Re: Security and Sharing
- From: "Roger Abell [MVP]" <mvpnospam@xxxxxxx>
- Date: Sat, 9 Aug 2008 18:25:36 -0700
"Rockitman" <Rockitman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:FE1D5F0B-68AB-4FAF-9ACD-7047E9FAAC11@xxxxxxxxxxxxxxxx
Finally!! Somebody has explained this so that I can understand!! Thanks a
million Roger, it makes crystal clear sense now!!
Good it worked for you.
Another thing that might have helped is if you had followed up on the
replies in the other thread you started, giving feedback of what did and
what did not make sense of the replies.
Roger
"Roger Abell [MVP]" wrote:
A user must have both share level and filesystem level permissions if
they are to access over the network.
When they are logged in locally only the filesystem permissions are
needed.
When they access over the network they can do anything that the
filesystem allows to them provided that the share level permissions are
not less.
For example, your scenario had a couple of categories of users, but none
of them will be setting permissions, so they will not use permissions
greater than change (i.e. full). If the filesystem set things so that
your categories of accounts could do exactly and only what you want when
logged in locally, then granting them change at the share level would let
them do everything they are allowed at the filesystem (but nothing else
as the filesystem will not allow it). If at the share level you were to
only give them read, then even though the filesystem would let them do
more they could not do any more than read when the access is over the
network.
The share level permissions set an upper limit on what can be done over
the network, provided that the filesystem allows it. The share level
permissions never cause an account to be able to do more than the
filesystem allows to the account.
In your scenario you want one category of account to be able to have
"read and file scan rights". I am not sure what you mean by the second.
If you want them to be able to read files and browse the folder structure
then you would grant them List and Read on the filesystem, and you
would grant them at least Read at the share level.
The other category is not quite as simple. If you had not said they
should not be able to delete then at the uppermost folder you could just
grant them List and grant them Modify Subfolders and Files (you need
to click advanced after you grant Modify in order to reduce it from
This folder, subfolders and files to just Subfolders and files).
In order for this category of user to use all of their filesystem perms
over the network they would need at least Change share level perms.
Now, you said they should not be able to delete. You can accomplish
that a couple of ways. One is to use the advanced view of the filesystem
perms just described and remove the check mark on the deletes.
However this might not be what you expect as some things, like
renames, actually require delete.
Roger
"Rockitman" <Rockitman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:46041F0A-C954-498C-98E9-6142C28A2BEA@xxxxxxxxxxxxxxxx
I am trying very very hard to understand all of this and am failing
miserably.
I have a d: drive. I have created a folder called docs. I want group A
to have read and file scan rights to this folder and all of its
subfolders.
I also have a user, who will be responsible for creating folders under
this Docs folder, placing files in these folders, and possibly renaming
them as well as the folders themselves, in case she makes a mistake. I
just don't want her to have any delete rights.
So, with this scenario, can you please explain in detail how I would go
about doing this? Please explain in DETAIL. Do I need to create a share?
Why??
"S. Pidgorny <MVP>" wrote:
There are also permissions on file system. Permissions on share only
control and potentially limit operations through the network sharing
mechanism; permissions on file system are required as well.
Think of share permission as a visa. In any country, there are citizens
that don't require a visa (full control), those who come with visas
(read), and people without visas or on a blacklist (both have no access).
However, when they are already in the country, different controls apply.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
* http://sl.mvps.org * http://msmvps.com/blogs/sp *
"Rockitman" <Rockitman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:28711AB6-FABC-48F8-B36D-9C28E440CB05@xxxxxxxxxxxxxxxx
I have a folder that I've created a share on. How come there are more
security permissions than share permissions?
I don't understand this stuff. I want a group to be able to write files
to the directory but if I give them Write rights in Security it doesn't
work.
When I go to share permissions, there are very limited rights available,
Full Control, Read, and Change. Where are the write rights??
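
Added example, not part of the original thread: a simplified Python model of the rule Roger Abell describes above, where network access is limited to what both the share and the filesystem allow, and removing Delete also removes rename. The access-mask values are the standard Windows ones; the case names (`group_a`, `editor`) and the flat one-mask-per-account model are assumptions made for illustration.

```python
# Simplified model of the share + filesystem access rule from the thread.
# Mask values are the standard Windows access-mask constants; the cases in
# report() are constructed to match the scenario in the thread.
READ_DATA, WRITE_DATA, APPEND_DATA = 0x1, 0x2, 0x4  # folders: list / add file / add subfolder
DELETE = 0x10000

READ_EXECUTE = 0x1200A9   # NTFS "Read & Execute"; also share-level "Read"
MODIFY = 0x1301BF         # NTFS "Modify"; also share-level "Change"
FULL_CONTROL = 0x1F01FF   # adds delete-child, change permissions, take ownership

# Rights each operation needs in this model. Rename is modelled as DELETE on
# the item plus the right to add the entry under its new name.
REQUIRED = {
    "read": READ_DATA,
    "create_file": WRITE_DATA,
    "create_folder": APPEND_DATA,
    "rename": DELETE | WRITE_DATA,
    "delete": DELETE,
}

def effective(ntfs_mask, share_mask=None):
    """Local logon: filesystem only. Network access: filesystem AND share."""
    return ntfs_mask if share_mask is None else ntfs_mask & share_mask

def allowed_ops(mask):
    """Operations whose required rights are all present in the mask."""
    return sorted(op for op, need in REQUIRED.items() if mask & need == need)

def report():
    editor_no_delete = MODIFY & ~DELETE  # Modify with the Delete box cleared
    return {
        "group_a_network": allowed_ops(effective(READ_EXECUTE, READ_EXECUTE)),
        "editor_local": allowed_ops(effective(MODIFY)),
        "editor_share_read": allowed_ops(effective(MODIFY, READ_EXECUTE)),
        "editor_share_full": allowed_ops(effective(MODIFY, FULL_CONTROL)),
        "editor_no_delete_network": allowed_ops(effective(editor_no_delete, MODIFY)),
    }

if __name__ == "__main__":
    for case, ops in report().items():
        print(f"{case:26} {', '.join(ops)}")
```

The `editor_share_full` case returns the same operations as `editor_local`: a share-level grant above what the filesystem allows adds nothing.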