Solved

fodler share security

Posted on 2006-11-10
4
207 Views
Last Modified: 2013-12-04
What is the difference between setting security on the share tab for a folder in windows 2000 and setting security on the security tab of a folder in windows 2000?

Please explain also how setting security in one versus the other affects access.
0
Comment
Question by:markkurten
  • 2
4 Comments
 
LVL 29

Accepted Solution

by:
Nightman earned 100 total points
ID: 17918832
Security via the share allows access to the share name via the network share.
Security via the security tab manages access to the physical folder/files on disk.

Access to the folder on disk allows access to the user, but no access via the share means that the user still cannot access the files via the network. The user would have to log on to the PC to access the folder. So a user may have full local permissions on a folder (and the files) from the local machine, but be prevented from updating (or even viewing) them accross the network.

Access via the share allows access to the network resource, but no access to the files on disk means that the user still can't do anything with them.

Does this makes things clearer or worse?
0
 

Author Comment

by:markkurten
ID: 17919161
thats exactly what i'm looking for - thank you..

so you can have a share and give full permissions to user x, but if you don't give them access using the security tab, they can't do anything with the files in the share?
0
 
LVL 29

Expert Comment

by:Nightman
ID: 17920444
That's it. Why don't you test it out?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17927816
Correct, the two work in tandem, the most restrictive setting is the one that is used... if you have everyone full control on the share, and you have userX denied delete on the NTFS permissions, UserX is denied delete as it is more restrictive than FC.
Share Permissions ( http://www.microsoft.com/technet/technetmag/issues/2006/01/HowITWorksNTFS/?related=y )

To access a file or folder remotely, both NTFS and Share Permissions are evaluated to determine the actual rights the user has to that object. Between NTFS and Share Permissions, the effective permissions are whichever is most restrictive. If the NTFS permission is Read and the Share Permission is Full Control, the effective permission is Read because it is the most restrictive. If the NTFS and Share Permissions were reversed, Read would still be the effective permission.

NTFS and Share Permissions work quite differently from each other. NTFS has a rather complex process of inheritance (see "NTFS Permissions" in the November-December 2005 issue of TechNet Magazine) but essentially a user gets the combination of NTFS permissions assigned to them and any groups they are in, including nested groups. In general, Deny overrides Allow. You have to enter the file system on a remote computer by accessing a share. The Share Permissions are evaluated on the share you use to enter the file system. There is no inheritance with shares. The Share Permissions assigned on the share you used to enter the file system are the permissions you have in that branch of the directory tree, even if there is another share lower in the tree with different permissions.
============
For ease of use/maintenance/administration, share permissions are fine to set Everyone- Full Control, and use the NTFS rights to apply restrictions. Do not include the everyone group on the NTFS (security tab), use authenticated users, and or the groups you need to apply the permissions to. Setting to FC on the share helps, because that right applies to all subfolders... NTFS can inherit or not inherit thier rights from parent folders.
http://technet2.microsoft.com/WindowsServer/en/library/86987829-3f74-412f-abb8-c8b22b07257d1033.mspx?mfr=true
-rich
0

Featured Post

New! My Passport Wireless Pro Wi-Fi Mobile Storage

Portable wireless storage to offload, edit, and stream anywhere.

High-capacity, wireless mobile storage designed to accompany professional photographers and videographers in the field to easily offload, edit and stream captured photos and high-definition videos.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
Need to grow your business through quality cloud solutions? With everything required to build a cloud platform and solution, you may feel like the distance between you and the cloud is quite long. Help is here. Spend some time learning about the Con…

948 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now