Re: Share permissions conflicting with NTFS permissions



Thank you, it is much clearer to me now

Greg


"Miha Pihler [MVP]" wrote:


Hi,

"Greg" <Greg@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A1CCCCC8-554C-435B-84E9-50EE70DA4CCF@xxxxxxxxxxxxxxxx
Wow, thank you for the quick response, I could have sworn that on MS support
page if a user has read on one share and write in a subfolder, Write would be
the dominant one, but I remember now that it is SHARE and NTFS permissions
that will do most restrictive, I let the support article confuse me, and
thank you for reminding me. If I do give domain users Write or Full Control
on the share permissions

In most cases permission of Change on the share should be enough. Still it
is a very good idea as you suggest to remove Everyone and e.g. add Domain
Users group share permissions.

will I have to go to each subfolder in the share
and imply DENY on NTFS shares I don't want certain users access to?

My advice here would be to create a new group called e.g. "IT Write access
to data folder". Now throw all users that need access to this folder to this
new group and add NTFS permissions of Write to this group. Remove all other
groups or users from NTFS permissions.
If there are people that need only read access create another group called
e.g. "IT Read Only access to data folder" and add it to NTFS permissions
with appropriate permissions (Read Only).

I guess the simple question is will I stop Write or Full Access rights granted
from the SHARE permissions, by saying don't inherit this from upper folder?

As mentioned before -- create new groups, remove the ones that are added to
the folder. You can remove them by removing Inherit attribute on the
folder... Now only groups that you added will have access to the
share/folder.

Thank you both for your quick responses and expertise

--
Mike
Microsoft MVP - Windows Security

"Miha Pihler [MVP]" wrote:

Hi,

What you are seeing is correct result (by design). You have to take maximum
permissions from NTFS (e.g. write) and maximum permission from share (e.g.
read). Now _most_ restrictive permission from both (in above case read) will
be enforced on users accessing this share.

--
Mike
Microsoft MVP - Windows Security

"Greg" <Greg@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4FBB7576-559A-4169-90F8-DB3C6EAEF57D@xxxxxxxxxxxxxxxx
I have a Share with the Domain Users group assigned Read access. In the
subfolders I have individual user accounts assigned with Various NTFS File
Permissions= Change, Write, even Full Control. None of these users can do
anything in the subfolders unless I go back to the Share Folder Permissions,
and grant Change, or Full Control. What am I overlooking here? This is on
Windows 2003
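
The rule discussed in this thread, modelled as an added example (not code from any poster or from Microsoft): access over the network is limited to the rights that both the share ACL and the NTFS ACL grant. The three-bit rights model and the accounts alice, bob and carol are assumptions made for illustration; the group names are the ones suggested in the thread.

```python
# Added example: simplified model of share vs. NTFS permissions over the network.
# Rights are reduced to three bits; real Windows ACLs are finer-grained.
R, W, ADMIN = 1, 2, 4
READ, CHANGE, FULL = R, R | W, R | W | ADMIN
NAMES = {0: "No access", READ: "Read", CHANGE: "Change", FULL: "Full Control"}

def granted(acl, principals):
    """Rights one ACL gives: union of matching allow entries, minus denies."""
    allow = deny = 0
    for who, kind, rights in acl:
        if who in principals:
            if kind == "deny":
                deny |= rights
            else:
                allow |= rights
    return allow & ~deny

def effective(share_acl, ntfs_acl, principals):
    """Over the share, only rights present in BOTH ACLs survive."""
    return granted(share_acl, principals) & granted(ntfs_acl, principals)

# Constructed accounts (hypothetical): user name plus group memberships.
WRITE_GRP = "IT Write access to data folder"
READ_GRP = "IT Read Only access to data folder"
alice = {"alice", "Domain Users", WRITE_GRP}
bob = {"bob", "Domain Users", READ_GRP}
carol = {"carol", "Domain Users"}

# Original setup from the thread: share = Domain Users Read, NTFS = user Full Control.
before_share = [("Domain Users", "allow", READ)]
before_ntfs = [("alice", "allow", FULL)]

# Suggested setup: Change on the share, inheritance removed, two groups on NTFS.
after_share = [("Domain Users", "allow", CHANGE)]
after_ntfs = [(WRITE_GRP, "allow", CHANGE), (READ_GRP, "allow", READ)]

def report():
    rows = [("before", "alice", effective(before_share, before_ntfs, alice))]
    for name, who in (("alice", alice), ("bob", bob), ("carol", carol)):
        rows.append(("after", name, effective(after_share, after_ntfs, who)))
    return [(stage, name, NAMES[mask]) for stage, name, mask in rows]

if __name__ == "__main__":
    for row in report():
        print(*row, sep="\t")
```

In the "after" rows carol ends up with no access without any DENY entry, because her only group has no entry on the NTFS ACL once inheritance is removed.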





