zinno

asked on

groups & permissions on domain

I have Windows 2003 and I really don't get it.

What I want to do: every user that authenticates on the domain should have no rights on file/server access.

So I create a group, "group1".
When I set permissions for this group, people can't access the share. Only when I add the built-in "domain users" to the permissions, like setting it to "list folders/read/write", can I access the folder.

This makes no sense, tbh.

How do I place people in a group and assign that group permissions for a folder/share on the domain?

Or do I need to set read/write/list for "user group" on all folders
and, with my "group1", start denying access to, for example, "write"???
Brian

Right click on the group and go to properties.  From there click on the Members tab and you should be able to add the users you want.

Brian
First, you have the basic theory correct, in that you should only give permissions to groups, not individual users.  But remember that permissions are a combination of Share and NTFS, in that the most restrictive permission takes precedence.  If you give Group1 only Read Share permission, but give them Full Control NTFS, Read will be the only thing they can do.  This works the other way with just NTFS or Share permissions alone, whereas it is the combination of permissions that provides access.

Regarding your groups, make sure you are creating Security Groups and NOT Distribution Groups.  (Distribution Groups are basically mailing lists, not security groups.)  Then place your users in these groups.  If you are only running a small domain, then use Domain Local Groups, as these are the proper groups to create for applying permissions on files/folders.

FE
Once your group is created, place your users in the group.  This can be done via the group's Members tab, or the Member Of tab in the user's properties box...  When you have added your users, then just go to the share, and share the object/resource (file/folder).  Click the Permissions button on the Share tab, and add your group with the correct share permissions..  Then, go to the Security tab, and add the group again there, with the proper NTFS permissions...

That is all there is to it!

FE
Oh...  one more thing!!  Your users will have to log off and then log back in to get the correct security identifiers for the share...!!!  These security 'descriptors' define what kind of access they will get for the share, and are given at logon.. so if you create a share, and the user has their old descriptor, they will not be able to access it till they get a new one!

FE
Hey FE,

Sometimes I feel it is my mission in life to make everyone change their thinking with the way permissions are assigned.

I think a better way to describe the combination of Share and NTFS permissions is that the effective permissions are the permissions that are common between the two types of permissions, not the most restrictive.  Here is my justification for that:

What would the permission be if we used the Most Restrictive rule in this case: if I grant a group Read Share permission and Write NTFS permission?  Which one is more restrictive?  Neither of them, and your effective permission would be No Access and you would be implicitly denied.

If you use my rule which is the permissions they have in common then that would have worked from the beginning.  There is nothing in common between Read and Write.  They are two independent permissions and thus there would be No Access.

If a group was granted Change Share permission and Read NTFS permission then the effective permission would be Read since Read is part of Change.  Again it is the permission they have in common.

Not trying to argue your point but I just feel it is my mission in life to change the way people do this.


Brian
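A small model of the "what they have in common" rule from the post above, added here as an example and not code from any of the posters. The split of Share levels (Read/Change/Full Control) and NTFS basic permissions into atomic rights is a constructed simplification, and the sample ACLs and group memberships are made up; it also handles the deny entries a real ACL can carry, which the post does not mention.

```python
"""Model of access to a Windows share: the share ACL and the NTFS ACL are
evaluated separately and the user keeps only the rights BOTH of them grant.
Decomposing permission levels into atomic rights is a constructed simplification."""
from enum import Flag, auto

class R(Flag):
    LIST = auto()
    READ = auto()
    EXECUTE = auto()
    WRITE = auto()
    DELETE = auto()
    CHANGE_PERMS = auto()

NONE = R(0)
# Share permission levels (Read / Change / Full Control), simplified.
SHARE_READ = R.LIST | R.READ | R.EXECUTE
SHARE_CHANGE = SHARE_READ | R.WRITE | R.DELETE
SHARE_FULL = SHARE_CHANGE | R.CHANGE_PERMS
# NTFS basic permissions, simplified to the same atomic rights.
NTFS_READ = R.LIST | R.READ
NTFS_WRITE = R.WRITE
NTFS_MODIFY = NTFS_READ | R.EXECUTE | R.WRITE | R.DELETE
NTFS_FULL = NTFS_MODIFY | R.CHANGE_PERMS

def acl_rights(acl, groups):
    """Rights one ACL grants a token holding `groups`: the union of allow
    entries for any of those groups, minus explicit deny entries (a deny on
    any group in the token wins over an allow). acl = [(principal, kind, rights)]."""
    allowed, denied = NONE, NONE
    for principal, kind, rights in acl:
        if principal in groups:
            if kind == "allow":
                allowed |= rights
            else:
                denied |= rights
    return allowed & ~denied

def effective(share_acl, ntfs_acl, groups):
    """Brian's rule: the effective rights are those the share ACL and the NTFS ACL have in common."""
    return acl_rights(share_acl, groups) & acl_rights(ntfs_acl, groups)

def describe(rights):
    return "No Access" if rights == NONE else ", ".join(r.name for r in R if r in rights)

if __name__ == "__main__":
    token = {"group1", "Domain Users", "Everyone"}  # constructed sample logon token
    # Read share + Write NTFS: nothing in common, so the user is implicitly denied.
    print(describe(effective([("group1", "allow", SHARE_READ)],
                             [("group1", "allow", NTFS_WRITE)], token)))  # No Access
```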
zinno

ASKER

What you tell me is the issue; it's vague. In every manual/Google result, it's very vague ...

Just to test it:

Create a group with a user.

Give this group full control on shares, NTFS, permissions.

So if you check the "Security" tab you have only 2 groups there:

"administrators" & "group"

The user in "group" gets a nice "access denied", as long as you don't add the "domain users" group to the permissions tabs.

Another way to look at it: when I create a new security group, why isn't it setting both permissions for the domain users group?
BTW:  In Active Directory, create your groups in an organized way.  For instance, on my DCs, I create OUs (containers) in my domain tree that define my organizational structure, like Finance / HumanResources / etc., and create my groups there.  So, I have a Finance OU (Organizational Unit) and then within that OU, I have DL_FinanceManagers and DL_FinanceUsers (DL for Domain Local Group).  Then I put the Finance Users in that OU, and assign them to a corresponding group..

Keep your ADUC organized, that is the key to easy management.

FE
ASKER CERTIFIED SOLUTION
Fatal_Exception
Yes, Mkb, you are correct, and I suppose the thinking regarding mixing these two permissions should be re-addressed!  We get this theory pounded into us when taking the exams, and it sticks with us afterwards, eh?  :)
lol, how can we forget AGDLP ;-)
zinno

ASKER

Have your users log out and log back in

arf details :/
I prefer the old NT saying of UGLY.  I guess it isn't so PC any more.  ;-)


Brian
*grin*  and now with 2003, we have AUGDLP, or is it just GULP?  

Thanks, and hope all goes well!

FE