• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 217
  • Last Modified:

fodler share security

What is the difference between setting security on the share tab for a folder in windows 2000 and setting security on the security tab of a folder in windows 2000?

Please explain also how setting security in one versus the other affects access.
0
markkurten
Asked:
markkurten
  • 2
1 Solution
 
NightmanCTOCommented:
Security via the share allows access to the share name via the network share.
Security via the security tab manages access to the physical folder/files on disk.

Access to the folder on disk allows access to the user, but no access via the share means that the user still cannot access the files via the network. The user would have to log on to the PC to access the folder. So a user may have full local permissions on a folder (and the files) from the local machine, but be prevented from updating (or even viewing) them accross the network.

Access via the share allows access to the network resource, but no access to the files on disk means that the user still can't do anything with them.

Does this makes things clearer or worse?
0
 
markkurtenAuthor Commented:
thats exactly what i'm looking for - thank you..

so you can have a share and give full permissions to user x, but if you don't give them access using the security tab, they can't do anything with the files in the share?
0
 
NightmanCTOCommented:
That's it. Why don't you test it out?
0
 
Rich RumbleSecurity SamuraiCommented:
Correct, the two work in tandem, the most restrictive setting is the one that is used... if you have everyone full control on the share, and you have userX denied delete on the NTFS permissions, UserX is denied delete as it is more restrictive than FC.
Share Permissions ( http://www.microsoft.com/technet/technetmag/issues/2006/01/HowITWorksNTFS/?related=y )

To access a file or folder remotely, both NTFS and Share Permissions are evaluated to determine the actual rights the user has to that object. Between NTFS and Share Permissions, the effective permissions are whichever is most restrictive. If the NTFS permission is Read and the Share Permission is Full Control, the effective permission is Read because it is the most restrictive. If the NTFS and Share Permissions were reversed, Read would still be the effective permission.

NTFS and Share Permissions work quite differently from each other. NTFS has a rather complex process of inheritance (see "NTFS Permissions" in the November-December 2005 issue of TechNet Magazine) but essentially a user gets the combination of NTFS permissions assigned to them and any groups they are in, including nested groups. In general, Deny overrides Allow. You have to enter the file system on a remote computer by accessing a share. The Share Permissions are evaluated on the share you use to enter the file system. There is no inheritance with shares. The Share Permissions assigned on the share you used to enter the file system are the permissions you have in that branch of the directory tree, even if there is another share lower in the tree with different permissions.
============
For ease of use/maintenance/administration, share permissions are fine to set Everyone- Full Control, and use the NTFS rights to apply restrictions. Do not include the everyone group on the NTFS (security tab), use authenticated users, and or the groups you need to apply the permissions to. Setting to FC on the share helps, because that right applies to all subfolders... NTFS can inherit or not inherit thier rights from parent folders.
http://technet2.microsoft.com/WindowsServer/en/library/86987829-3f74-412f-abb8-c8b22b07257d1033.mspx?mfr=true
-rich
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now