Re: Group security

From: Kelly T. (KellyT_at_discussions.microsoft.com)
Date: 10/21/05


Date: Fri, 21 Oct 2005 11:50:07 -0700

We leave the share permissions as the default of Everyone - Full Control and
restrict access through the NTFS permissions. Also, we don't use the deny
permissions.

Windows definitely is not giving the most permissive access if the user is
part of 2 named groups. It's giving the most restrictive access.

"Steven L Umbach" wrote:

> Actually Windows will grant a user the most permissive permission when they
> are a member of multiple groups for NTFS or share permissions. The exception
> is that when a user has deny access based on group membership this can trump
> any allow permissions. Also if both share and folder/NTFS permissions apply
> to a user then the most restrictive of those two permissions will prevail
> which is what you may be experiencing. In other works is a user has read
> permissions to a share and full control permissions to the folder via NTFS
> permissions the user will only have read/list/execute to the folder over the
> network because the share permissions are more restrictive than the NTFS
> permissions.
>
> When possible try to configure permissions without using deny keeping in
> mind that the lack of permission is an implicit deny. Also when you are
> configuring permissions be sure to logoff and logon again as the user if
> group membership was changed for that user to refresh the user's access
> token which contains the groups the user is a member of. The support tool
> whoami can show the current groups that a logged on user is a member of in
> the access token if you have any question on that. --- Steve
>
>
> "Kelly T." <Kelly T.@discussions.microsoft.com> wrote in message
> news:C362B077-2EF2-4EFB-B959-FB6DEE696B97@microsoft.com...
> > We have a file server (SRV1) that most of our data is on. The group Everyone
> > has r/w access to most of the folders with inheritance turned on. Currently,
> > named users have access to specific folders (SRV1\Data\IT) to grant them
> > read/write access.
> >
> > We'd like to get away from granting access by named user and switch to using
> > groups. The problem I'm running into is Windows grants the most restrictive
> > policy when a user belongs to 2 groups. So, if Everyone has read access to
> > the IT folder, but the group IT should have read/write, the user ends up with
> > read only access.
> >
> > We'd like to make this transition transparent to our users, so taking away
> > the Everyone group could be problematic. Are there any reports/tools to tell
> > which users have accessed certain folders or a way around this conflict
> > between the Everyone group and other named groups?
> >
> > Thanks!
> >
> > Kelly
>
>
>
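The evaluation order the thread describes (allows unioned across the token's groups, an explicit deny overriding any allow, and the more restrictive of share vs. NTFS winning over the network) as an added simulation; this is not code from either poster, and the ACLs, group names and the SRV1\Data\IT scenario below are constructed to mirror the discussion.

```python
# Added example: models how Windows combines NTFS and share permissions for a
# user who is a member of several groups. Rights sets, ACLs and group names
# are constructed for illustration, not read from a real server.

READ = {"read", "list", "execute"}
WRITE = {"write"}
FULL = READ | WRITE | {"delete", "change_permissions"}


def effective_rights(acl, token_groups):
    """Evaluate one ACL, a list of (principal, 'allow'|'deny', rights), for a token.
    Allows from every matching principal are unioned (most permissive); a matching
    deny removes those rights no matter what is allowed; an ACL that mentions none
    of the token's groups grants nothing (implicit deny)."""
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in token_groups:
            (allowed if kind == "allow" else denied).update(rights)
    return allowed - denied


def network_access(share_acl, ntfs_acl, token_groups):
    """Over the network both ACLs apply, so the result is the intersection."""
    return effective_rights(share_acl, token_groups) & effective_rights(ntfs_acl, token_groups)


# Kelly's setup: share left at the default Everyone - Full Control, NTFS on the
# IT folder gives Everyone read and the IT group read/write.
SHARE_ACL = [("Everyone", "allow", FULL)]
IT_FOLDER_ACL = [("Everyone", "allow", READ), ("IT", "allow", READ | WRITE)]
# Steve's example: read-only share, full control via NTFS.
READONLY_SHARE_ACL = [("Everyone", "allow", READ)]
FULL_NTFS_ACL = [("Everyone", "allow", FULL)]


def demo():
    it_user = {"Everyone", "Domain Users", "IT"}   # token after logoff/logon with IT added
    stale_token = {"Everyone", "Domain Users"}     # token from before the IT membership
    deny_acl = IT_FOLDER_ACL + [("Contractors", "deny", WRITE)]
    return {
        "it_user": network_access(SHARE_ACL, IT_FOLDER_ACL, it_user),
        "stale_token": network_access(SHARE_ACL, IT_FOLDER_ACL, stale_token),
        "steve_example": network_access(READONLY_SHARE_ACL, FULL_NTFS_ACL, it_user),
        "deny_trumps_allow": network_access(SHARE_ACL, deny_acl, it_user | {"Contractors"}),
    }


if __name__ == "__main__":
    for name, rights in demo().items():
        print(f"{name}: {sorted(rights)}")
```

The `stale_token` case is the behaviour Kelly reports: until the user logs off and on again, the token has no IT group and the Everyone read ACE is all that matches.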


