Re: Security and Sharing

Finally!! Somebody has explained this so that I can understand!! Thanks a
million Roger, it makes crystal clear sense now!!

"Roger Abell [MVP]" wrote:

A user must have both share level and filesystem level permissions if they
are to access over the network.
When they are logged in locally only the filesystem permissions are needed.
When they access over the network they can do anything that the filesystem
allows to them provided that the share level permissions are not less.
For example, your scenario had a couple of categories of users, but none
of them will be setting permissions, so they will not use permissions
greater
than change (i.e. full). If the filesystem set things so that your
categories of
accounts could do exactly and only what you want when logged in locally,
then granting them change at the share level would let them do everything
they are allowed at the filesystem (but nothing else as the filesystem will
not allow it). If at the share level you were to only give them read, then
even though the filesystem would let them do more they could not do any
more then read when the access is over the network.
The share level permissions set an upper limit on what can be done over
the network, provided that the filesystem allows it. The share level
permissions never cause an account to be able to do more than the
filesystem allows to the account.
In your scenario you want one category of account to be able to have
"read and file scan rights". I am not sure what you mean by the second.
If you want then to be able to read files and browse the folder structure
then you would grant then List and Read on the filesystem, and you
would grant them at least Read at the share level.
The other category is not quite as simple. If you had not say they
should not be able to delete then at the uppermost folder you could just
grant them List and grant them Modify Subfolders and Files (you need
to click advanced after you grant Modify in order to reduce it from
This folder, subfolders and files to just Subfolders and files)
In order for this category of user to use all of their filesystem perms
over the network they would need at least Change share level perms.
Now, you said they should not be able to delete. You can accomplish
that a couply ways. One is to use the advanced view of the filesystem
perms just described and remove the check mark on the deletes.
However this might not be what you expect as some things, like
renames, actually require delete.

Roger


"Rockitman" <Rockitman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:46041F0A-C954-498C-98E9-6142C28A2BEA@xxxxxxxxxxxxxxxx
I am trying very very hard to understand all of this and am failing
miserably.

I have a d: drive. I have created a folder called docs. I want group A
to have read and file scan rights to this folder and all of it's
subfolders.
I also have a user, who will be responsible for creating folders under
this
Docs folder, placing files in these folders, and possibly renaming them as
well as the folders themselves, in case she makes a mistake. I just don't
want her to have any delete rights.
So, with this scenario, can you please explain in detail how I would go
about doing this? Please explain in DETAIL. Do I need to create a
share?
Why?? "S. Pidgorny <MVP>" wrote:

There are also prmissions on file system. Permissions on share only
controls
and potentially limit operations through the network sharing mechanism;
permissions on file system are required as well.

Thisnk of share permission as a visa. In any country, there are citizens
that don't require a visa (full control), those who come with visas
(read),
and people without visas or on a blacklist (both have no access).
However,
when they are already in the country, different controls apply.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Rockitman" <Rockitman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:28711AB6-FABC-48F8-B36D-9C28E440CB05@xxxxxxxxxxxxxxxx
I have a folder that I've created a share on. How come there are more
security permissions than share permissions?

I don't understand this stuff. I want a group to be able to write
files
to
the directory but if I give them Write rights in Security it doesn't
work.

When I go to share permissions, there are very limited rights
available,
Full Control, Read, and Change. Where are the write rights??






.

Relevant Pages

  • Re: XP Home: selective folder sharing
    ... Adding Test made no difference for sharing the Test folder in XP Safe Mode. ... In Control Panel/Network on the 98SE machine, I found the network login set ... click the Permissions button to ...
    (microsoft.public.windowsxp.network_web)
  • Re: Security and Sharing
    ... When they are logged in locally only the filesystem permissions are ... allows to them provided that the share level permissions are not less. ... "read and file scan rights". ... If you want then to be able to read files and browse the folder structure ...
    (microsoft.public.security)
  • Re: How do I add a network user to the security permissions on a shared XP folder?
    ... can't figure out what way to setup the permissions. ... user account on the fileserver computer with the same name as my own ... allowed them to list folder contents only. ... Next I allowed the NETWORK ...
    (microsoft.public.windows.server.networking)
  • Re: My F#@!&$% Network Problem Possibly Solved
    ... The kind of features Pro adds were not things I perceived as ... permissions for shared folders are usually set in two separate ... folder, choosing properties, going to the sharing tab and clicking ... "Allow network users to change my files." ...
    (rec.audio.pro)
  • Re: How do I add a network user to the security permissions on a shared XP folder?
    ... can't figure out what way to setup the permissions. ... allowed them to list folder contents only. ... Next I allowed the NETWORK ... credentials.You really don't need the Network group. ...
    (microsoft.public.windows.server.networking)