Re: Groups in WinXP
From: Roger Abell [MVP] (mvpNOSPAM@asu.edu)
Date: 01/15/03
- Next message: Jupiter Jones: "Re: making folder 'private'"
- Previous message: Mac Bochinski: "making folder 'private'"
- In reply to: phoenix: "Groups in WinXP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Roger Abell [MVP]" <mvpNOSPAM@asu.edu> Date: Tue, 14 Jan 2003 22:48:52 -0700
Hi Pablo,
How is the summer ? You should not apologize for your
English as it is better than many US youth that post here.
I will mention two possible solutions to your sharing, but
first let us be clear that for sharing from Pro there are two
places where there are permissions. One is on the share's
properties and the other is the NTFS permissions on what
is shared. Both must allow access, and the resulting access
is the least that is granted by both. In other words, if NTFS
say Full Control but share says only Read, then a user that
access via the share will only get Read even though they
would get Full if they accessed the filesystem directly.
OK, one more thing. NETWORK and INTERACTIVE are
not actually groups. These are best thought of a place holders.
At runtime these are replaced by the user account when the
login type is a network or a local console login respectively.
So, let us say that you have shared d:\admin1 with share
permissions of Everyone Change (you called it All, which
is close enough, but in the English version of Windows it is
Everyone). This means that any account, Guest included,
can access the share. Now then, can they access the actual
shared directory ? This depends on the NTFS permissions
on d:\admin1. If the NTFS permissions are Administrators
Full Control, and Users Change, then any account that is
in either Administrators or Users could access this over
the network and receive Change (Administrators would
get no more). I have not tried this next but it should work.
If the NTFS now instead of Users Change had NETWORK
Change, then any account that can authenticate to your
machine over the network should be given Change access
to this share. Further, in this case, when an account that is
not in Administrators is logged in locally that account should
not be granted access to d:\admin1 (Now this part needs to
be tested - what if that locally logged in user now maps a
drive to a share from that same machine ? They are now
logged in both locally and over the network. Will they now
have access to d:\admin1 directly ?)
The way things are more normally done is to separate things
into directories based on the kind of access permissions that
those things should have. By this, it would be more normal
to make a directory for those things that you want shared for
more than Administrators, rather than storing them in an area
that is set to only allow Administrators. But this overlooks
the curious twist you add, that you want the non-Admins to
have access only when over the network and not when logged
in locally. At the bottom of my thoughts on this, I feel that
no matter how you do this the people with non-Admin accounts
will be able to find a way around it. In worse case you are only
frustrating them by making them go over to the other machine
for a moment in order to get at what they can that way but
not while logged in. So this leaves me wondering why you
want to do this.
Sorry this was not in Spanish, forcing you to read through
so much English. Hopefully it is clear enough.
-- Roger "phoenix" <serio@vtr.net> wrote in message news:#46eAIAvCHA.2596@TK2MSFTNGP12... > Hi, i am from Chile, here we speak spanish so if i make a mistake writting > this in english i apologize. > > I have WinXP Pro and two drives with NTFS on my machine. I have two users, > one in the group Administrators > and the other one with special attributes in the group users. As my drives > are NTFS, i changed the groups and users > allowed to see and browse the folders of me second drive (D:), there's about > five folders in that drive and all the users have access to one of them, the > other folders have just the group administrators, that way i can browse all > folders but my users justo one. The problem begins when i tried to share for > my network one of the folders or subfolders that only have the group > administrators, in that case when they try to connect to that folder through > the network a popup message apears saying that they have not access. well > the solution seems pretty simple, i add the group "all" (i don't know for > sure if that's the correct name 'cause i have winxp in spanish), to the > folder that's being shared and now all of the machines on my network can > access the shared folder. > But, with that change i made, the users of the my machine also have access > to that folder, thing that i don't want. My question is, wich group is used > for the connection that are made from the network?, there is a group called > NETWORK, but when i used that group instead of the "all" group, my network > machines can't access to the shared folder anymore. > > > For any helping reply i say thanks. > > Cheers, > Pablo Wynands. > >
- Next message: Jupiter Jones: "Re: making folder 'private'"
- Previous message: Mac Bochinski: "making folder 'private'"
- In reply to: phoenix: "Groups in WinXP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
