tenover

Simple Share/NTFS Security question

I have a single share ("shared").  Under this share, I have 8-10 subdirectories, not shared out individually, but with NTFS permissions on each folder so that departmental "managers" can create and delete subfolders and "users" cannot, but CAN create files, etc...

My problem is that since I have "Authenticated Users" listed in the Share Permissions (Read/Change), anyone can create a subdirectory at the top level of the Share!!  Any way to remedy this without creating individual shares for each subdirectory?  The reason I did it this way is so that all users see the same "share", yet only have access to their Departmental folders via Security Groups....Thanks.

Jay_Jay70

Hi tenover,

Try removing Authenticated Users and adding your AD groups in at the root of the share,

or use the Everyone group and deny writing on the root of the share.

tenover (ASKER)

You mean removing Authenticated Users from the root share's NTFS permissions, then adding the "Everyone" group and denying the Everyone group "Create Folders" in the root?

tenover (ASKER)

I want NO ONE to be able to create folders or files at the Share's root, except Domain Admins, but I want everyone to see what's under the root.
tenover,

No, not denying the group, just untick Modify... then add your appropriate permissions for the users you want to edit.
Also make sure that your share permissions and your security permissions match.

Any deny that you put in will override anything else, so if you deny the Everyone group you are effectively denying EVERYONE, inclusive of any exceptions you make for admins.

Jeffrey Kane - TechSoEasy
On the root folder, change the NTFS permissions for Authenticated Users from "This Folder, Subfolders and Files" to just "Subfolders and Files" in the Advanced NTFS security settings.  There is no reason to use the DENY setting with this method.  If you DENY "Everyone" that would include Administrators as well... not a good thing.

You should have the share permissions set to Everyone > Full Control.  The NTFS permissions will override this, but it will allow the ability to do what's needed wherever you provide the permissions in NTFS.

Jeff
TechSoEasy

tenover (ASKER)

This is driving me nuts!!  I thought you nailed it, but it's still not working.  On the root share ("Shared"), I have the following set as the Share Permissions:
- Domain Admins = Full Control
- Everyone = Full Control

The NTFS Permissions for the root share ("Shared") are:

- Domain Admins =Full Control
- Authenticated Users (Advanced + Subfolders and Files Only) = everything EXCEPT "Full Control", "Take Ownership" and "Change Permissions".

I can still log in as one of my "General Lab Users" and create a new folder, and delete it, in the root share ("Shared")....

Yeah... not quite... it's kinda difficult because you want to maintain the folder structure and not let users modify those... there is a big overview here:
http://searchwindowssecurity.techtarget.com/searchWindowsSecurity/downloads/ExamCram.pdf

But, this would really be much better handled with SharePoint.  Are you using SharePoint?  Have you considered it?  It's a free add-on to Windows Server 2003.

http://www.microsoft.com/windowsserver2003/technologies/sharepoint/default.mspx

Jeff
TechSoEasy

Give Authenticated Users "List Folder Contents" under NTFS permissions.

tenover (ASKER)

Still not working.
One Share, 5 subdirectories.

Share Permissions on the one share are:
- Domain Admins = Full Control
- Everyone = Full Control

NTFS Security on the one share are:
- Domain Admins = Full Control
- Authenticated Users = List Contents ONLY (only box selected in Advanced Security Settings)

Each Subdirectory has a "users" group and a "Managers" group, and all those permissions are working beautifully within each folder, however it seems that any authenticated user can access the main share and create (and DELETE!!) directories in the root of the share, which is what I need to stop so that things stay organized.  

Not sure where the problem lies here.....

tenover (ASKER)

I just explicitly DENIED the "Everyone" Group for Create Files and Create Folders for "This folder only", and that works great.... Just curious as to why I have to Deny them.....

ASKER CERTIFIED SOLUTION
Jeffrey Kane - TechSoEasy

I agree with Jeff, there are always ways around using the DENY permission, and never should that deny permission hit the Everyone group.
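
An added example, not part of the thread or any poster's code: a PowerShell check for the situation described above, where a user can still create and delete folders in the share root after the Authenticated Users entry was restricted. It lists every Allow ACE that applies to the folder itself and grants create or delete rights, inherited entries included; the function name `Get-RootWriteAce` and the path `D:\Shared` are assumptions.

```powershell
# Added example (hypothetical helper, not from the thread).
# Lists Allow ACEs that let an identity create or delete items directly
# in a folder. ACEs flagged InheritOnly ("Subfolders and files only")
# do not apply to the folder itself, so they are skipped.
function Get-RootWriteAce {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $rights = [System.Security.AccessControl.FileSystemRights]
    $prop   = [System.Security.AccessControl.PropagationFlags]

    # Rights that allow creating or deleting entries in the folder itself.
    $mask = [int]$rights::CreateFiles -bor
            [int]$rights::CreateDirectories -bor
            [int]$rights::Delete -bor
            [int]$rights::DeleteSubdirectoriesAndFiles
    $inheritOnly = [int]$prop::InheritOnly

    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.PropagationFlags -band $inheritOnly) -eq 0) -and
        (([int]$_.FileSystemRights -band $mask) -ne 0)
    } | Select-Object IdentityReference, FileSystemRights,
                      IsInherited, InheritanceFlags, PropagationFlags
}

# Usage (D:\Shared is an assumed location for the "Shared" folder):
#   Get-RootWriteAce -Path 'D:\Shared' | Format-Table -AutoSize
```

Any identity in the output that the test account belongs to, directly or through a group, explains the behaviour; rows with `IsInherited` set to `True` come from the parent folder or volume rather than from entries set on the share root.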