dutch686
asked on
Confusion about W2K NTFS permissions and Share Permissions
This question has been asked a lot on this forum, and I think that I have read every entry over the last few hours. I'm still confused about the two. I see answers that state give Everyone Full Control on the Share Permission and control access with NTFS permissions. Others state that the Share Permission gives the network access to the network, and NTFS permissions control access to the local resource. If that is the case what is the purpose of the Read and Modify parts of the Share permissions?
I am trying to gain an understanding of when it is appropriate to use one type of permssioning instead of another, or when to use them in conjunction with one another. I am only repeating what I have read in the above explanation. I would really struggle with a real life scenario of trying to decide how to secure a file or folder.
I am trying to gain an understanding of when it is appropriate to use one type of permssioning instead of another, or when to use them in conjunction with one another. I am only repeating what I have read in the above explanation. I would really struggle with a real life scenario of trying to decide how to secure a file or folder.
Matt is right on in his advice. What set of permissions you use is a decision you will have to make based on your needs. Personally, I try to exclusively use NTFS permissions as they give me far more control. That doesn't make my method 'better' than Matt's, just different.
I think the trick that will save you a lot of headaches going forward, is to play around with Share and NTFS permissions in a test environment, figure out which set of permissions work better for your needs, then only use that set in the real world.
A few other things that can save you lots of troubleshooting time---
Whenever making changes to permission, always leave yourself a 'backdoor' before making the change. The Backdoor will usually be giving your user full rights.
Promise yourself not to use 'Deny' or make use of it very little. Because it overrides any 'Allow' setting, a misplaced or forgotten Deny can ruin your whole day.
Document in as much detail as practical who has rights where. I generally set-up a simple Excel spreadsheet
Give permissions to Groups rather than individual users. That way, when you have a new user to add or subtract, all you have to do is add/remove his/her from the appropriate groups and the permissions will already be correct. Otherwise, you would have to go through each permission separately everytime you needed to make a user change.
hope something here helps
I think the trick that will save you a lot of headaches going forward, is to play around with Share and NTFS permissions in a test environment, figure out which set of permissions work better for your needs, then only use that set in the real world.
A few other things that can save you lots of troubleshooting time---
Whenever making changes to permission, always leave yourself a 'backdoor' before making the change. The Backdoor will usually be giving your user full rights.
Promise yourself not to use 'Deny' or make use of it very little. Because it overrides any 'Allow' setting, a misplaced or forgotten Deny can ruin your whole day.
Document in as much detail as practical who has rights where. I generally set-up a simple Excel spreadsheet
Give permissions to Groups rather than individual users. That way, when you have a new user to add or subtract, all you have to do is add/remove his/her from the appropriate groups and the permissions will already be correct. Otherwise, you would have to go through each permission separately everytime you needed to make a user change.
hope something here helps
ASKER
The way that I understand it is that if I combine share and ntfs permissions then the sum is more restrictive. If I combine only share permissions or ntfs permissions then the sum is cumulative. Either way you can control access to your resources, but my question is still what type of situation would make you decide to use either one or both.
NTFS security can't just override share level security, at least not anything else that I have been researching.
NTFS security can't just override share level security, at least not anything else that I have been researching.
"what type of situation would make you decide to use either one or both"
Ask two experts and youll get two answers.. Theres no way to tell you, and not even MS can give you a straight answer...
I tested the NTFS override to test that my knowledge was right, and NTFS overrides the sharerights if they are stricter. I`m not aware of any situation that should not apply.. Thats the normal MS way, the stricter rule decides.. Sorry if my previous posting was unclear on that..
Ask two experts and youll get two answers.. Theres no way to tell you, and not even MS can give you a straight answer...
I tested the NTFS override to test that my knowledge was right, and NTFS overrides the sharerights if they are stricter. I`m not aware of any situation that should not apply.. Thats the normal MS way, the stricter rule decides.. Sorry if my previous posting was unclear on that..
ASKER
Here is the question that started it all. I don't think that I know how to ask the question correctly, and it is nothing against anyone. My friend is studying for his MS exams, and came across this question. By trying to understand and explain it to him I realized how little I knew about it also.
Both answers are correct, but as you can see NTFS and Share permissions are used. I would have thought that one or the other would have sufficed.
You have 2 drives on your W2K pro pc. Drive D has two folders New Research and Old Research which you want to share with the Development department over the network. These folders contain MS Word docs. You want users in the Development department to open and read the files, but do not want anyone to save files to either folder. After Sharing the folders and removing the Everyone group from the Permission page of each folder you add the Development department. You set the Full Control share permission to Allow, and enable disk quotas to each shared folder. A few days later you discover users are saving files to both folders.
Answers:
On the Security tab of the New Research folder's Properties dialogue box you should set the Read access permission to Allow for the Development department. You should repeat the process for the Old Research department.
On the Sharing tab of the New Research folder's Propery dialogue box you should set the Read Access permission to Allow for the Development department, and do the same thing for the Old Research folder.
Both answers are correct, but as you can see NTFS and Share permissions are used. I would have thought that one or the other would have sufficed.
You have 2 drives on your W2K pro pc. Drive D has two folders New Research and Old Research which you want to share with the Development department over the network. These folders contain MS Word docs. You want users in the Development department to open and read the files, but do not want anyone to save files to either folder. After Sharing the folders and removing the Everyone group from the Permission page of each folder you add the Development department. You set the Full Control share permission to Allow, and enable disk quotas to each shared folder. A few days later you discover users are saving files to both folders.
Answers:
On the Security tab of the New Research folder's Properties dialogue box you should set the Read access permission to Allow for the Development department. You should repeat the process for the Old Research department.
On the Sharing tab of the New Research folder's Propery dialogue box you should set the Read Access permission to Allow for the Development department, and do the same thing for the Old Research folder.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you!!!! Your explanation has helped.
My real life scenario:
I find share-security-settings easier to use because i can adjust them easilyer by going \\servername and rightclick the share to get all attribbs (not just read/modify) from everywhere easy and quick! The major thing as i see it is who is the owner and is allowed to change settings.
I dont like the everyone setting, because you newer know when you get "guests"... And to me thats a big fat no-no on the servers.