>>>>>add change to the share permissions I can create a folder and file in
>>>>>>>the share. I thought the least restrictive permissions were applied
>>>>>>>between shares and NTFS?
>>>>>>>On Wed, 27 Oct 2004 03:37:51 GMT, "Steven L Umbach"
>>>>>>><n9rou@n0-spam-for-me-comcast.net> wrote:
>>>>>>>
>>>>>>>>You show that users have read/list permissions to that folder. Since you
>>>>>>>>are in a domain, that is enough to allow another domain user to access
>>>>>>>>the folder from another domain computer. --- Steve
>>>>>>>>
>>>>>>>>"Patrick Saunders" <psaunder@comcen.com.au> wrote in message
>>>>>>>>news:7bfe00fe.0410261755.11d2fffa@posting.google.com...
>>>>>>>>> Hi,
>>>>>>>>> I apologise in advance if this is the wrong newsgroup - I could not
>>>>>>>>> find one for win2003.
>>>>>>>>>
>>>>>>>>> Scenario:
>>>>>>>>>
>>>>>>>>> I have small test domain with couple of machines.
>>>>>>>>>
>>>>>>>>> 1. On a member win2003 server machine '2K3Client' I created folder
>>>>>>>>> "c:\ShareA"
>>>>>>>>> 2. I shared folder "ShareA", with default permissions.
>>>>>>>>>
>>>>>>>>> This shows permissions as such:
>>>>>>>>>
>>>>>>>>> Share permissions
>>>>>>>>> =================
>>>>>>>>> Everyone - Read
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> NTFS Security permissions
>>>>>>>>> ==========================
>>>>>>>>> Administrators(2K3Client\Administrators) - Full
>>>>>>>>> SYSTEM - Full
>>>>>>>>> Users (2K3Client\Users) - Read,List, Special.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Question:
>>>>>>>>> ------------
>>>>>>>>> I log into another machine as a test user, with no special
>>>>>>>>> privileges.
>>>>>>>>> I can navigate to the share "ShareA" on Machine "2k3Client" AND I
>>>>>>>>> can view the contents of that folder.
>>>>>>>>>
>>>>>>>>> I do not understand why I can see contents of folder if there are
>>>>>>>>> no NTFS permissions to allow this? Can someone please explain?
>>>>>>>>>
>>>>>>>>> Many thanks in advance,
>>>>>>>>>
>>>>>>>>> Patrick.
>>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
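
Added example, not part of the original thread: a simplified Python model of the rules discussed above (permissions combine across groups, deny ordering, explicit ACEs evaluated before inherited ones, share and NTFS permissions both applying over the network, and CREATOR OWNER being replaced by the creating user on new objects). The function names, the three-bit rights mask and the ACLs are constructed for illustration and mirror the share2 scenario only loosely; real inheritance has more flags than this model.

```python
# Simplified model of Windows access evaluation; all ACLs below are constructed.
READ, WRITE, DELETE = 1, 2, 4
FULL = READ | WRITE | DELETE

def ace(sid, kind, mask, inherited=False):
    return {"sid": sid, "type": kind, "mask": mask, "inherited": inherited}

def canonical(acl):
    """Explicit ACEs before inherited ones; deny before allow within each."""
    return sorted(acl, key=lambda a: (a["inherited"], a["type"] != "deny"))

def ntfs_access(acl, sids):
    """Each right is decided by the first matching ACE that mentions it."""
    granted = decided = 0
    for a in canonical(acl):
        if a["sid"] not in sids:
            continue
        new_bits = a["mask"] & ~decided
        if a["type"] == "allow":
            granted |= new_bits
        decided |= new_bits
    return granted

def effective_over_share(share_acl, ntfs_acl, sids):
    """Over the network the user gets only what both layers allow."""
    return ntfs_access(share_acl, sids) & ntfs_access(ntfs_acl, sids)

def inherit_to_child(parent_acl, creator_sid):
    """Simplified inheritance: CREATOR OWNER becomes the creating user's SID."""
    return [ace(creator_sid if a["sid"] == "CREATOR OWNER" else a["sid"],
                a["type"], a["mask"], inherited=True) for a in parent_acl]

# Constructed data mirroring the share2 scenario in the thread.
SIDS = {"test", "testgroup", "Everyone"}
SHARE_FULL = [ace("Everyone", "allow", FULL)]
SHARE_READ = [ace("Everyone", "allow", READ)]
PARENT = [ace("Administrators", "allow", FULL),
          ace("testgroup", "allow", READ),
          ace("CREATOR OWNER", "allow", FULL)]

if __name__ == "__main__":
    child = inherit_to_child(PARENT, "test")
    print("parent via full share:", effective_over_share(SHARE_FULL, PARENT, SIDS))
    print("own folder via full share:", effective_over_share(SHARE_FULL, child, SIDS))
    print("own folder via read share:", effective_over_share(SHARE_READ, child, SIDS))
```

Removing the CREATOR OWNER entry from `PARENT` leaves the test user with read only on folders it creates, and switching to `SHARE_READ` caps network access at read regardless of the NTFS ACL.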