Solved

fodler share security

Posted on 2006-11-10
4
211 Views
Last Modified: 2013-12-04
What is the difference between setting security on the share tab for a folder in windows 2000 and setting security on the security tab of a folder in windows 2000?

Please explain also how setting security in one versus the other affects access.
0
Comment
Question by:markkurten
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 29

Accepted Solution

by:
Nightman earned 100 total points
ID: 17918832
Security via the share allows access to the share name via the network share.
Security via the security tab manages access to the physical folder/files on disk.

Access to the folder on disk allows access to the user, but no access via the share means that the user still cannot access the files via the network. The user would have to log on to the PC to access the folder. So a user may have full local permissions on a folder (and the files) from the local machine, but be prevented from updating (or even viewing) them accross the network.

Access via the share allows access to the network resource, but no access to the files on disk means that the user still can't do anything with them.

Does this makes things clearer or worse?
0
 

Author Comment

by:markkurten
ID: 17919161
thats exactly what i'm looking for - thank you..

so you can have a share and give full permissions to user x, but if you don't give them access using the security tab, they can't do anything with the files in the share?
0
 
LVL 29

Expert Comment

by:Nightman
ID: 17920444
That's it. Why don't you test it out?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17927816
Correct, the two work in tandem, the most restrictive setting is the one that is used... if you have everyone full control on the share, and you have userX denied delete on the NTFS permissions, UserX is denied delete as it is more restrictive than FC.
Share Permissions ( http://www.microsoft.com/technet/technetmag/issues/2006/01/HowITWorksNTFS/?related=y )

To access a file or folder remotely, both NTFS and Share Permissions are evaluated to determine the actual rights the user has to that object. Between NTFS and Share Permissions, the effective permissions are whichever is most restrictive. If the NTFS permission is Read and the Share Permission is Full Control, the effective permission is Read because it is the most restrictive. If the NTFS and Share Permissions were reversed, Read would still be the effective permission.

NTFS and Share Permissions work quite differently from each other. NTFS has a rather complex process of inheritance (see "NTFS Permissions" in the November-December 2005 issue of TechNet Magazine) but essentially a user gets the combination of NTFS permissions assigned to them and any groups they are in, including nested groups. In general, Deny overrides Allow. You have to enter the file system on a remote computer by accessing a share. The Share Permissions are evaluated on the share you use to enter the file system. There is no inheritance with shares. The Share Permissions assigned on the share you used to enter the file system are the permissions you have in that branch of the directory tree, even if there is another share lower in the tree with different permissions.
============
For ease of use/maintenance/administration, share permissions are fine to set Everyone- Full Control, and use the NTFS rights to apply restrictions. Do not include the everyone group on the NTFS (security tab), use authenticated users, and or the groups you need to apply the permissions to. Setting to FC on the share helps, because that right applies to all subfolders... NTFS can inherit or not inherit thier rights from parent folders.
http://technet2.microsoft.com/WindowsServer/en/library/86987829-3f74-412f-abb8-c8b22b07257d1033.mspx?mfr=true
-rich
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question