Solved

Simple Share/NTFS Security question

Posted on 2006-06-07
Last Modified: 2010-08-05
I have a single share ("shared").  Under this share, I have 8-10 subdirectories, not shared out individually, but with NTFS permissions on each folder so that departmental "managers" can create and delete subfolders and "users" cannot, but CAN create files, etc...

My problem is that since I have "Authenticated Users" listed in the Share Permissions (Read/Change), anyone can create a subdirectory at the top level of the Share!!  Any way to remedy this without creating individual shares for each subdirectory?  The reason I did it this way is so that all users see the same "share", yet only have access to their Departmental folders via Security Groups....Thanks.
Question by:tenover
13 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16857276
Hi tenover,

try removing authenticated users and adding your AD groups in at the root of the share

or use the everyone group and deny writing on the root of the share
0
 

Author Comment

by:tenover
ID: 16857298
You mean removing Authenticated Users from the Root Share's NTFS permissions, then adding the "Everyone" group and then denying the Everyone Group "Create Folders" in the root?
0
 

Author Comment

by:tenover
ID: 16857311
I want NO ONE to be able to create folders or files at the Share's root, except Domain Admins, but I want everyone to see what's under the root.
0

 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16857318
tenover,

no, not denying the group, just untick modify.. then add your appropriate permissions for users you want to edit
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16857332
also make sure that your share permissions and your security permissions match

any deny that you put in will override anything else, so if you deny the everyone group you are effectively denying EVERYONE inclusive of any exceptions you make for admins
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16859639
On the root folder, change the NTFS permissions for Authenticated Users from "This Folder, Subfolders and Files" to just "Subfolders and Files" in the Advanced NTFS security settings.  There is no reason to use the DENY setting with this method.  If you DENY "Everyone" that would include Administrators as well... not a good thing.

You should have the share permissions set to Everyone > Full Control.  The NTFS permissions will override this, but it will allow the ability to do what's needed wherever you provide the permissions in NTFS.

Jeff
TechSoEasy

0
 

Author Comment

by:tenover
ID: 16863374
This is driving me nuts!!  I thought you nailed it, but it's still not working.  On the root share ("Shared"), I have the following set as the Share Permissions:
- Domain Admins = Full Control
- Everyone = Full Control

The NTFS Permissions for the root share ("Shared") are:

- Domain Admins =Full Control
- Authenticated Users (Advanced + Subfolders and Files Only) = everything EXCEPT "Full Control", "Take Ownership" and "Change Permissions".

I can still login as one of my "General Lab Users" and create a new folder, and delete it, in the root share ("Shared")....
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16864177
Yeah... not quite... it's kinda difficult because you want to maintain the folder structure and not let users modify those... there is a big overview here:
http://searchwindowssecurity.techtarget.com/searchWindowsSecurity/downloads/ExamCram.pdf

But, this would really be much better handled with SharePoint.  Are you using SharePoint?  Have you considered it?  It's a free add-on to Windows Server 2003.

http://www.microsoft.com/windowsserver2003/technologies/sharepoint/default.mspx

Jeff
TechSoEasy
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16866645
give authenticated users "list folder contents" under NTFS permissions
0
 

Author Comment

by:tenover
ID: 16897505
Still not working.  
One Share, 5 subdirectories.  
Share Permissions on the one share are:
- Domain Admins = Full Control
- Everyone = Full Control

NTFS Security on the one share are:
- Domain Admins = Full Control
- Authenticated Users = List Contents ONLY (only box selected in Advanced Security Settings)

Each Subdirectory has a "users" group and a "Managers" group, and all those permissions are working beautifully within each folder, however it seems that any authenticated user can access the main share and create (and DELETE!!) directories in the root of the share, which is what I need to stop so that things stay organized.  

Not sure where the problem lies here.....
0
 

Author Comment

by:tenover
ID: 16897673
I just explicitly DENIED the "Everyone" Group for Create Files and Create Folders for "This folder only", and that works great....Just curious as to why I have to Deny them.....
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 2000 total points
ID: 16897910
Don't use DENY with "Everyone" because that will require even Administrators to remove that parameter before making any changes -- unless you want it this way.  

You would be much better off creating a Security Group for regular users and then just giving them a DENY instead.  Also, Make sure that ALL of your folders have SYSTEM with Full Control.

I'm not entirely sure why users can still add/delete folders on the top folder unless it's because "Authenticated Users" is a member of a group that has Administrative privileges.  You should really try using "Domain Users" instead, by the way.

Jeff
TechSoEasy
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16898497
i agree with Jeff, there are always ways around using the DENY permission and never should that deny permission hit the everyone group
0
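
An added example, not written by any poster in this thread: a PowerShell check that lists which ACEs grant or deny create/delete rights on a root folder itself, as opposed to ACEs scoped "Subfolders and files only", and that includes inherited ACEs when run against a real folder. The sample ACLs are constructed in memory, BUILTIN\Administrators stands in for Domain Admins, and the function names and the `D:\Shared` path are hypothetical.

```powershell
# Added example. ACLs are constructed in memory; nothing is read from or written to disk.
$SidType   = [System.Security.Principal.SecurityIdentifier]
$Rights    = [System.Security.AccessControl.FileSystemRights]
# Rights that let a principal add or remove entries directly inside a folder.
$RootWrite = [int]($Rights::CreateFiles -bor $Rights::CreateDirectories -bor
                   $Rights::Delete -bor $Rights::DeleteSubdirectoriesAndFiles)

function Get-RootWriteAce {
    param([Parameter(Mandatory)][System.Security.AccessControl.DirectorySecurity]$Acl)
    # Explicit and inherited ACEs, identities returned as SIDs (no name lookup needed).
    foreach ($ace in $Acl.GetAccessRules($true, $true, $SidType)) {
        # "Subfolders and files only" ACEs carry InheritOnly and do not apply to the folder itself.
        $inheritOnly = [bool]($ace.PropagationFlags -band
                              [System.Security.AccessControl.PropagationFlags]::InheritOnly)
        $hit = [int]$ace.FileSystemRights -band $RootWrite
        if (-not $inheritOnly -and $hit) {
            [pscustomobject]@{
                Sid       = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
                Rights    = [System.Security.AccessControl.FileSystemRights]$hit
            }
        }
    }
}

function New-SampleRootAcl {
    # Constructed sample: the root-folder ACL described in the thread, with a selectable scope.
    param([ValidateSet('None', 'InheritOnly')][string]$UserPropagation)
    $rule   = 'System.Security.AccessControl.FileSystemAccessRule'
    $acl    = New-Object System.Security.AccessControl.DirectorySecurity
    $admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators
    $users  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'      # Authenticated Users
    $ciOi   = 'ContainerInherit, ObjectInherit'
    $acl.AddAccessRule((New-Object $rule -ArgumentList $admins, 'FullControl', $ciOi, 'None', 'Allow'))
    $acl.AddAccessRule((New-Object $rule -ArgumentList $users,
        'Modify, DeleteSubdirectoriesAndFiles', $ciOi, $UserPropagation, 'Allow'))
    return $acl
}

# InheritOnly = "Subfolders and files only"; None = "This folder, subfolders and files".
foreach ($scope in 'InheritOnly', 'None') {
    "Authenticated Users ACE propagation = $scope"
    Get-RootWriteAce -Acl (New-SampleRootAcl -UserPropagation $scope) | Format-Table -AutoSize
}
# On a file server, the same check against a real folder (hypothetical path):
#   Get-RootWriteAce -Acl (Get-Acl 'D:\Shared')
```

Any row with `Inherited = True` comes from a parent folder or the volume root rather than from the entries edited on the folder itself.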
