While I agree with using NTFS permissions to control access to folders and
files in a shared folder and setting Share Permissions to Everyone (or
Authenticated Users if you prefer) Full Control, you might want to review
the example in your second paragraph.

Share Permissions work the same way that NTFS permissions do - they are
additive - a given user gets the sum of all the permissions granted to them
by all the groups they are members of, not the least permission as you
stated (assuming I understand what you said correctly). With Share
permissions, there are only three possibilities, so the situation is simple:

- if the user is a member of a group that is granted Share Permission of
  Full Control or Change, then, if the NTFS permissions grant them Modify,
  they will be able to change things in the share regardless of what other
  groups they may be members of that only have Share Permissions of Read. The
  only thing that changes this is if there is a "Deny" permission setting
  anywhere - Deny always takes precedence over any Allow permissions.

As far as I'm aware, this has always been the case and is unlikely to change
in the future.

I'm not sure what "Andrew"'s problem was caused by, but perhaps there is a
communication/terminology issue and the following steps will clarify things
for him.

Try this:
On an XP SP2 computer that is a domain member (e.g. XPSP2), log on with an
administrative user account
1. open Windows Explorer and create a new Folder (e.g. c:\Test) in a
   convenient place
2. right click the folder, select Sharing and Security...; on the Sharing
   tab
   a. select the Share this folder radio button
   b. click Permissions
   c. observe that the Share Permissions (default) are Everyone - Read - as
      expected for XP SP2
   d. click Cancel
3. select the Security tab
4. set the permissions to:
   - Administrators - Full Control
   - SYSTEM - Full Control
   - Users - Modify
   click OK; (saves the changes and closes the Properties dialog)

I'm assuming that the local Users group on this computer (XPSP2) contains at
least some domain user accounts (e.g. brucen) - the default is Domain Users
(as it has been forever)

On another computer in the same domain (e.g. XPTest), log on with a domain
user account that is also a member of the local Users group of the first
computer (e.g. brucen)
5. in Start, Run, key \\xpsp2\test
6. observe that Windows Explorer opens showing the Test folder associated
   with the Test share - this folder is currently empty
7. attempt to create a file or a folder or both - this fails - access is
   denied

On the first computer (e.g. XPSP2):
8. right click the shared folder (e.g. c:\test), select Sharing and
   Security...; on the Sharing tab
   a. click Permissions
   b. click Add
   c. add a domain group that contains the user account you logged on at
      the second computer with (e.g. Domain Users), and grant that group Full
      Control.
   d. the Share Permissions will now look like:
      Everyone - Read
      Domain Users - Full Control
   e. click OK

On the second computer (e.g. XPTest):
9. add a file through the share - works
10. add a folder through the share - works

The above was just to test the theory - normally I would just add Full
Control to Everyone in the Share Permissions.
--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
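
The evaluation that the steps in the message above exercise, as an added Python model that is not part of the original post: Allow entries are summed across the user's groups, a matching Deny removes access, and access through the share is the overlap of the share result and the NTFS result. The bit values, function names and the `Temps` group are constructed for the example; Windows itself evaluates ordered ACEs against access masks, so this is a simplification.

```python
# Simplified model of share + NTFS evaluation; bit values are constructed.
READ, WRITE, ADMIN = 1, 2, 4

LEVELS = {
    "Read": READ,
    "Change": READ | WRITE,            # share permission
    "Modify": READ | WRITE,            # NTFS permission
    "Full Control": READ | WRITE | ADMIN,
}

def granted(acl, groups):
    """Sum the Allow entries matching the user's groups, then remove
    whatever a matching Deny entry names (Deny beats Allow)."""
    allow = deny = 0
    for kind, trustee, level in acl:
        if trustee not in groups:
            continue
        if kind == "allow":
            allow |= LEVELS[level]
        elif kind == "deny":
            deny |= LEVELS[level]
        else:
            raise ValueError(f"unknown ACE type: {kind}")
    return allow & ~deny

def effective(share_acl, ntfs_acl, groups):
    """Access over the network must pass both the share ACL and the NTFS ACL."""
    return granted(share_acl, groups) & granted(ntfs_acl, groups)

def can_write(share_acl, ntfs_acl, groups):
    return bool(effective(share_acl, ntfs_acl, groups) & WRITE)

# ACLs from the walkthrough (folder c:/Test shared as Test on XPSP2).
NTFS = [("allow", "Administrators", "Full Control"),
        ("allow", "SYSTEM", "Full Control"),
        ("allow", "Users", "Modify")]
SHARE_DEFAULT = [("allow", "Everyone", "Read")]                    # step 2c
SHARE_STEP8 = SHARE_DEFAULT + [("allow", "Domain Users", "Full Control")]
BRUCEN = {"Everyone", "Users", "Domain Users"}   # groups in brucen's token

# Constructed Deny case: "Temps" is a hypothetical group, not from the post.
SHARE_DENY = SHARE_STEP8 + [("deny", "Temps", "Change")]

if __name__ == "__main__":
    print("step 7 write allowed: ", can_write(SHARE_DEFAULT, NTFS, BRUCEN))
    print("step 9 write allowed: ", can_write(SHARE_STEP8, NTFS, BRUCEN))
    print("with Deny on Temps:   ", can_write(SHARE_DENY, NTFS, BRUCEN | {"Temps"}))
```
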
"Paul in Detroit" <PaulG@yahoo.com> wrote in message
news:uXnwJoVyHHA.5584@TK2MSFTNGP02.phx.gbl...
> SBS Rocker,
> I do agree with you because I consider myself a throwback from the old NT
> days and that is the way I have always done it and consider to be the
> industry best practices method. Also the link you provided Dragos confirms
> the industry best practices. That said I do believe you may be a bit harsh
> in explaining it to Dragos. This NG is here to assist and help those who
> post questions and issues and not to belittle and discourage others
> because of their lack of knowledge or experience.
>
> Dragos,
> SBS Rocker is correct and the reason being is because of how Share
> permissions "supersede" NTFS permissions with the "most restrictive"
> access. In your case I think you are trying to secure your folder access
> using the Share permissions. If you do this you will find yourself doing
> more administrative work than necessary. The reason your users cannot write
> to that folder even though you gave them FULL "NTFS" permissions is
> because of what resides in your Share permissions. You can give Joe Bob FULL
> share permissions and FULL NTFS permissions but that is not going to
> work as long as there is a group that includes Joe Bob in the Share
> permissions with lesser access. I'm assuming the group EVERYONE=Read is
> still in your share permissions. That is what is preventing Joe Bob from
> writing to that folder because share permissions will allow the most
> restrictive access overriding his FULL share permissions.
> Take SBS Rocker's advice. All you need at the Share level is Everyone or
> Authenticated Users = FULL. Control your security at the NTFS permissions.
>
>
> "SBS Rocker" <noreply@NoDomain.com> wrote in message
> news:eiFGQcVyHHA.276@TK2MSFTNGP06.phx.gbl...
>>A good article for those who don't understand how Shares work in
>>conjunction with NTFS permissions. Take note on the last paragraph.....
>>
>> http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1093198,00.html?FromTaxonomy=%2Fpr%2F286434
>>
>> "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message
>> news:CE8670EA-0F71-47A5-BE85-5132B7F7875C@microsoft.com...
>>> Hi,
>>> I don't agree with the best practices to give everyone full permissions on
>>> the share. Best practices is to check and add the groups proper there.
>>>
>>> --
>>> Dragos CAMARA
>>> MCSA Windows 2003 server
>>>
>>>
>>> "SBS Rocker" wrote:
>>>
>>>> I think I may know what your problems are. You say..........
>>>>
>>>> "I gave the user Full Control NTFS AND Folder Share permissions."
>>>> Is the group Everyone=READ on the Share permissions still there? If so
>>>> you need to remove the user=FULL and change Everyone=FULL on the share
>>>> permissions. No need to add a user to the share permissions and give him
>>>> FULL access. By industry best practices when creating a Share the default
>>>> would be Everyone=FULL.
>>>>
>>>>
>>>> "Andrew" <Andrew@discussions.microsoft.com> wrote in message
>>>> news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com...
>>>> > I gave the user Full Control NTFS AND Folder Share permissions.
>>>> >
>>>> > Even if I'm logged on as Administrator, I still can't push anything down,
>>>> > but I can pull files across without any issues.
>>>> >
>>>> > I'm stumped.
>>>> >
>>>> > "SBS Rocker" wrote:
>>>> >
>>>> >> What are the share permissions? When you say you gave the user FULL
>>>> >> control do you mean FULL NTFS permissions?
>>>> >>
>>>> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message
>>>> >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com...
>>>> >> > I shared a directory with one of our Windows 2003 servers and gave a
>>>> >> > user Full Control access to that directory. However, from his computer
>>>> >> > where he is logged on, he can't copy and paste anything to that
>>>> >> > directory. If he remote desktops into the server and logs on as
>>>> >> > himself, he can browse to another network share and pull the file over
>>>> >> > without any problems.
>>>> >> >
>>>> >> > I never had this problem in Windows 2000. How do I configure a
>>>> >> > directory on a Windows 2003 server so that people can "push" files to
>>>> >> > that folder without logging onto the server locally and "pulling" the
>>>> >> > files over?