Re: Setting Security/Permissions on a Folder??
From: Bill Duncan (Bill_Duncan@blockade.com)
Date: 07/03/02
- Next message: Jack Reed: "Re: Folder Access Settings in XP Home"
- Previous message: matd: "Re: security hole? any user can add a computer to the domain??"
- In reply to: John T.: "Re: Setting Security/Permissions on a Folder??"
- Next in thread: John T.: "Re: Setting Security/Permissions on a Folder??"
- Reply: John T.: "Re: Setting Security/Permissions on a Folder??"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Bill Duncan" <Bill_Duncan@blockade.com> Date: Wed, 3 Jul 2002 13:04:41 -0400
You may want to start with the help file. Here is an excerpt on
permissions:
"If neither Allow nor Deny is selected for a permission, then the group or
user may have obtained the permission through group membership. If the group
or user has not obtained the permission through membership in another group,
then the group or user is implicitly denied the permission. To explicitly
allow or deny the permission, click the appropriate check box."
Or check out the Microsoft Knowledge base or use your favorite search engine
to find information on this topic. File sharing/permissions is not as
simplistic as you might assume, and for very good reason.
"John T." <JohnT@hotmailX.com> wrote in message
news:##MrGARICHA.1476@tkmsftngp11...
> "Roger Abell [MVP]" <mvpNOSPAM@asu.edu> wrote in message
> news:#8PBK8LICHA.676@tkmsftngp08...
> > "John T." <JohnT@hotmailX.com> wrote in message
> > news:#nibvuGICHA.2568@tkmsftngp09...
> > > I'm trying to do something that should be very simple but is anything
> but.
> > > On my peer-to-peer Windows XP Pro network I want to share a folder
from
> my
> > > hard drive in such a way that all other users have only read and
execute
> > on
> > > all files in the folder and its sub-folders. I have the advanced
sharing
> > > options turned on and I want to learn how to use them.
> > >
> > > First of all, I am confused by sharing permissions and security
> > permissions.
> > > What is the difference between them and must I configure both? Then
> > there's
> > > the allow and deny flags... and their involment in inheritance of
> > "objects".
> > > For starters, what is an "object"? Why is this so freakin'
complicated?
> > >
> > > Can someone please direct me to a concise explanation of this stuff.
> > >
> > >
> >
> > There are short paths through all of this, and long.
> > The long are to support detailed variations.
> >
> > OK - you say you have advanced sharing turned on,
> > and I will assume this means you have shut off the
> > Simplified sharing in the Folder Options View tab.
> >
> > When they say objects, relative to the filesystem,
> > they mean files, directories, shortcuts, etc. - basically
> > anything you see when looking at the filesystem.
> >
> > The two levels of permissions, the share level and
> > the filesystem level, interact as follows:
> > NTFS filesystem security sets the maximum allowed
> > whether access is with local login or over the network.
> > Share level security sets the maximum allowed when
> > accessing over the network, but share will always be
> > reduced to be no more than the filesystem security allows.
> >
> > Overall permissions are calculated for the account that
> > is attempting access. If you know that the NTFS level
> > security controls access sufficiently well, then you can
> > leave the share level at its default of Everyone Full Control.
> > With that config, any network access will get all that the
> > NTFS allows to the accessing account.
> >
> > If you do not know for sure what the NTFS is granting,
> > and as you say you just want the network accessors to
> > have read and execute, then set the share level to Read.
> > With this config, the account will have Read and Execute
> > where the NTFS allows at least that much - but the network
> > access account will not receive anything more even though
> > the NTFS may allow more.
> >
> > With your stated objective, you probably should set the share
> > level permissions to grant Read to the Users group, and then
> > make available limited accounts for use in access over the
> > network.
> >
> > That was not too concise, but then it is a rich system allowing
> > much flexibility. I will risk lengthening this a little now, as you
> > mentioned this: An accounts access is calculated by summing
> > together all Grants made to it or to any group of which it is a
> > member, and then subtracting out anything Denied to it or any
> > of its groups. This can be useful for example if you want to
> > grant Change to all Users, except John (who would be Denied).
> >
> >
> > --
> > Roger Abell
> > MS MVP (Windows Platform), MCSE, MCDBA
> > Associate Expert - Windows XP ExpertZone
> > http://www.microsoft.com/windowsxp/expertzone
>
> Thanks Roger. What I've done is to set the security on the folder to
> Everyone: Full Control, with no other users specified. I've then set the
> sharing to allow read access only. This works but what I'm not clear about
> is why I have the option to deny change and full control on the sharing
tab
> if by not choosing "allow" I have effectively denied those permissions.
What
> do those options override?
>
>
- Next message: Jack Reed: "Re: Folder Access Settings in XP Home"
- Previous message: matd: "Re: security hole? any user can add a computer to the domain??"
- In reply to: John T.: "Re: Setting Security/Permissions on a Folder??"
- Next in thread: John T.: "Re: Setting Security/Permissions on a Folder??"
- Reply: John T.: "Re: Setting Security/Permissions on a Folder??"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
