• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 380
  • Last Modified:

NTFS PERMISSIONS

As far as a share is concerned:  I want the users to be able to view everything but not write or change... Can I give the everyone group read only to the share and the individual users the permissions on the individual folders if I don't have the permissions inheriting?

Also as for the security tab on the share what permission do I need if I want the admins to have full control over everything and the users just read,  Again I only want the users to have read to the share and write to the individual folders.
0
WellingtonIS
Asked:
WellingtonIS
  • 8
  • 3
  • 3
  • +3
2 Solutions
 
honestman31Commented:
Give everyone group the read permissions  on NTFS
give Admin Grope  Read/Write Modify on NTFS  
0
 
WellingtonISAuthor Commented:
When you say NTFS you mean the Permissions Tab on the Share?  I can't remember is the designates NTFS.  I know the Share doesn't
0
 
Elwin3Commented:
As well as honestman31's suggestions for NTFS (Security permissions). You will also need to give everyone Full Control on the Share permissions.They will get the most restrictive.  So everyeon will get read and admin group will r/w/m.  
0
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

 
WellingtonISAuthor Commented:
If I give everyone full control to the share then they are able to write to the "root of that share" and that's what I need to avoid.
0
 
PedrotechCommented:
I will explain this in two ways, as I am not sure if you want the share the folder for local computer users or throug the network:
1) Sharing a folder on the local computer:
Important: If using XP you need to unset the option "Use simple file sharing" under Control Panel > Folder Options

On the folder properties, go to security tab, and select the permissions, then click on advanced button; Now you can select the share options for that folder, in a local basis. You can also select if you want these permissions to propagate under subfolders and files, by selecting the appropriate drop down.
2) Sharing a folder on the network:
Again, if using XP you need to unset the option "Use simple file sharing" as described above.

On the folder properties, create a share for it, lets say "folderx", no click on "permissions" button.

If your computer is a domain member it will be easier since you can user the user names from the domain.

If your computer is not a domain member, you need to remember an important thing, I will exemplify:

Your computer, named PC01, has your user name set as "User01" with password "XXX"
The second other person on the network has a computer named PC02, and has a user name set as "User02", with password "YYY".
The third other person on the network has a computer named "PC03", and has a user name set as "User03", with password "ZZZ"

In this case, you will need to create the account "User02 with pass "YYY" on your computer, so the second person on the network can access you share with his/her credentials.

The same happens for the third person on the network.

This happens because windows send the user (name/password) credentials along the network to indeifity the person among the network.

If you are member of a domain, then you dont need to create the accounts on you computer, since the credentials are "domain dependent" and the server will make your computer recognize the different credentials.
 
I hope I haven't complicated even more your question lol.
If still in doubt, please try to explain better your question.
0
 
Elwin3Commented:
no they wont. It you give them full controll of the share and then restrict them with security permissions they get the most restrictive. This is stadnard practise when setting up shares.
0
 
oldPCguyCommented:
I would recommend :

For the Share: Everyone has Read access, add Administrators with Full Control
For the User Permissions : Read & Execute, List Folder Contents, Read

If this is a child folder with different permissions on the Parent, you will want to turn off inheritable permissions.
0
 
PedrotechCommented:
I just noticed some typos on my last answer.

2) Sharing a folder on the network:
Again, if using XP you need to unset the option "Use simple file sharing" as described above.

On the folder properties, create a share for it, lets say "folderx", NOW click on "permissions" button.
 
Back on part 1,
you can set "everyone" to read (checked) / modify (not checked) / write (not checked)
and then set the other users as read (checked) / modify (checked) / writeh (checked)


0
 
Elwin3Commented:
0
 
WellingtonISAuthor Commented:
OK this is a share on a server.  Sorry. This is a network.  I currently have the following:
Share: Sharing Tab Permissions:
Everyone read
Administrator: Full Control.

Security Tab on Share
Administrator: Full Control
Everyone: Read & Execute, List; Read

One the individual Folders I have the permission by users. So user x may have modify on the folder.
user y may also have modify on the folder,etc.
0
 
oldPCguyCommented:
Sounds like you're all set.
0
 
WellingtonISAuthor Commented:
No, the users can't save anything.  I had to give read and change and in the permissions read & list.
0
 
oldPCguyCommented:
In your previous post you stated you gave the individual users modify permissions to the folder. This should have done the trick unless you had inheritance turned on.

To save a file and create folders the users need write permissions. To save and/or delete files and folders they need modify permissions. The change permission will allow the users to change the file permissions ie: give themselves full control.

Windows 101: Know the basics about NTFS permissions
http://articles.techrepublic.com.com/5100-10878_11-6084446.html
0
 
WellingtonISAuthor Commented:
OK I'm talking about the general share.  Not the folders within the share.  It seems if I give the share read only then even though I have the users as modify on the folders, they still can not write.
0
 
WellingtonISAuthor Commented:
One more thing... I understand NTFS and I understand that the permissions take the most restrictive too.  That's not my issue.  Maybe I'm explaining this wrong.  So let me try again...

I have a folder called SHARE within that folder are a series of other folders...

The SHARE folder is shared...  I have a group called EVERYONE_NO_ADMINS which contains all my users except my administrators.  When you share this folder you have permissions.  Full control, Change, Read...
 In addition you have a security tab that's NTFS full control, modify, read & execute, list, write and special permissions.

What I'm trying to find out is what is the least amount of rights I can give the EVERYONE_NO_ADMINS group on the SHARE?  I'm trying to avoid the users adding folders and doc's, spreadsheets to the "root" of the share and still allow them to read, write and modify the individual folder within that share.

I've took out the Inheritable permission on all of the folder within the share.  Again I want the users to have modify permissions to the individual folders within the share.
0
 
Rant32Commented:
"One the individual Folders I have the permission by users. So user x may have modify on the folder.
user y may also have modify on the folder,etc."

If you want subfolders that are writable by users, the share permissions must always allow Change access.
0
 
Rant32Commented:
Also, disabling Inheritance on all subfolders is usually not necessary.

The easiest way to go about this depends on the "default" access for subfolders you create in the share.

If NO_ADMINS requires default write access to all (+new) subfolders in the share, but not allow them to create new folders at the root, then: Grant NTFS Modify permissions on the shared folder and all subfolders. Then add a separate NTFS permission with "Deny Write" that has the scope "This folder and files only" to NO_ADMINS on the shared folder itself. Only if a few specific subfolders require Read access, you should disable inheritance for those folders and set NTFS permissions accordingly.

If the default is read-only access, then just grant Read NTFS permissions on the entire folder and subfolders, and grant NTFS modify permissions as desired. No deny required.

In all cases, share security is set to Change for NO_ADMINS.
0
 
WellingtonISAuthor Commented:
THANK YOU.  THAT REALLY HELPS!
0
 
WellingtonISAuthor Commented:
Thanks everyone this really helped me out.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 8
  • 3
  • 3
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now