Solved

share permissions

Posted on 2007-11-13
Last Modified: 2013-12-04
One of my file servers is Windows 2003. I created a share on d:\shares. The permissions are Domain Admins, Everyone (Full Access).

Under d:\shares there is a folder called music.

I only want Domain Admins to have full access to d:\shares\music and user1 to have read access only.

I right-clicked on the music folder under d:\shares > Security > Advanced > clicked on Everyone > unchecked "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here." > Edit > checked read permissions.

After the change, user1 can still add files to d:\shares\music.

I know if I take Everyone out of d:\shares then it will work. I can't do it this way; there are a lot of folders under d:\shares that require full access for all users.

Any suggestions?
Question by:alisafia
3 Comments
 
LVL 3

Expert Comment

by:samalraj
ID: 20277781
Hi,
     I hope you might have read this, if not take a look at http://www.microsoft.com/windowsxp/using/security/learnmore/accesscontrol.mspx
0
 
LVL 6

Expert Comment

by:MorDrakka
ID: 20278118
Hi,

I do not think I understand your problem. Security works this way (with NTFS + Share) it always takes the most restrictive for granted, so I would:

Share Permissions:
D:\Share    Everyone Full Control
NTFS Permissions:
D:\Share\Music
Go to the Security tab, Advanced, deselect inherit all rights (copy if need be). Then make sure you have Domain Admins on Full Control, User1 on Read/List Folder Contents/Read & Execute (not using advanced rights).

I created the EXACT same share/folder structure here and verified this works.

Hope this helps.
0
 
LVL 70

Accepted Solution

by:
KCTS earned 2000 total points
ID: 20278502
The way SHARE and NTFS permissions work is like this.

When you share a folder it has share permissions. For the most part, if your drives are formatted as NTFS then give the 'Everyone' Group 'Full Control' at the share level (you will need to change the default permission on the Sharing Tab as the Default is 'Everyone' Read). This may seem odd and insecure but it is not, as NTFS itself allows you much greater control of permissions. It is usual to allow full control at the share level and then tie down permissions with NTFS.

If you right click on a folder and go to the Security Tab, it will show you the NTFS Permissions. Normally you will want a shared folder not to inherit permissions from its parent folder or drive, so go to the Advanced Tab and clear the 'Inherit from parent...' box and COPY the permissions when prompted.

You can then edit/add/remove groups from the security tab and assign each the required permissions. So if you want the Marketing Group to have full access to a folder, add the Marketing Group and assign them Full Control. If you want the Sales Group to be able to read the folder and files but not add/delete/change anything, add the Sales group and leave the default permissions (read, read and execute, list folder contents). To stop others accessing the folder remove the Everyone and (domain) Users Groups from the list.

It is enough that groups do not appear on the list to stop them getting access. You do not normally need to DENY. If a user is a member of two or more groups they get the best of their cumulative NTFS Permissions (unless a deny is present, in which case it overrides).

Normally the standard permissions will be sufficient for most purposes; if you want to be more prescriptive you can use the 'Advanced' option and set advanced permissions.

If users have both share and NTFS permissions they get the most restrictive of the combination of the combined NTFS/Share permissions (which is why it is normal to allow Full Control on the share and rely on NTFS permissions)

It is usual to give permissions to groups, not to users as this makes for easier management. If a new person joins the sales team, you just add them to the sales group and they automatically get all the permissions assigned to the Sales Group. If someone moves from Marketing to sales you remove them from the Marketing group and they lose all the Marketing Group Permissions, when you then add them to sales they get all the permissions of the sales group. As already stated a user can be a member of multiple groups.

See http://www.windowsecurity.com/articles/Understanding-Windows-NTFS-Permissions.html for more info

Once a folder is shared with the correct folder and NTFS permissions users can connect to it using the UNC path name, i.e. they can type \\ServerName\ShareName at the Run prompt. Alternatively they can map a drive to the folder. To do this click on Tools, Map Network Drive in Windows Explorer and assign any unused drive letter to the shared folder. The folder will then appear as a Network drive in My Computer.

An analogy. Your computer is a house. Your data is in a safe in the house. To gain access to the data people from outside have to go through the front door (the share), and then open the safe (NTFS). They need to have both the key to the door (share permissions) and the key to the safe (NTFS permissions) to get at the data - having one key or the other is no good - they must have both.
0
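A simplified model of the combination rules described in the accepted answer, as an added example that is not part of the original thread: rights are cumulative across a user's groups within one layer, a deny overrides, and network access is whatever both the share and NTFS layers grant. The three-flag rights model, the `admin1` account and the assumption that an Everyone entry with write access was still listed on the music folder are illustrative assumptions; real Windows access checks also depend on ACE order and inheritance.

```python
# Simplified model of the share + NTFS rules from the accepted answer.
# Assumption: rights are reduced to three flags; ACE order is ignored.
READ = frozenset({"read"})
WRITE = frozenset({"read", "write"})
FULL = frozenset({"read", "write", "change_acl"})


def side_access(acl, principals):
    """Rights one layer (share or NTFS) gives: the union of all allow
    entries matching the user's principals, minus anything denied."""
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in principals:
            (allowed if kind == "allow" else denied).update(rights)
    return allowed - denied


def effective_access(share_acl, ntfs_acl, principals):
    """Access over the network: only rights granted by both layers."""
    return side_access(share_acl, principals) & side_access(ntfs_acl, principals)


# Constructed sample data using the names from the question.
USER1 = {"user1", "Everyone"}                    # every user is in Everyone
ADMIN = {"admin1", "Domain Admins", "Everyone"}  # admin1 is hypothetical

SHARE = [("Everyone", "allow", FULL)]            # share level: Full Control

# NTFS ACL on music while an Everyone entry with write access is still listed
NTFS_BEFORE = [("Domain Admins", "allow", FULL),
               ("Everyone", "allow", FULL),
               ("user1", "allow", READ)]
# NTFS ACL on music after Everyone is removed, as the answers recommend
NTFS_AFTER = [("Domain Admins", "allow", FULL),
              ("user1", "allow", READ)]


def can_write(ntfs_acl, principals):
    """True if the user can add files to the folder through the share."""
    return "write" in effective_access(SHARE, ntfs_acl, principals)


if __name__ == "__main__":
    for label, acl in (("before", NTFS_BEFORE), ("after", NTFS_AFTER)):
        print(label,
              "user1:", sorted(effective_access(SHARE, acl, USER1)),
              "admin1:", sorted(effective_access(SHARE, acl, ADMIN)))
```
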
