tenover
asked on
Simple Share/NTFS Security question
I have a single share ("shared"). Under this share, I have 8-10 subdirectories, not shared out individually, but with NTFS permissions on each folder so that departmental "managers" can create and delete subfolders and "users" cannot, but CAN create files, etc...
My problem is that since I have "Authenticated Users" listed in the Share Permissions (Read/Change), anyone can create a subdirectory at the top level of the Share!! Any way to remedy this without creating individual shares for each subdirectory? The reason I did it this way is so that all users see the same "share", yet only have access to their Departmental folders via Security Groups....Thanks.
ASKER
You mean Remove Authenticated Users from the Root Share's NTFS permissions, and then adding the "Everyone" group and then denying the Everyone Group to "Create Folders" in the root?
ASKER
I want NO ONE to be able to create folders or files at the Share's root, except Domain Admins, but I want everyone to see what's under the root.
tenover,
no not denying the group, just untick modify.. then add your approp permissions for users you want to edit
also make sure that your share permissions and your security permissions match
any deny that you put in will override anything else, so if you deny the everyone group you are effectively denying EVERYONE inclusive of any exceptions you make for admins
On the root folder, change the NTFS permissions for Authenticated Users from "This Folder, Subfolders and Files" to just "Subfolders and Files" in the Advanced NTFS security settings. There is no reason to use the DENY setting with this method. If you DENY "Everyone" that would include Administrators as well... not a good thing.
You should have the share permissions set to Everyone > Full Control. The NTFS permissions will override this, but it will allow the ability to do what's needed wherever you provide the permissions in NTFS.
Jeff
TechSoEasy
ASKER
This is driving me nuts!! I thought you nailed it, but it's still not working. On the root share ("Shared"), I have the following set as the Share Permissions:
- Domain Admins = Full Control
- Everyone = Full Control
The NTFS Permissions for the root share ("Shared") are:
- Domain Admins =Full Control
- Authenticated Users (Advanced + Subfolders and Files Only) = everything EXCEPT "Full Control", "Take Ownership" and "Change Permissions".
I can still login as one of my "General Lab Users" and create a new folder, and delete it, in the root share ("Shared")....
Yeah... not quite... it's kinda difficult because you want to maintain the folder structure and not let users modify those... there is a big overview here:
http://searchwindowssecurity.techtarget.com/searchWindowsSecurity/downloads/ExamCram.pdf
But, this would really be much better handled with SharePoint. Are you using SharePoint? Have you considered it? It's a free add-on to Windows Server 2003.
http://www.microsoft.com/windowsserver2003/technologies/sharepoint/default.mspx
Jeff
TechSoEasy
give authenticated users list folder contents under NTFS permissions
ASKER
Still not working.
One Share, 5 subdirectories.
Share Permissions on the one share are: Domain Admins=Full Control
Everyone =Full Control
NTFS Security on the one share are: Domain Admins=Full Control
Authenticated Users=List Contents ONLY (only box selected in Advanced Security Settings)
Each Subdirectory has a "users" group and a "Managers" group, and all those permissions are working beautifully within each folder, however it seems that any authenticated user can access the main share and create (and DELETE!!) directories in the root of the share, which is what I need to stop so that things stay organized.
Not sure where the problem lies here.....
ASKER
I just explicitly DENIED the "Everyone" Group for Create Files and Create Folders for "This folder only", and that works great....Just curious as to why I have to Deny them.....
i agree with Jeff, there are always ways around using the DENY permission and never should that deny permission hit the everyone group
try removing authenticated users and adding your AD groups in at the root of the share
or use the everyone group and deny writing on the root of the share
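Added example, not part of the original thread: a PowerShell script that lists every Allow ACE that actually takes effect on the share root and includes "Create files" or "Create folders" (inherited ones included), and, with `-Apply`, rebuilds the root ACL from Allow entries only so no Deny is needed. The path `D:\Shared`, the group names, and the availability of `icacls` on the server are assumptions.

```powershell
# Added example. D:\Shared and the group names are assumptions; adjust to your environment.
param(
    [string]$Root = 'D:\Shared',
    [switch]$Apply                 # without -Apply the script only reports
)

$create = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                [System.Security.AccessControl.FileSystemRights]::CreateDirectories)
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-RootCreateAce {
    param([string]$Path)
    # Allow ACEs that apply to the folder itself (not inherit-only) and
    # include "Create files" or "Create folders". IsInherited shows whether
    # the entry comes from the parent (for example the volume root).
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.PropagationFlags -band $inheritOnly) -eq 0) -and
        (([int]$_.FileSystemRights -band $create) -ne 0)
    } | Select-Object IdentityReference, FileSystemRights, IsInherited, InheritanceFlags
}

"ACEs that allow creating items directly in ${Root}:"
Get-RootCreateAce -Path $Root | Format-Table -AutoSize

if ($Apply) {
    # Grant the admin entries first, then drop inherited ACEs, so the
    # administrators are never locked out part-way through.
    icacls $Root /grant:r 'SYSTEM:(OI)(CI)F'
    icacls $Root /grant:r 'Domain Admins:(OI)(CI)F'

    # No (OI)/(CI) flags means "This folder only": users can list and
    # traverse the root but are granted no create right there, and the
    # entry is not inherited by the departmental folders.
    icacls $Root /grant:r 'Authenticated Users:RX'

    # Stop inheriting from the parent and discard the inherited entries.
    icacls $Root /inheritance:r

    # Anything still listed here is an explicit grant left on the root;
    # remove it with: icacls $Root /remove:g '<principal>'
    "Remaining create-capable ACEs on ${Root}:"
    Get-RootCreateAce -Path $Root | Format-Table -AutoSize
}
```

Run it without `-Apply` first: if the report shows an inherited entry for a group the users belong to, that entry explains why changing only the "Authenticated Users" ACE had no effect.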