Re: Setting Security/Permissions on a Folder??
From: John T. (JohnT@hotmailX.com)
Date: 07/01/02
From: "John T." <JohnT@hotmailX.com> Date: Mon, 1 Jul 2002 11:01:19 -0400
"Roger Abell [MVP]" <mvpNOSPAM@asu.edu> wrote in message
news:#8PBK8LICHA.676@tkmsftngp08...
> "John T." <JohnT@hotmailX.com> wrote in message
> news:#nibvuGICHA.2568@tkmsftngp09...
> > I'm trying to do something that should be very simple but is anything but.
> > On my peer-to-peer Windows XP Pro network I want to share a folder from my
> > hard drive in such a way that all other users have only read and execute on
> > all files in the folder and its sub-folders. I have the advanced sharing
> > options turned on and I want to learn how to use them.
> >
> > First of all, I am confused by sharing permissions and security permissions.
> > What is the difference between them and must I configure both? Then there's
> > the allow and deny flags... and their involvement in inheritance of "objects".
> > For starters, what is an "object"? Why is this so freakin' complicated?
> >
> > Can someone please direct me to a concise explanation of this stuff.
> >
> >
>
> There are short paths through all of this, and long.
> The long are to support detailed variations.
>
> OK - you say you have advanced sharing turned on,
> and I will assume this means you have shut off the
> Simplified sharing in the Folder Options View tab.
>
> When they say objects, relative to the filesystem,
> they mean files, directories, shortcuts, etc. - basically
> anything you see when looking at the filesystem.
>
> The two levels of permissions, the share level and
> the filesystem level, interact as follows:
> NTFS filesystem security sets the maximum allowed
> whether access is with local login or over the network.
> Share level security sets the maximum allowed when
> accessing over the network, but share will always be
> reduced to be no more than the filesystem security allows.
>
> Overall permissions are calculated for the account that
> is attempting access. If you know that the NTFS level
> security controls access sufficiently well, then you can
> leave the share level at its default of Everyone Full Control.
> With that config, any network access will get all that the
> NTFS allows to the accessing account.
>
> If you do not know for sure what the NTFS is granting,
> and as you say you just want the network accessors to
> have read and execute, then set the share level to Read.
> With this config, the account will have Read and Execute
> where the NTFS allows at least that much - but the network
> access account will not receive anything more even though
> the NTFS may allow more.
>
> With your stated objective, you probably should set the share
> level permissions to grant Read to the Users group, and then
> make available limited accounts for use in access over the
> network.
>
> That was not too concise, but then it is a rich system allowing
> much flexibility. I will risk lengthening this a little now, as you
> mentioned this: An account's access is calculated by summing
> together all Grants made to it or to any group of which it is a
> member, and then subtracting out anything Denied to it or any
> of its groups. This can be useful for example if you want to
> grant Change to all Users, except John (who would be Denied).
>
>
> --
> Roger Abell
> MS MVP (Windows Platform), MCSE, MCDBA
> Associate Expert - Windows XP ExpertZone
> http://www.microsoft.com/windowsxp/expertzone
Thanks Roger. What I've done is to set the security on the folder to
Everyone: Full Control, with no other users specified. I've then set the
sharing to allow read access only. This works but what I'm not clear about
is why I have the option to deny change and full control on the sharing tab
if by not choosing "allow" I have effectively denied those permissions. What
do those options override?
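
Added example, not part of the original thread: a simplified Python model of the two rules described in the quoted reply (sum the Allows for an account and its groups, subtract the Denies; network access is limited to what both the share and NTFS levels allow). The right names, the account "Mary" and the sample ACLs are constructed for illustration, and this is not how Windows stores or evaluates real ACLs.

```python
# Simplified model of the rules in the quoted reply; rights and ACLs are constructed.
READ = frozenset({"read", "execute"})
CHANGE = READ | {"write", "delete"}
FULL = CHANGE | {"change_permissions"}


def effective(acl, account, groups):
    """Sum every Allow made to the account or its groups, then subtract every Deny."""
    principals = {account} | set(groups)
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in principals:
            (allowed if kind == "allow" else denied).update(rights)
    return frozenset(allowed - denied)


def network_access(share_acl, ntfs_acl, account, groups):
    """Over the network an account gets only what BOTH levels allow."""
    return effective(share_acl, account, groups) & effective(ntfs_acl, account, groups)


# Folder security as set up in the message above: Everyone has Full Control.
NTFS_ACL = [("Everyone", "allow", FULL)]

# Share set to Read only. Leaving "Allow Change" unticked simply adds nothing.
SHARE_READ = [("Everyone", "allow", READ)]

# The case from the quoted reply: Change for all Users, except John.
# Here the Deny removes rights that John would otherwise inherit from Users.
SHARE_CHANGE_EXCEPT_JOHN = [
    ("Users", "allow", CHANGE),
    ("John", "deny", CHANGE),
]

GROUPS = {"Everyone", "Users"}  # group memberships assumed for both accounts

if __name__ == "__main__":
    print("local, Mary:      ", sorted(effective(NTFS_ACL, "Mary", GROUPS)))
    print("network, Mary (R):", sorted(network_access(SHARE_READ, NTFS_ACL, "Mary", GROUPS)))
    print("network, Mary (C):", sorted(network_access(SHARE_CHANGE_EXCEPT_JOHN, NTFS_ACL, "Mary", GROUPS)))
    print("network, John (C):", sorted(network_access(SHARE_CHANGE_EXCEPT_JOHN, NTFS_ACL, "John", GROUPS)))
```

In this model an unticked Allow and a ticked Deny give the same result only when no other entry grants the right; the Deny matters when a group the account belongs to has been granted it.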