Solved

NTFS PERMISSIONS

Posted on 2010-08-25
Last Modified: 2013-12-04
As far as a share is concerned:  I want the users to be able to view everything but not write or change... Can I give the everyone group read only to the share and the individual users the permissions on the individual folders if I don't have the permissions inheriting?

Also, as for the Security tab on the share, what permission do I need if I want the admins to have full control over everything and the users just read? Again, I only want the users to have read to the share and write to the individual folders.
Question by:WellingtonIS
19 Comments
 
LVL 10

Expert Comment

by:honestman31
Give the Everyone group Read permissions on NTFS.
Give the Admin group Read/Write Modify on NTFS.
 

Author Comment

by:WellingtonIS
When you say NTFS, do you mean the Permissions tab on the Share? I can't remember if that designates NTFS. I know the Share doesn't.
 
LVL 6

Expert Comment

by:Elwin3
As well as honestman31's suggestions for NTFS (Security permissions), you will also need to give everyone Full Control on the Share permissions. They will get the most restrictive. So everyone will get read and the admin group will get r/w/m.
 

Author Comment

by:WellingtonIS
If I give everyone full control to the share then they are able to write to the "root of that share" and that's what I need to avoid.
 

Assisted Solution

by:Pedrotech
Pedrotech earned 150 total points
I will explain this in two ways, as I am not sure if you want to share the folder for local computer users or through the network:

1) Sharing a folder on the local computer:
Important: If using XP you need to unset the option "Use simple file sharing" under Control Panel > Folder Options.

On the folder properties, go to the Security tab and select the permissions, then click on the Advanced button. Now you can select the share options for that folder, on a local basis. You can also select if you want these permissions to propagate to subfolders and files, by selecting the appropriate drop-down.

2) Sharing a folder on the network:
Again, if using XP you need to unset the option "Use simple file sharing" as described above.

On the folder properties, create a share for it, let's say "folderx", now click on the "Permissions" button.

If your computer is a domain member it will be easier, since you can use the user names from the domain.

If your computer is not a domain member, you need to remember an important thing. I will exemplify:

Your computer, named PC01, has your user name set as "User01" with password "XXX".
The second other person on the network has a computer named PC02, and has a user name set as "User02", with password "YYY".
The third other person on the network has a computer named "PC03", and has a user name set as "User03", with password "ZZZ".

In this case, you will need to create the account "User02" with pass "YYY" on your computer, so the second person on the network can access your share with his/her credentials.

The same happens for the third person on the network.

This happens because Windows sends the user (name/password) credentials along the network to identify the person on the network.

If you are a member of a domain, then you don't need to create the accounts on your computer, since the credentials are "domain dependent" and the server will make your computer recognize the different credentials.
 
I hope I haven't complicated even more your question lol.
If still in doubt, please try to explain better your question.
 
LVL 6

Expert Comment

by:Elwin3
No, they won't. If you give them full control of the share and then restrict them with security permissions, they get the most restrictive. This is standard practice when setting up shares.
 
LVL 4

Expert Comment

by:oldPCguy
I would recommend :

For the Share: Everyone has Read access, add Administrators with Full Control
For the User Permissions : Read & Execute, List Folder Contents, Read

If this is a child folder with different permissions on the Parent, you will want to turn off inheritable permissions.
 

Expert Comment

by:Pedrotech
I just noticed some typos on my last answer.

2) Sharing a folder on the network:
Again, if using XP you need to unset the option "Use simple file sharing" as described above.

On the folder properties, create a share for it, let's say "folderx", NOW click on the "Permissions" button.

Back on part 1,
you can set "everyone" to read (checked) / modify (not checked) / write (not checked)
and then set the other users as read (checked) / modify (checked) / write (checked)


 
LVL 6

Expert Comment

by:Elwin3
 

Author Comment

by:WellingtonIS
OK this is a share on a server.  Sorry. This is a network.  I currently have the following:
Share: Sharing Tab Permissions:
Everyone read
Administrator: Full Control.

Security Tab on Share
Administrator: Full Control
Everyone: Read & Execute, List; Read

On the individual folders I have the permissions by users. So user x may have modify on the folder.
User y may also have modify on the folder, etc.
 
LVL 4

Expert Comment

by:oldPCguy
Sounds like you're all set.
 

Author Comment

by:WellingtonIS
No, the users can't save anything.  I had to give read and change and in the permissions read & list.
 
LVL 4

Expert Comment

by:oldPCguy
In your previous post you stated you gave the individual users modify permissions to the folder. This should have done the trick unless you had inheritance turned on.

To save a file and create folders the users need write permissions. To save and/or delete files and folders they need modify permissions. The change permission will allow the users to change the file permissions ie: give themselves full control.

Windows 101: Know the basics about NTFS permissions
http://articles.techrepublic.com.com/5100-10878_11-6084446.html
 

Author Comment

by:WellingtonIS
OK I'm talking about the general share.  Not the folders within the share.  It seems if I give the share read only then even though I have the users as modify on the folders, they still can not write.
 

Author Comment

by:WellingtonIS
One more thing... I understand NTFS and I understand that the permissions take the most restrictive too.  That's not my issue.  Maybe I'm explaining this wrong.  So let me try again...

I have a folder called SHARE within that folder are a series of other folders...

The SHARE folder is shared...  I have a group called EVERYONE_NO_ADMINS which contains all my users except my administrators.  When you share this folder you have permissions.  Full control, Change, Read...
In addition, you have a Security tab that's NTFS: Full Control, Modify, Read & Execute, List, Write and Special Permissions.

What I'm trying to find out is what is the least amount of rights I can give the EVERYONE_NO_ADMINS group on the SHARE? I'm trying to avoid the users adding folders and docs, spreadsheets to the "root" of the share and still allow them to read, write and modify the individual folders within that share.

I've taken out the inheritable permissions on all of the folders within the share. Again, I want the users to have modify permissions to the individual folders within the share.
 
LVL 12

Expert Comment

by:Rant32
"One the individual Folders I have the permission by users. So user x may have modify on the folder.
user y may also have modify on the folder,etc."

If you want subfolders that are writable by users, the share permissions must always allow Change access.
 
LVL 12

Accepted Solution

by:Rant32
Rant32 earned 350 total points
Also, disabling Inheritance on all subfolders is usually not necessary.

The easiest way to go about this depends on the "default" access for subfolders you create in the share.

If NO_ADMINS requires default write access to all (+new) subfolders in the share, but they should not be allowed to create new folders at the root, then: Grant NTFS Modify permissions on the shared folder and all subfolders. Then add a separate NTFS permission with "Deny Write" that has the scope "This folder and files only" to NO_ADMINS on the shared folder itself. Only if a few specific subfolders require Read access, you should disable inheritance for those folders and set NTFS permissions accordingly.

If the default is read-only access, then just grant Read NTFS permissions on the entire folder and subfolders, and grant NTFS modify permissions as desired. No deny required.

In all cases, share security is set to Change for NO_ADMINS.
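
Added example, not part of Rant32's post: the first option from the accepted solution (default write access to subfolders, nothing new at the root of the share) scripted in PowerShell. The path `D:\SHARE`, the domain `CONTOSO`, a server with the SmbShare cmdlets (Windows Server 2012 or later) and a share that does not exist yet are assumptions; so is reading the "This folder and files only" scope as ObjectInherit plus NoPropagateInherit.

```powershell
# Added example; placeholder values, not taken from the thread.
$root   = 'D:\SHARE'                     # assumed local path of the shared folder
$group  = 'CONTOSO\EVERYONE_NO_ADMINS'   # CONTOSO is a placeholder domain
$admins = 'BUILTIN\Administrators'

# Share level: Change for the user group, Full Control for administrators.
# Assumes the share does not exist yet (use Grant-SmbShareAccess on an existing one).
New-SmbShare -Name 'SHARE' -Path $root -ChangeAccess $group -FullAccess $admins | Out-Null

$acl = Get-Acl -Path $root

# NTFS Allow Modify on this folder, subfolders and files (inherited by new subfolders).
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')

# NTFS Deny Write on the root and on the files directly in it. NoPropagateInherit is
# an assumption about the intended scope: it keeps the deny out of the subfolders.
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'Write', 'ObjectInherit', 'NoPropagateInherit', 'Deny')

$acl.AddAccessRule($allow)
$acl.AddAccessRule($deny)
Set-Acl -Path $root -AclObject $acl

# Check 1: the root should list one Allow Modify and one Deny Write ACE for the group.
(Get-Acl -Path $root).Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    Format-Table AccessControlType, FileSystemRights, InheritanceFlags, PropagationFlags

# Check 2: no first-level subfolder should carry a Deny ACE for the group.
Get-ChildItem -Path $root -Directory | ForEach-Object {
    $denies = @((Get-Acl -Path $_.FullName).Access | Where-Object {
        $_.IdentityReference.Value -eq $group -and $_.AccessControlType -eq 'Deny' })
    '{0}: {1} deny ACE(s) for {2}' -f $_.Name, $denies.Count, $group
}
```

Subfolders that already have inheritance disabled will not pick up the inherited Modify entry and keep whatever explicit permissions they have.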
 

Author Comment

by:WellingtonIS
THANK YOU.  THAT REALLY HELPS!
 

Author Closing Comment

by:WellingtonIS
Thanks everyone this really helped me out.