McKnife (Germany) asked:
NTFS and share permissions - I found a difference where there should not be any

Normally, I set share permissions to everyone: full and I only use NTFS permissions for restrictions.
Could someone please clarify why using share permissions makes a difference to using NTFS permissions in the following case:

The share permissions are everyone: change and admins:full, the NTFS permissions are everyone: read,execute and admins: full.
Whenever someone creates a new folder, he becomes the owner AND (I quote the 2003 server help):
"The owner can always change permissions on an object, even when denied all access to the object."

But, this is not the case! When the permissions are set like above, the creator is listed as owner, but he cannot change permissions.
Furthermore, and that is the big question: If I set the share permissions to everyone: full and NTFS to Everyone: change and admins: full, the owners may change permissions.

Until now, I thought this should be the same! Can someone please give me a clue why this is not the case?
------------------
Additionally, another quote from the 2003 server help:
"You can control access to shared resources with a variety of methods. You can use share permissions, which are simple to apply and manage. Or, you can use access control on the NTFS file system, which provides more detailed control of the shared resource and its contents. You can also use a combination of these methods. If you use a combination of these methods, the more restrictive permission always applies. For example, if the share permission is set to Everyone = Read (which is the default), and the NTFS permission allows users to make changes to a shared file, the share permission applies, and the user is not allowed to change the file."
I never read from Microsoft that it should make a difference, maybe there are other documents I never found.
oBdA:

No, it's not quite the same, and this is normal behaviour.
The Change permissions for Everyone for the *share* mean that "Change" is the maximum possible permission for Everyone, whatever else might be allowed through NTFS permissions. Change does not include changing the permissions, so a user, even if he is owner of a folder or file, will not be able to change the permissions (Ownership is an NTFS attribute!).
If Everyone has Full permissions for the share, then only NTFS permissions apply. In this case, the owner of a folder or file can change the permissions (as mentioned in your first quote).
McKnife (asker):

oBdA, but why aren't NTFS and share permissions interchangeable? Microsoft says "the more restrictive permission always applies" but that is not true. Like I said, if you set NTFS to be more restrictive (i.e. set to "change") - why is every owner still able to change permissions then?
McKnife - consider two approaches:

User, Tom, approaches your server and logs in locally.  Now he only has to contend with security permissions - share permissions are not a factor at all for him (thus, they're not interchangeable).

Same user Tom, now logs into his workstation and connects remotely to the same server.  The effective permissions are the combination of the share and security permissions.  Thus, since it's sometimes very complex to determine what the effective permissions are by eyeballing sharing and security permissions, many admins simply bump the share perms to everyone full control (default in 2k), and set their security settings on the NTFS volume instead.

Hope that helps...
McKnife (asker):

Hi SirBounty, I know, I know... that's not my point. I don't get why you cannot reach the same functionality using NTFS only. Using NTFS only, you cannot keep users from changing permissions if they are the owner, no matter how restrictive you get - using share permissions you can.
ASKER CERTIFIED SOLUTION
sirbounty (United States of America)
(solution text available to members only)
This is by design. The creator is the owner and, as sirbounty mentioned, this is a failsafe. Users should only access data via shares. We grant Authenticated Users: Change at the share. Thus they can never get too many permissions.

Look into the CREATOR OWNER ACE entry.  This ACE allows you to change the default way a user gets control of the file/folders they create.  The default is full control.  You can tweak this down to Change.
NTFS and share permissions look similar, but they aren't the same thing, and thus not interchangeable. When accessing a FAT partition through the network, you can apply share permissions, but obviously no NTFS permissions. Share permissions are basically just a way to provide some sort of security for file systems that don't offer other possibilities.
But it's still true that the most restrictive permissions apply; as I said, ownership is an NTFS attribute, and, from your quote: "The owner can always change permissions on an object, even when denied all access to the object.". The "Change Permissions" permission is an implicit NTFS permission for the owner of the object, so there's no contradiction here (and this permission even overrides a "Deny Change Permissions" you might have set on the folder for the Creator Owner group!).
This is a safeguard against data loss; even if an administrator is disallowed access, or a user account is deleted which had the only permissions, or if a folder's ACL becomes corrupted, an administrator can still take ownership, change the permissions, and access the file again.
McKnife (asker):

Ok folks, I will close the question. I assume, Microsoft did not put it precise enough in their help file, as in this one special case above, the more restrictive permission does not apply. I will accept Sir Bounty's answer, it is a logical explanation because on shares, you don't need this failsafe.