Re: Group security
From: Kelly T. (KellyT_at_discussions.microsoft.com)
Date: 10/21/05
- Previous message: Brad Baker: "Re: Authentication Auditing"
- In reply to: Steven L Umbach: "Re: Group security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 21 Oct 2005 13:57:02 -0700
I did some more testing - created a couple of test users, groups and a new
directory. Those all worked fine. Then, I stopped inheritance on one of my
problem folders (copying the permissions), applied the changes, reapplied
inheritance and permissions are working as expected. Thanks for your help!
Kelly
"Steven L Umbach" wrote:
> It sounds like the user's security token does not have the correct group
> membership. Use whoami /groups to verify if it does or not. If not then it
> is possible that changes to the domain global group have not propagated to
> the domain controller used to authenticate the user. --- Steve
>
>
>
> "Kelly T." <KellyT@discussions.microsoft.com> wrote in message
> news:82560828-D801-4FEF-AA58-377CB0C7B6E8@microsoft.com...
> > We leave the share permissions as the default of Everyone - Full Control and
> > restrict access through the NTFS permissions. Also, we don't use the deny
> > permissions.
> >
> > Windows definitely is not giving the most permissive access if the user is
> > part of 2 named groups. It's giving the most restrictive access.
> >
> > "Steven L Umbach" wrote:
> >
> >> Actually Windows will grant a user the most permissive permission when they
> >> are a member of multiple groups for NTFS or share permissions. The exception
> >> is that when a user has deny access based on group membership this can trump
> >> any allow permissions. Also if both share and folder/NTFS permissions apply
> >> to a user then the most restrictive of those two permissions will prevail
> >> which is what you may be experiencing. In other words if a user has read
> >> permissions to a share and full control permissions to the folder via NTFS
> >> permissions the user will only have read/list/execute to the folder over the
> >> network because the share permissions are more restrictive than the NTFS
> >> permissions.
> >>
> >> When possible try to configure permissions without using deny keeping in
> >> mind that the lack of permission is an implicit deny. Also when you are
> >> configuring permissions be sure to logoff and logon again as the user if
> >> group membership was changed for that user to refresh the user's access
> >> token which contains the groups the user is a member of. The support tool
> >> whoami can show the current groups that a logged on user is a member of in
> >> the access token if you have any question on that. --- Steve
> >>
> >>
> >> "Kelly T." <Kelly T.@discussions.microsoft.com> wrote in message
> >> news:C362B077-2EF2-4EFB-B959-FB6DEE696B97@microsoft.com...
> >> > We have a file server (SRV1) that most of our data is on. The group Everyone
> >> > has r/w access to most of the folders with inheritance turned on. Currently,
> >> > named users have access to specific folders (SRV1\Data\IT) to grant them
> >> > read/write access.
> >> >
> >> > We'd like to get away from granting access by named user and switch to using
> >> > groups. The problem I'm running into is Windows grants the most restrictive
> >> > policy when a user belongs to 2 groups. So, if Everyone has read access to
> >> > the IT folder, but the group IT should have read/write, the user ends up with
> >> > read only access.
> >> >
> >> > We'd like to make this transition transparent to our users, so taking away
> >> > the Everyone group could be problematic. Are there any reports/tools to tell
> >> > which users have accessed certain folders or a way around this conflict
> >> > between the Everyone group and other named groups?
> >> >
> >> > Thanks!
> >> >
> >> > Kelly
> >>
> >>
> >>
>
>
>
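The permission rules described in the quoted replies, as an added example that is not part of the original thread: a simplified Python model (it ignores ACE ordering and inheritance precedence) that unions allow entries across the groups in a token, removes denied rights, and intersects share and NTFS access. The ACL contents, the `Contractors` group and all function names are constructed for illustration.

```python
# Added illustration: simplified model of the rules quoted in the thread.
# Real Windows access checks also weigh ACE order and inheritance.
READ = frozenset({"read"})
CHANGE = frozenset({"read", "write"})
FULL = frozenset({"read", "write", "change_permissions"})

def acl_access(token_groups, acl):
    """Union the allows for every group in the token, then drop any right
    that a matching deny entry names. No matching entry means no access."""
    allowed, denied = set(), set()
    for kind, group, rights in acl:
        if group not in token_groups:
            continue  # entry does not apply to this token
        (allowed if kind == "allow" else denied).update(rights)
    return frozenset(allowed - denied)

def network_access(token_groups, share_acl, ntfs_acl):
    """Over the network a right must be granted by both share and NTFS."""
    return acl_access(token_groups, share_acl) & acl_access(token_groups, ntfs_acl)

# Constructed ACLs mirroring the thread: share left at Everyone - Full Control,
# IT folder readable by Everyone and read/write for the IT group.
SHARE = [("allow", "Everyone", FULL)]
NTFS_IT = [("allow", "Everyone", READ), ("allow", "IT", CHANGE)]

# Token built at logon: "stale" predates the user being added to IT.
STALE_TOKEN = {"Everyone"}
FRESH_TOKEN = {"Everyone", "IT"}

def scenarios():
    return {
        "fresh token": network_access(FRESH_TOKEN, SHARE, NTFS_IT),
        "stale token": network_access(STALE_TOKEN, SHARE, NTFS_IT),
        # Share limited to read while NTFS grants full control.
        "read-only share": network_access(
            FRESH_TOKEN, [("allow", "Everyone", READ)], [("allow", "IT", FULL)]),
        # Hypothetical Contractors group with a deny on write.
        "deny on write": acl_access(
            FRESH_TOKEN | {"Contractors"},
            NTFS_IT + [("deny", "Contractors", {"write"})]),
    }

if __name__ == "__main__":
    for name, rights in scenarios().items():
        print(f"{name:16} -> {sorted(rights)}")
```

The "stale token" case is the situation `whoami /groups` would expose: the IT entry exists on the folder, but the logon session's token does not list the group.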