Re: Group security

From: Kelly T. (KellyT_at_discussions.microsoft.com)
Date: 10/21/05


Date: Fri, 21 Oct 2005 11:50:07 -0700

We leave the share permissions as the default of Everyone - Full Control and
restrict access through the NTFS permissions. Also, we don't use the deny
permissions.

Windows definitely is not giving the most permissive access if the user is
part of 2 named groups. It's giving the most restrictive access.

"Steven L Umbach" wrote:

> Actually Windows will grant a user the most permissive permission when they
> are a member of multiple groups for NTFS or share permissions. The exception
> is that when a user has deny access based on group membership this can trump
> any allow permissions. Also if both share and folder/NTFS permissions apply
> to a user then the most restrictive of those two permissions will prevail
> which is what you may be experiencing. In other words, if a user has read
> permissions to a share and full control permissions to the folder via NTFS
> permissions the user will only have read/list/execute to the folder over the
> network because the share permissions are more restrictive than the NTFS
> permissions.
>
> When possible try to configure permissions without using deny keeping in
> mind that the lack of permission is an implicit deny. Also when you are
> configuring permissions be sure to logoff and logon again as the user if
> group membership was changed for that user to refresh the user's access
> token which contains the groups the user is a member of. The support tool
> whoami can show the current groups that a logged on user is a member of in
> the access token if you have any question on that. --- Steve
>
>
> "Kelly T." <Kelly T.@discussions.microsoft.com> wrote in message
> news:C362B077-2EF2-4EFB-B959-FB6DEE696B97@microsoft.com...
> > We have a file server (SRV1) that most of our data is on. The group
> > Everyone has r/w access to most of the folders with inheritance turned on.
> > Currently, named users have access to specific folders (SRV1\Data\IT) to
> > grant them read/write access.
> >
> > We'd like to get away from granting access by named user and switch to
> > using groups. The problem I'm running into is Windows grants the most
> > restrictive policy when a user belongs to 2 groups. So, if Everyone has
> > read access to the IT folder, but the group IT should have read/write, the
> > user ends up with read only access.
> >
> > We'd like to make this transition transparent to our users, so taking away
> > the Everyone group could be problematic. Are there any reports/tools to
> > tell which users have accessed certain folders or a way around this
> > conflict between the Everyone group and other named groups?
> >
> > Thanks!
> >
> > Kelly
>
>
>
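The evaluation rules Steve describes (allow permissions accumulate across a user's groups, a deny trumps any allow, and the more restrictive of the share and NTFS results applies over the network) can be modelled in a few lines. The following is an added illustration written for this page, not code from either poster or from Microsoft; the ACLs, share, group memberships and user names are constructed sample data, and the model deliberately simplifies Windows ACE ordering (it treats every deny as winning, which is what canonical ordering gives for explicit ACEs; inherited-versus-explicit precedence is not modelled).

```python
# Toy model of how Windows combines NTFS and share permissions for a user who
# belongs to several groups, following the rules stated in the thread above.
# Added example for this page, not Microsoft code; all data below is constructed.

from dataclasses import dataclass

READ = frozenset({"read", "list", "execute"})
WRITE = frozenset({"write"})
FULL = READ | WRITE | frozenset({"delete", "change_permissions", "take_ownership"})


@dataclass(frozen=True)
class Ace:
    principal: str        # user or group the entry applies to
    rights: frozenset     # rights granted or denied by this entry
    deny: bool = False    # True for a deny ACE


def effective_rights(acl, principals):
    """Union of allow ACEs matching any of the user's principals, minus any
    matching deny ACE: 'most permissive, except deny trumps allow'.
    Assumption: explicit ACEs only; inherited/explicit ordering is ignored."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in principals:
            (denied if ace.deny else allowed).update(ace.rights)
    return frozenset(allowed - denied)


def effective_over_network(share_acl, ntfs_acl, principals):
    """Share and NTFS ACLs are each evaluated on their own; network access
    gets the intersection, i.e. the more restrictive of the two."""
    return effective_rights(share_acl, principals) & effective_rights(ntfs_acl, principals)


def token_principals(user, membership):
    """Principals in the user's access token (what `whoami /groups` lists).
    Everyone is always present; the rest comes from group membership, which
    is why a changed membership needs a fresh logon to take effect."""
    return frozenset({user, "Everyone"} | membership.get(user, set()))


# Constructed sample matching Kelly's description: the share is left at
# Everyone / Full Control, and NTFS on SRV1\Data\IT grants Everyone read
# while the IT group gets read/write.
SHARE_ACL = [Ace("Everyone", FULL)]
IT_FOLDER_ACL = [Ace("Everyone", READ), Ace("IT", READ | WRITE)]
MEMBERSHIP = {"alice": {"IT"}, "bob": set()}   # alice is in IT, bob is not


def kelly_scenario():
    """Rights each user ends up with on the IT folder over the network."""
    return {
        user: effective_over_network(SHARE_ACL, IT_FOLDER_ACL, token_principals(user, MEMBERSHIP))
        for user in ("alice", "bob")
    }


def deny_scenario():
    """Same folder plus a deny-write ACE for a group alice also belongs to."""
    acl = IT_FOLDER_ACL + [Ace("Contractors", WRITE, deny=True)]
    members = {"alice": {"IT", "Contractors"}}
    return effective_over_network(SHARE_ACL, acl, token_principals("alice", members))


def restrictive_share_scenario():
    """Share permission of read only caps NTFS Full Control at read."""
    share = [Ace("Everyone", READ)]
    ntfs = [Ace("IT", FULL)]
    return effective_over_network(share, ntfs, token_principals("alice", MEMBERSHIP))


if __name__ == "__main__":
    for user, rights in kelly_scenario().items():
        print(f"{user}: {sorted(rights)}")
    print("alice with deny-write group:", sorted(deny_scenario()))
    print("alice behind read-only share:", sorted(restrictive_share_scenario()))
```

Running it shows the point Steve makes: with Everyone/read and IT/read-write on the folder, the IT member gets read and write rather than the read-only result Kelly expected, the non-member keeps read, a deny ACE on any of the user's groups removes write again, and a read-only share permission caps even NTFS Full Control at read over the network.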