Re: Group security
From: Kelly T. (KellyT_at_discussions.microsoft.com)
Date: Fri, 21 Oct 2005 11:50:07 -0700
We leave the share permissions as the default of Everyone - Full Control and
restrict access through the NTFS permissions. Also, we don't use the deny
Windows definitely is not giving the most permissive access if the user is
part of 2 named groups. It's giving the most restrictive access.
"Steven L Umbach" wrote:
> Actually Windows will grant a user the most permissive permission when they
> are a member of multiple groups for NTFS or share permissions. The exception
> is that when a user has deny access based on group membership this can trump
> any allow permissions. Also if both share and folder/NTFS permissions apply
> to a user then the most restrictive of those two permissions will prevail
> which is what you may be experiencing. In other words, if a user has read
> permissions to a share and full control permissions to the folder via NTFS
> permissions the user will only have read/list/execute to the folder over the
> network because the share permissions are more restrictive than the NTFS
> When possible, try to configure permissions without using deny, keeping in
> mind that the lack of permission is an implicit deny. Also when you are
> configuring permissions, be sure to log off and log on again as the user if
> group membership was changed for that user to refresh the user's access
> token which contains the groups the user is a member of. The support tool
> whoami can show the current groups that a logged on user is a member of in
> the access token if you have any question on that. --- Steve
> "Kelly T." <Kelly T.@discussions.microsoft.com> wrote in message
> > We have a file server (SRV1) that most of our data is on. The group Everyone has r/w access to most of the folders with inheritance turned on. Currently, named users have access to specific folders (SRV1\Data\IT) to grant them read/write access.
> > We'd like to get away from granting access by named user and switch to using groups. The problem I'm running into is Windows grants the most restrictive policy when a user belongs to 2 groups. So, if Everyone has read access to the IT folder, but the group IT should have read/write, the user ends up with read-only access.
> > We'd like to make this transition transparent to our users, so taking away the Everyone group could be problematic. Are there any reports/tools to tell which users have accessed certain folders or a way around this conflict between the Everyone group and other named groups?
> > Thanks!
> > Kelly
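Steve's description of how the two sets of permissions combine (most permissive across a user's groups for NTFS or share allows, deny trumping allow, and the more restrictive of share versus NTFS over the network) can be modelled as a small access check. This is an added example, not code from either poster; the rights mask, the group names and the ACLs are constructed, and the model is simplified relative to Windows' real ACCESS_MASK and ACE ordering.

```python
"""Model of how Windows combines NTFS and share permissions for a user.
Constructed example: the rights are a simplified bit mask, not the real
Win32 ACCESS_MASK, and the ACLs below are made up for illustration."""
from dataclasses import dataclass

READ, WRITE, EXECUTE = 1, 2, 4
FULL = READ | WRITE | EXECUTE

@dataclass(frozen=True)
class Ace:
    trustee: str       # group or user name the entry applies to
    rights: int        # bit mask of rights
    deny: bool = False

def effective_rights(acl, token_groups):
    """Allow entries for any group in the token accumulate (most permissive);
    a matching deny entry removes those rights no matter who else allows them."""
    allowed = denied = 0
    for ace in acl:
        if ace.trustee not in token_groups:
            continue          # no matching entry at all is an implicit deny
        if ace.deny:
            denied |= ace.rights
        else:
            allowed |= ace.rights
    return allowed & ~denied

def effective_over_network(share_acl, ntfs_acl, token_groups):
    """Share and NTFS permissions both apply over the network: only rights
    granted by both survive, so the more restrictive set prevails."""
    return effective_rights(share_acl, token_groups) & effective_rights(ntfs_acl, token_groups)

def describe(mask):
    names = [n for n, bit in (("read", READ), ("write", WRITE), ("execute", EXECUTE)) if mask & bit]
    return "+".join(names) or "none"

# Constructed ACLs matching the thread: share is Everyone - Full Control,
# the IT folder grants Everyone read and the IT group read/write.
SHARE_ACL = [Ace("Everyone", FULL)]
IT_FOLDER_ACL = [Ace("Everyone", READ), Ace("IT", READ | WRITE)]

if __name__ == "__main__":
    # Token holding both groups gets the union of allows: read+write.
    print(describe(effective_over_network(SHARE_ACL, IT_FOLDER_ACL, {"Everyone", "IT"})))
    # A read-only share caps full-control NTFS rights at read.
    print(describe(effective_over_network([Ace("Everyone", READ)], [Ace("IT", FULL)], {"Everyone", "IT"})))
    # A deny entry on one group trumps allows from another.
    print(describe(effective_rights([Ace("IT", FULL), Ace("Temps", WRITE, deny=True)], {"IT", "Temps"})))
```

The third case also illustrates why Steve advises against deny entries: one group membership silently strips a right every other group grants, which is hard to spot until the user logs on again with a refreshed token.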