Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Strange shared folder issue

Posted on 2005-03-17
Medium Priority
Last Modified: 2013-12-04
I have a folder shared out on a Windows 2003 Enterprise Edition server.  The server is a member of a 2003 AD.  I can't say for sure if the server is in 2003 native mode, but I'm pretty sure it is.  I don't think it matters for this question though, but I'm not sure so I will give the info I have.

The share is set up as such:

Share Permissions:  "Everyone" group has Read permissions
NTFS Security Permissions:  "Administrators" inherit full control, "Everyone" group has been explicitly granted allow read & execute, list contents and read permissions.  Users inherit Read & Execute, List Contents and Read.  SYSTEM has full control.  Creator Owner is listed but is not explicitly granted any permissions (allow or deny).

There are no other entries in either the ACL or the Share permission setup.

When I am logged in as any domain user, I can access the share just fine by typing in \\server\share

However, if I log in as a local user account (the local administrator account on a machine for example), I am prompted for a password when accessing the share.

The "everyone" permissions are not inherited.  There is not Access Control Entry in the root of the drive for "everyone"...just in my shared folder.

I can get into the share once I put in any domain credentials, but I'm very confused by this..."Everyone" read permissions means EVERYONE can access it, right?  If I wanted to require authentication I would put in "Authenticated Users" or "Domain Users" or other domain security groups or users I want to grant access to.

I'm pretty familiar with file shares and NTFS security permissions, but I've never run into a situation where I was prompted for a password with "Everyone" in the access control list.  Anyone shine any light on this for me?
Question by:mslunecka
  • 3
  • 2
LVL 15

Expert Comment

ID: 13568170
This is working correctly, as a local computer user you have to authenticate to the domain when you connect. Even though share permissions say read for everyone, what do the NTFS permissions say for everyone? The easiest way to handle the permissions game is to give full control to everyone at the share level and then control the access at the ntfs level. Chances are you just need to put everyone in the ntfs acl and give them the level of access you desire. The reason I say to give full control to everyone at the share level, is now you only have to deal with NTFS, it becomes a lot less confusing

Author Comment

ID: 13568289
Share permissions for Everyone are set at "read" and NTFS permissions for everyone  in the NTFS ACL is set for "Read & Execute" "List Contents" and "read"

I'll try going with Full Control on the File share Permissions.  I know the recommendation is to give Full Access in the share permissions and then do restrictions in NTFS, but I usually do both just to be safe.

Author Comment

ID: 13568370
No luck with increasing Everyone share permissions to Full Control.  I still can't access the share without authenticating.  
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

LVL 25

Accepted Solution

mikeleebrla earned 2000 total points
ID: 13569592
i think you are confusing what the EVERYONE group is,,, the everyone group consists of every domain account and every local account of the local machine.  If you are talking about accessing a share from a remote computer while you are logged into the remote computer with a local account, then that accout is local to the remote computer, not the local one where the share is.  That is why you are being prompted for authentication, b/c the account you are using is not a domain account and it is not a local account on the machine where the share is.  As usual the OS is operating just as it was engineered.  If you want truly ANYONE to be able to access the share you can do this with an anonymous user account such as the IUSR account that is desinged for public access to IIS (web server)
LVL 25

Expert Comment

ID: 13595175
thanks for the A grade,, just remember,, everyone doesn't mean ANYone.

Author Comment

ID: 13595243
No problem.  Thanks for clarifying that for me.  I always thought Everyone was basically the same as allowing anonymous user access.

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
this video summaries big data hadoop online training demo (http://onlineitguru.com/big-data-hadoop-online-training-placement.html) , and covers basics in big data hadoop .
Enter Foreign and Special Characters Enter characters you can't find on a keyboard using its ASCII code ... and learn how to make a handy reference for yourself using Excel ~ Use these codes in any Windows application! ... whether it is a Micr…
Suggested Courses

577 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question