daveyd123

Authenticated Users vs Domain Users Group

What is the major difference between the Authenticated Users and the Domain Users Group?  When setting share or NTFS permissions, is it best practice to use the authenticated users or Domain users group and why...
beechfielder

The authenticated users group can be used to grant permissions across a forest,  but domain users is a security group for users in a specific domain.

When applying permissions it's best to be as restrictive as possible so you don't leave any unseen security holes.  You could have guests authenticating for example that would be able to get access to your accounting information if you applied Authenticated Users as opposed to an Accounting Group.  
Study question?
Well, the basic answer has been given, but they didn't elaborate on the shares thing. Share vs NTFS. It's pretty simple.
In order to access the share across the network, the user has to be in a group that has share level permissions. The easiest way to deal with them is to add change to the everyone group at the share level, and then restrict access through NTFS permissions. You can add the individual permissions to the shares, but that can get confusing, and adds another step in the process that can go wrong. Remember, KISS.
Domain Users contains all Users from the Domain the Group belongs to.
Authenticated Users contains Users from Trusted Domains too.
Best Practice is to give everyone modify permissions on the share level.
On NTFS Level grant permissions per local domain security groups.
So you do not have to change permissions on NTFS if you have to change access for a user. Just drop them from the granted group.
ASKER

Would it be best to give the Everyone, Domain Users or Authenticated Users group "Change" share permissions on a folder?
ASKER CERTIFIED SOLUTION
WeHe
The everyone group shouldn't be modified.  It's a little confusing how it works, but EVERYONE is any person that can access that share or resource.  Meaning, anyone who can successfully log on to that share.  If, for example, you were to remove the Read permission to the everyone group then NOBODY could read the folder.  If you were to remove the write permission, then NOBODY could write to the share.  This includes administrators!

If you have a share that is an admin share for read only access, remove the Permissions write, Take Ownership and Change  from the Everyone group and then do any updates locally from the machine with an Admin account.  

Most shares are a place for people to upload and download files however, so the Everyone group should be left as unrestrictive as possible.  Tighten the security with User specific or Groups to make sure that the correct people can access the share.

> The everyone group shouldn't be modified
It's not possible to modify the Everyone group. It is a special group.

> EVERYONE is any person that can access that share or resource
No. In the Everyone group are only authenticated users and the guest account.
So you must provide a username/password to the server/domain to be in the Everyone group.

> If you have a share that is an admin share for read only access, remove the Permissions write, Take Ownership and Change  from the Everyone group and then do any updates locally from the machine with an Admin account.  
What is an Adminshare for read only access?
If you need an admin share, just delete all other groups and permit only Administrators Group to access.

> Tighten the security with User specific or Groups to make sure that the correct people can access the share
MS recommendation is to put Everyone Full or Change on the share and handle permissions only in NTFS.
So do not grant rights on shares, as you will be confused sooner or later.
E.g.: If you set read-only on the share, no user will have more rights than read-only, regardless of what you set on NTFS.
And you won't remember that if you are searching for permission problems.
On the last point, I have to agree with WeHe: follow the MS best practice on shares; open the share to Change and use NTFS to restrict access.
Say I have a hard drive designated for data.  It's shared by default as D$.  I am creating a shared folder on the D drive called "shared".  In that folder will be subfolders for each department.  I need each department to be able to access and modify ONLY the documents in their respective folders.

Permission-wise... I would set the NTFS permissions on the D$ share to Everyone (Read&Execute, List Folder Contents, Read).  In the D$ drive, the shared folder named "shared" would have Everyone (Change) share permissions and Everyone (Read&Execute, List Folder Contents, Read) NTFS permissions.  In the shared folder named "shared", create folders for each department.  The NTFS permissions on each department folder would not inherit permissions and I would grant Modify rights for the department's Security Group on each respective folder...

Correct?
Don't touch the D$ share. It's for admin purposes only. Only Administrators should have rights there.
Create one Group "Share_List".
Create one Group per Department (Share_DepartmentX_Modify) and put them into "Share_List" Group.
Uncheck "Inherit from parent ..." for "Share" folder.
Share d:\share as "Share", set Share permissions "Everyone - Change" and NTFS to "Share_List - List folder contents".
Set NTFS permissions for each DepartmentX folder to "Share_DepartmentX - Modify".
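
The layout described in the last post, scripted as an added example (not code from any poster in this thread). The domain name `CONTOSO`, the department names and the explicit Administrators/SYSTEM entries are assumptions; run it on the file server with the ActiveDirectory module available.

```powershell
# Added example: domain, departments and admin ACEs below are assumptions.
Import-Module ActiveDirectory

$Domain      = 'CONTOSO'                # assumed NetBIOS domain name
$Root        = 'D:\Share'               # folder from the post
$Departments = 'Accounting', 'Sales'    # assumed department names

# One group that may list the share root; department groups get nested into it.
New-ADGroup -Name 'Share_List' -GroupScope DomainLocal -GroupCategory Security
New-Item -Path $Root -ItemType Directory -Force | Out-Null

# Break inheritance on the root so nothing from D:\ (e.g. Users) flows down.
# Administrators and SYSTEM are re-added explicitly so the tree stays manageable.
# Share_List gets Read & Execute on this folder only, which is enough to list it;
# "this folder only" is a choice of this example, the post just says
# "List folder contents".
icacls $Root /inheritance:r /grant `
    'BUILTIN\Administrators:(OI)(CI)(F)' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)(F)' `
    "${Domain}\Share_List:(RX)"

foreach ($Dept in $Departments) {
    $Group  = "Share_${Dept}_Modify"
    $Folder = Join-Path $Root $Dept

    New-ADGroup -Name $Group -GroupScope DomainLocal -GroupCategory Security
    Add-ADGroupMember -Identity 'Share_List' -Members $Group

    New-Item -Path $Folder -ItemType Directory -Force | Out-Null
    # Modify on the department folder, its subfolders and files.
    icacls $Folder /grant "${Domain}\${Group}:(OI)(CI)(M)"
}

# Share level stays wide open (Everyone - Change); NTFS does the restricting.
New-SmbShare -Name 'Share' -Path $Root -ChangeAccess 'Everyone'

# Check the result: share ACL first, then the NTFS ACL of the root and each folder.
Get-SmbShareAccess -Name 'Share'
icacls $Root
Get-ChildItem -Path $Root -Directory | ForEach-Object { icacls $_.FullName }
```

Access for a person is then changed by adding or removing their account in the matching `Share_<Department>_Modify` group, without touching the ACLs again.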