Re: Share permissions conflicting with NTFS permissions

Thank you, it is much clearer to me now


"Miha Pihler [MVP]" wrote:


"Greg" <Greg@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
Wow, thank you for the quick response, I could have sworn that on MS
page if a user has read on one share and write in a subfolder, Write would
the dominant one, but I remember now that it is SHARE and NTFS permissions
that will do most restrictive, I let the support article confuse me, and
thank you for reminding me. If I do give domain users Write or Full
on the share permissions

In most cases a permission of Change on the share should be enough. Still, it
is a very good idea, as you suggest, to remove Everyone and e.g. add the Domain
Users group to the share permissions.

will I have to go to each subfolder in the share
and imply DENY on NTFS shares I don't want certain users access to?

My advice here would be to create a new group called e.g. "IT Write access
to data folder". Now throw all users that need access to this folder to this
new group and add NTFS permissions of Write to this group. Remove all other
groups or users from NTFS permissions.
If there are people that need only read access create another group called
e.g. "IT Read Only access to data folder" and add it to NTFS permissions
with appropriate permissions (Read Only).

I guess
the simple question is will I stop Write or Full Access rights granted
the SHARE permissions, by saying don't inherit this from upper folder?

As mentioned before -- create new groups, remove the ones that are added to
the folder. You can remove them by removing Inherit attribute on the
folder... Now only groups that you added will have access to the

Thank you both for your quick responses and expertise

Microsoft MVP - Windows Security

"Miha Pihler [MVP]" wrote:


What you are seeing is the correct result (by design). You have to take
permissions from NTFS (e.g. write) and maximum permission from share
read). Now _most_ restrictive permission from both (in above case read)
be enforced on users accessing this share.

Microsoft MVP - Windows Security

"Greg" <Greg@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
I have a Share with the Domain Users group assigned Read access. In the
subfolders I have individual user accounts assigned with Various NTFS
Permissions= Change, Write, even Full Control. None of these users can
anything in the subfolders unless I go back to the Share Folder
and grant Change, or Full Control. What am I overlooking here? This is
Windows 2003
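
The rule discussed in this thread (the most restrictive of the share and NTFS permissions applies over the network), worked through as an added example that is not part of the original posts. It is a simplified model: rights are coarse sets rather than real Windows access masks, the user names alice, bob and carol are hypothetical, and the write group is assumed to get NTFS Read as well as Write.

```python
# Simplified model: coarse right names, not real Windows access masks.
SHARE = {
    "Read": {"read"},
    "Change": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change_permissions"},
}
NTFS = {
    "Read": {"read"},
    "Write": {"write"},
    "Modify": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change_permissions"},
}

def granted(acl, levels, principals):
    """Union of allow entries matching the user's principals, minus denies."""
    allow, deny = set(), set()
    for principal, kind, level in acl:
        if principal in principals:
            (allow if kind == "allow" else deny).update(levels[level])
    return allow - deny

def effective(share_acl, ntfs_acl, principals):
    """Access over the network: only rights granted by BOTH lists."""
    return granted(share_acl, SHARE, principals) & granted(ntfs_acl, NTFS, principals)

# Constructed sample data. Original setup: share Read, NTFS Full Control.
before = effective(
    [("Domain Users", "allow", "Read")],
    [("alice", "allow", "Full Control")],
    {"alice", "Domain Users"},
)

# Suggested setup: share Change for Domain Users, NTFS via dedicated groups,
# inheritance removed so no other group appears on the folder.
WRITE_GRP = "IT Write access to data folder"
READ_GRP = "IT Read Only access to data folder"
share_after = [("Domain Users", "allow", "Change")]
ntfs_after = [
    (WRITE_GRP, "allow", "Read"),
    (WRITE_GRP, "allow", "Write"),
    (READ_GRP, "allow", "Read"),
]
writer = effective(share_after, ntfs_after, {"alice", "Domain Users", WRITE_GRP})
reader = effective(share_after, ntfs_after, {"bob", "Domain Users", READ_GRP})
outsider = effective(share_after, ntfs_after, {"carol", "Domain Users"})

if __name__ == "__main__":
    for name, rights in [("before", before), ("writer", writer),
                         ("reader", reader), ("outsider", outsider)]:
        print(f"{name:9}{sorted(rights)}")
```

In the suggested setup the share permission acts only as a ceiling; who can actually read or write is decided by NTFS group membership, so no DENY entries are needed on the subfolders.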

