Strange shared folder issue

Posted on 2005-03-17
Medium Priority
Last Modified: 2013-12-04
I have a folder shared out on a Windows 2003 Enterprise Edition server.  The server is a member of a 2003 AD.  I can't say for sure if the server is in 2003 native mode, but I'm pretty sure it is.  I don't think it matters for this question though, but I'm not sure so I will give the info I have.

The share is set up as such:

Share Permissions:  "Everyone" group has Read permissions
NTFS Security Permissions:  "Administrators" inherit full control, "Everyone" group has been explicitly granted allow read & execute, list contents and read permissions.  Users inherit Read & Execute, List Contents and Read.  SYSTEM has full control.  Creator Owner is listed but is not explicitly granted any permissions (allow or deny).

There are no other entries in either the ACL or the Share permission setup.

When I am logged in as any domain user, I can access the share just fine by typing in \\server\share

However, if I log in as a local user account (the local administrator account on a machine for example), I am prompted for a password when accessing the share.

The "everyone" permissions are not inherited.  There is no Access Control Entry in the root of the drive for "everyone"...just in my shared folder.

I can get into the share once I put in any domain credentials, but I'm very confused by this..."Everyone" read permissions means EVERYONE can access it, right?  If I wanted to require authentication I would put in "Authenticated Users" or "Domain Users" or other domain security groups or users I want to grant access to.

I'm pretty familiar with file shares and NTFS security permissions, but I've never run into a situation where I was prompted for a password with "Everyone" in the access control list.  Anyone shine any light on this for me?
Question by:mslunecka
LVL 15

Expert Comment

ID: 13568170
This is working correctly; as a local computer user you have to authenticate to the domain when you connect. Even though share permissions say read for everyone, what do the NTFS permissions say for everyone? The easiest way to handle the permissions game is to give full control to everyone at the share level and then control the access at the NTFS level. Chances are you just need to put everyone in the NTFS ACL and give them the level of access you desire. The reason I say to give full control to everyone at the share level is that now you only have to deal with NTFS, so it becomes a lot less confusing.

Author Comment

ID: 13568289
Share permissions for Everyone are set at "Read" and NTFS permissions for Everyone in the NTFS ACL are set for "Read & Execute", "List Contents" and "Read".

I'll try going with Full Control on the File share Permissions.  I know the recommendation is to give Full Access in the share permissions and then do restrictions in NTFS, but I usually do both just to be safe.

Author Comment

ID: 13568370
No luck with increasing Everyone share permissions to Full Control.  I still can't access the share without authenticating.  

LVL 25

Accepted Solution

mikeleebrla earned 2000 total points
ID: 13569592
I think you are confusing what the EVERYONE group is. The Everyone group consists of every domain account and every local account of the local machine.  If you are talking about accessing a share from a remote computer while you are logged into the remote computer with a local account, then that account is local to the remote computer, not the local one where the share is.  That is why you are being prompted for authentication, because the account you are using is not a domain account and it is not a local account on the machine where the share is.  As usual, the OS is operating just as it was engineered.  If you want truly ANYONE to be able to access the share you can do this with an anonymous user account such as the IUSR account that is designed for public access to IIS (web server).
LVL 25

Expert Comment

ID: 13595175
Thanks for the A grade. Just remember, everyone doesn't mean ANYone.

Author Comment

ID: 13595243
No problem.  Thanks for clarifying that for me.  I always thought Everyone was basically the same as allowing anonymous user access.
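
The difference between Everyone and anonymous access discussed in this thread can be checked on the file server itself. The PowerShell below is an added example, not part of the original thread: the folder path is a placeholder, and it reads the standard Windows settings `EveryoneIncludesAnonymous`, `RestrictNullSessAccess` and `NullSessionShares`, then reports which allow entries in the folder's NTFS ACL an anonymous session could match. It inspects the NTFS ACL only, not the share-level permissions.

```powershell
# Added example, not from the thread. Run on the file server itself.
param([string]$Path = 'C:\Shares\Example')  # placeholder path: set to the shared folder

$Everyone  = 'S-1-1-0'   # well-known SID: Everyone
$Anonymous = 'S-1-5-7'   # well-known SID: ANONYMOUS LOGON

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns nothing when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1 = anonymous tokens also carry the Everyone SID; 0 or absent = they do not.
$anonIsEveryone = (Get-RegValue $lsa 'EveryoneIncludesAnonymous') -eq 1
# 0 = null sessions may open any share; otherwise only those in NullSessionShares.
$nullRestricted = (Get-RegValue $srv 'RestrictNullSessAccess') -ne 0
$nullShares     = @(Get-RegValue $srv 'NullSessionShares') | Where-Object { $_ }

"EveryoneIncludesAnonymous : $anonIsEveryone"
"Null sessions restricted  : $nullRestricted"
"NullSessionShares         : $($nullShares -join ', ')"

# Read the NTFS ACL with identities returned as SIDs, so localized names do not matter.
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules   = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)

foreach ($rule in $rules) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    $sid = $rule.IdentityReference.Value
    if ($sid -eq $Anonymous -or ($sid -eq $Everyone -and $anonIsEveryone)) {
        "ANONYMOUS CAN MATCH : $sid allows $($rule.FileSystemRights)"
    }
    elseif ($sid -eq $Everyone) {
        "LOGON REQUIRED      : Everyone allows $($rule.FileSystemRights); anonymous tokens do not carry this SID"
    }
}
```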
