Re: Rights
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 18 Jan 2006 19:44:12 -0600
First see the link below on special permissions. It refers to XP but applies
to Windows 2000 also. It explains exactly what each "generic" permission can
do that you see on the main security page.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308419
It sounds like they need at least read/list/write permissions and maybe
modify that also allows the users to delete. It depends on exactly what kind
of changes they need to do and how the application handles these changes.
Office documents for instance require modify permissions because office
creates a temporary document that the user edits and it is written as the
new document and the old one is deleted if the user saves the document.
Start giving the group less permissions and if they can not do the task then
also give them modify permission.
Always assign permissions with the principle of least privilege in mind.
Everyone means well everyone including guest if that account is enabled on
the computer. Domain users would be better than everyone [assuming anonymous
access is not desired] and if you want only certain domain users to have
access create a domain global group, add the users you want to have access
in that group, and then give that group permissions to the share or add it
to a local group that has access to the share. During your testing if you
change a user's group membership be sure to logoff the user and then logon
again to get a new security token for the user reflecting their new group
membership which can be shown with the support tool whoami if you have any
question.
Just a minor point for the future. Rights are a task that a user can do on
the operating system such as logon locally and change system time and are
found in Local Security Policy/local policies/user rights. When referring to
folder/file access levels you are talking about "permissions" . A user/group
would also need the user right for "access this computer from the network"
in order to access a share and is helpful in securing network
esources. --- Steve
"George Schneider" <georgedschneider@xxxxxxxxxxxxxx> wrote in message
news:BC996E97-3ADD-41A9-820E-8FA0A96229EE@xxxxxxxxxxxxxxxx
>I have shared folders and I want to assign permissions to it. Is it better
> to assign the group everyone or Domain Users to a share? What is a better
> practice? I want to enable a group assigned right to a share to be able
> to
> create documents, make changes to a document, and read a document. Do
> they
> need the modify right?
.
- Prev by Date: Re: find system user is currently logged onto
- Next by Date: Re: find system user is currently logged onto
- Previous by thread: Re: find system user is currently logged onto
- Next by thread: Re: Rights
- Index(es):
Relevant Pages
|
|
