Re: Group security
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 10/21/05
- Next message: Steven L Umbach: "Re: Authentication Auditing"
- Previous message: Brad Baker: "Authentication Auditing"
- In reply to: Kelly T.: "Re: Group security"
- Next in thread: Kelly T.: "Re: Group security"
- Reply: Kelly T.: "Re: Group security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 21 Oct 2005 14:51:06 -0500
It sounds like the user's security token does not have the correct group
membership. Use whoami /groups to verify if it does or not. If not then it
is possible that changes to the domain global group have not propagated to
the domain controller used to authenticate the user. --- Steve
"Kelly T." <KellyT@discussions.microsoft.com> wrote in message
news:82560828-D801-4FEF-AA58-377CB0C7B6E8@microsoft.com...
> We leave the share permissions as the default of Everyone - Full Control
> and restrict access through the NTFS permissions. Also, we don't use the deny
> permissions.
>
> Windows definitely is not giving the most permissive access if the user is
> part of 2 named groups. It's giving the most restrictive access.
>
> "Steven L Umbach" wrote:
>
>> Actually Windows will grant a user the most permissive permission when
>> they are a member of multiple groups for NTFS or share permissions. The
>> exception is that when a user has deny access based on group membership this
>> can trump any allow permissions. Also if both share and folder/NTFS
>> permissions apply to a user then the most restrictive of those two
>> permissions will prevail which is what you may be experiencing. In other
>> words, if a user has read permissions to a share and full control permissions
>> to the folder via NTFS permissions the user will only have
>> read/list/execute to the folder over the network because the share
>> permissions are more restrictive than the NTFS permissions.
>>
>> When possible try to configure permissions without using deny, keeping in
>> mind that the lack of permission is an implicit deny. Also when you are
>> configuring permissions be sure to logoff and logon again as the user if
>> group membership was changed for that user to refresh the user's access
>> token which contains the groups the user is a member of. The support tool
>> whoami can show the current groups that a logged on user is a member of in
>> the access token if you have any question on that. --- Steve
>>
>>
>> "Kelly T." <Kelly T.@discussions.microsoft.com> wrote in message
>> news:C362B077-2EF2-4EFB-B959-FB6DEE696B97@microsoft.com...
>> > We have a file server (SRV1) that most of our data is on. The group
>> > Everyone has r/w access to most of the folders with inheritance turned on.
>> > Currently, named users have access to specific folders (SRV1\Data\IT) to
>> > grant them read/write access.
>> >
>> > We'd like to get away from granting access by named user and switch to
>> > using groups. The problem I'm running into is Windows grants the most
>> > restrictive policy when a user belongs to 2 groups. So, if Everyone has
>> > read access to the IT folder, but the group IT should have read/write, the
>> > user ends up with read only access.
>> >
>> > We'd like to make this transition transparent to our users, so taking
>> > away the Everyone group could be problematic. Are there any reports/tools
>> > to tell which users have accessed certain folders or a way around this
>> > conflict between the Everyone group and other named groups?
>> >
>> > Thanks!
>> >
>> > Kelly
>>
>>
>>
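As an added illustration of the rules Steve describes above (example code written for this archive page, not from the thread or from Microsoft): a small Python model of how allow ACEs across a token's groups are unioned, how a deny ACE trumps them, and how share and NTFS rights are intersected over the network. The ACLs for SRV1\Data\IT, the "Contractors" group and the named rights are constructed assumptions; real NTFS access masks are far richer.

```python
# Added example, not from the thread: a toy evaluator for the permission
# rules discussed above. Rights are modelled as sets of named operations;
# real NTFS access masks and generic-rights mapping are deliberately simplified.

READ = frozenset({"read", "list", "execute"})
WRITE = frozenset({"write", "modify"})
FULL = READ | WRITE | frozenset({"delete", "change_permissions"})

# An ACL is a list of (principal, "allow" | "deny", rights) entries.
# Constructed ACLs for the thread's SRV1\Data\IT folder and its share.
NTFS_IT_FOLDER = [("Everyone", "allow", READ), ("IT", "allow", FULL)]
SHARE_DEFAULT = [("Everyone", "allow", FULL)]    # the default share ACL Kelly keeps
SHARE_READ_ONLY = [("Everyone", "allow", READ)]  # the restrictive share Steve warns about


def effective_rights(acl, token_groups):
    """Union of every allow ACE matching a group in the access token, minus
    every matching deny ACE: the most permissive allow wins, but deny trumps."""
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in token_groups:
            (allowed if kind == "allow" else denied).update(rights)
    return frozenset(allowed - denied)


def effective_over_network(ntfs_acl, share_acl, token_groups):
    """Remote access gets the intersection of NTFS and share rights:
    whichever of the two is more restrictive prevails."""
    return effective_rights(ntfs_acl, token_groups) & effective_rights(share_acl, token_groups)


def describe(rights):
    """Collapse a rights set into the vocabulary used in the thread."""
    if not rights:
        return "no access"
    return "read/write" if WRITE <= rights else "read only"


if __name__ == "__main__":
    fresh_token = {"Everyone", "Domain Users", "IT"}  # token after logoff/logon
    stale_token = {"Everyone", "Domain Users"}        # token before the new membership took effect
    for label, token in (("fresh token", fresh_token), ("stale token", stale_token)):
        print(label, describe(effective_over_network(NTFS_IT_FOLDER, SHARE_DEFAULT, token)))
    # A read-only share caps full-control NTFS rights at read over the network.
    print("read-only share", describe(effective_over_network(NTFS_IT_FOLDER, SHARE_READ_ONLY, fresh_token)))
    # A deny ACE on any token group removes the right regardless of allows.
    with_deny = NTFS_IT_FOLDER + [("Contractors", "deny", WRITE)]
    print("deny ACE", describe(effective_rights(with_deny, fresh_token | {"Contractors"})))
```

The "stale token" case reproduces the symptom in the thread: the folder ACL is right, but a token that still lacks the IT group only matches the Everyone ACE and gets read only.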