Re: Everyone take ownership
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 06/14/05
- Next message: Roger Abell: "Re: Everyone take ownership"
- Previous message: AnttiH: "Re: Everyone take ownership"
- In reply to: AnttiH: "Re: Everyone take ownership"
- Next in thread: AnttiH: "Re: Everyone take ownership"
- Reply: AnttiH: "Re: Everyone take ownership"
Date: Mon, 13 Jun 2005 23:00:13 -0700
The share permissions are viewed/set when using an admin
interface on the machine that is sharing-out (or with a remote
tool allowing the same).
After the drive is mapped one sees the NTFS permissions as
these have been set on the actual storage.
An account will have access to the extent NTFS permissions
are granted (and not denied) directly to the account and/or to
any group in which the account is a member, but when the
access is over the network the account will have these only
to the extent that they do not exceed the share level permissions
granted and not denied to the account. The share level permissions
will never increase permissions beyond what is within the NTFS
permissions, they will only allow all the NTFS grants less denies
or the share level permissions might reduce these.
The effective permissions tab will show what access would
be allowed to a principal due to the existing grants and denies
but, as the description states, this only considers direct group
memberships - so long chains of group nesting and share level
permissions imposed on a then current mapping are not taken
into account.
If the permissions are inherited from the parent folder, and
you have access only to the share as a mapped drive then
there is no real way for you to affect what is being inherited.
As you have said that only GroupA and GroupB have any
grants to them, and there are no other grants showing only
in the Advanced view, then we have something of a mystery.
Can you open a cmd prompt and issue
cacls X: > c:\perms.txt
where X: is the letter to which the share has been mapped
and c:\perms.txt is any file to which you want the output
redirected. The content of this file will have all NTFS
settings in effect on the mapped folder.
In order to Take ownership an account would need to
either be in GroupA or GroupB (which have grants of Full)
based on what you have said, that there are no other grants.
Posting here the results stored into that c:\perms.txt file
would help us verify that this is so.
--
Roger Abell
Microsoft MVP (Windows Security)

"AnttiH" <gumfire@despammed.com> wrote in message
news:xwtre.10$Hp3.8@read3.inet.fi...
> Roger Abell wrote:
> > In your initial posting you spoke of share permissions, which
> > are found with the Permission button on the Sharing tab in the
> > properties of a folder. It is now apparent that you are speaking
> > of the NTFS permissions of the folder.
> >
> > Yes, defining a folder to have just a specific, intended set
> > of NTFS permissions is possible. Uncheck the box in the
> > NTFS Security dialog that indicates the folder is allowed
> > to inherit from its parent folder. Also, use the Advanced
> > tab to see whether there are any grants or denies that are
> > special and being masked from view in the generic permission
> > view of the settings.
> >
>
> Thanks for your response.
> The folder in question is shared over network, but apparently NTFS
> permissions are affecting it. It is shared from W2000 Server. I have no
> further detail of this, I can click properties for the folder then
> security tab and there.
>
> There are no Advanced permissions besides the ones that I have set in
> the "generic" permissions page.
> What does the last "Effective Permissions" mean? When I select a group
> from our AD with the select.. button they have NO "Effective
> Permissions", but when I select a certain user, he has all permissions,
> even though he is NOT listed on any of the permissions tabs?
>
> This person used to be in a group which had permission into the folder,
> can this be cached somehow?
>
> Cheers,
>
> AnttiH
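
The rule described in the message above (NTFS grants less denies, capped by the share-level permissions when access is over the network), as an added example that is not part of the original post. It is a simplified Python model that ignores ACE ordering and inheritance; the rights, the share ACL, the Contractors group and the account names are constructed, and only GroupA and GroupB holding Full NTFS grants comes from the thread.

```python
from enum import Flag, auto

class Right(Flag):          # constructed bits, not Windows access-mask values
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()
    DELETE = auto()
    CHANGE_PERMISSIONS = auto()
    TAKE_OWNERSHIP = auto()

READ_ONLY = Right.READ | Right.EXECUTE
CHANGE = READ_ONLY | Right.WRITE | Right.DELETE
FULL = CHANGE | Right.CHANGE_PERMISSIONS | Right.TAKE_OWNERSHIP

def granted_less_denied(acl, principals):
    """Union of allows minus union of denies over the account and its groups."""
    allow = deny = Right.NONE
    for principal, kind, rights in acl:
        if principal not in principals:
            continue
        if kind == "deny":
            deny |= rights
        else:
            allow |= rights
    return allow & ~deny

def effective_access(account, groups, ntfs_acl, share_acl=None):
    """share_acl=None models local access, where share permissions do not apply."""
    principals = {account, *groups}
    ntfs = granted_less_denied(ntfs_acl, principals)
    if share_acl is None:
        return ntfs
    # Over the network the share level can only reduce, never add to, NTFS access.
    return ntfs & granted_less_denied(share_acl, principals)

# Constructed sample ACLs: (principal, "allow" | "deny", rights)
NTFS_ACL = [("GroupA", "allow", FULL), ("GroupB", "allow", FULL),
            ("Contractors", "deny", Right.WRITE)]
SHARE_ACL = [("GroupA", "allow", FULL), ("GroupB", "allow", READ_ONLY)]

if __name__ == "__main__":
    for name, groups in [("alice", {"GroupA"}), ("bob", {"GroupB"}),
                         ("carol", set()), ("dave", {"GroupA", "Contractors"})]:
        print(name, "local:", effective_access(name, groups, NTFS_ACL),
              "| network:", effective_access(name, groups, NTFS_ACL, SHARE_ACL))
```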