Solved

NTFS PERMISSIONS

Posted on 2010-08-25
Last Modified: 2013-12-04
As far as a share is concerned:  I want the users to be able to view everything but not write or change... Can I give the everyone group read only to the share and the individual users the permissions on the individual folders if I don't have the permissions inheriting?

Also, as for the security tab on the share, what permission do I need if I want the admins to have full control over everything and the users just read? Again, I only want the users to have read to the share and write to the individual folders.
Question by:WellingtonIS
19 Comments
 
LVL 10

Expert Comment

by:honestman31
ID: 33522295
Give everyone group the read permissions on NTFS
give Admin Group Read/Write Modify on NTFS
0
 

Author Comment

by:WellingtonIS
ID: 33522322
When you say NTFS you mean the Permissions Tab on the Share?  I can't remember is the designates NTFS.  I know the Share doesn't
0
 
LVL 6

Expert Comment

by:Elwin3
ID: 33522351
As well as honestman31's suggestions for NTFS (Security permissions), you will also need to give everyone Full Control on the Share permissions. They will get the most restrictive. So everyone will get read and admin group will r/w/m.
0

 

Author Comment

by:WellingtonIS
ID: 33522460
If I give everyone full control to the share then they are able to write to the "root of that share" and that's what I need to avoid.
0
 

Assisted Solution

by:Pedrotech
Pedrotech earned 150 total points
ID: 33522568
I will explain this in two ways, as I am not sure if you want to share the folder for local computer users or through the network:
1) Sharing a folder on the local computer:
Important: If using XP you need to unset the option "Use simple file sharing" under Control Panel > Folder Options

On the folder properties, go to security tab, and select the permissions, then click on advanced button; Now you can select the share options for that folder, in a local basis. You can also select if you want these permissions to propagate under subfolders and files, by selecting the appropriate drop down.
2) Sharing a folder on the network:
Again, if using XP you need to unset the option "Use simple file sharing" as described above.

On the folder properties, create a share for it, lets say "folderx", no click on "permissions" button.

If your computer is a domain member it will be easier since you can use the user names from the domain.

If your computer is not a domain member, you need to remember an important thing, I will exemplify:

Your computer, named PC01, has your user name set as "User01" with password "XXX"
The second other person on the network has a computer named PC02, and has a user name set as "User02", with password "YYY".
The third other person on the network has a computer named "PC03", and has a user name set as "User03", with password "ZZZ"

In this case, you will need to create the account "User02" with pass "YYY" on your computer, so the second person on the network can access your share with his/her credentials.

The same happens for the third person on the network.

This happens because Windows sends the user (name/password) credentials along the network to identify the person among the network.

If you are a member of a domain, then you don't need to create the accounts on your computer, since the credentials are "domain dependent" and the server will make your computer recognize the different credentials.
 
I hope I haven't complicated even more your question lol.
If still in doubt, please try to explain better your question.
0
 
LVL 6

Expert Comment

by:Elwin3
ID: 33522599
No, they won't. If you give them full control of the share and then restrict them with security permissions they get the most restrictive. This is standard practice when setting up shares.
0
 
LVL 4

Expert Comment

by:oldPCguy
ID: 33522608
I would recommend :

For the Share: Everyone has Read access, add Administrators with Full Control
For the User Permissions : Read & Execute, List Folder Contents, Read

If this is a child folder with different permissions on the Parent, you will want to turn off inheritable permissions.
0
 

Expert Comment

by:Pedrotech
ID: 33522615
I just noticed some typos on my last answer.

2) Sharing a folder on the network:
Again, if using XP you need to unset the option "Use simple file sharing" as described above.

On the folder properties, create a share for it, lets say "folderx", NOW click on "permissions" button.
 
Back on part 1,
you can set "everyone" to read (checked) / modify (not checked) / write (not checked)
and then set the other users as read (checked) / modify (checked) / write (checked)


0
 
LVL 6

Expert Comment

by:Elwin3
ID: 33522622
0
 

Author Comment

by:WellingtonIS
ID: 33522754
OK this is a share on a server.  Sorry. This is a network.  I currently have the following:
Share: Sharing Tab Permissions:
Everyone read
Administrator: Full Control.

Security Tab on Share
Administrator: Full Control
Everyone: Read & Execute, List; Read

On the individual folders I have the permission by users. So user x may have modify on the folder.
user y may also have modify on the folder,etc.
0
 
LVL 4

Expert Comment

by:oldPCguy
ID: 33533162
Sounds like you're all set.
0
 

Author Comment

by:WellingtonIS
ID: 33533693
No, the users can't save anything.  I had to give read and change and in the permissions read & list.
0
 
LVL 4

Expert Comment

by:oldPCguy
ID: 33534487
In your previous post you stated you gave the individual users modify permissions to the folder. This should have done the trick unless you had inheritance turned on.

To save a file and create folders the users need write permissions. To save and/or delete files and folders they need modify permissions. The change permission will allow the users to change the file permissions ie: give themselves full control.

Windows 101: Know the basics about NTFS permissions
http://articles.techrepublic.com.com/5100-10878_11-6084446.html
0
 

Author Comment

by:WellingtonIS
ID: 33536277
OK I'm talking about the general share.  Not the folders within the share.  It seems if I give the share read only then even though I have the users as modify on the folders, they still can not write.
0
 

Author Comment

by:WellingtonIS
ID: 33541346
One more thing... I understand NTFS and I understand that the permissions take the most restrictive too.  That's not my issue.  Maybe I'm explaining this wrong.  So let me try again...

I have a folder called SHARE within that folder are a series of other folders...

The SHARE folder is shared...  I have a group called EVERYONE_NO_ADMINS which contains all my users except my administrators.  When you share this folder you have permissions.  Full control, Change, Read...
 In addition you have a security tab that's NTFS full control, modify, read & execute, list, write and special permissions.

What I'm trying to find out is what is the least amount of rights I can give the EVERYONE_NO_ADMINS group on the SHARE?  I'm trying to avoid the users adding folders and doc's, spreadsheets to the "root" of the share and still allow them to read, write and modify the individual folder within that share.

I've taken out the Inheritable permission on all of the folders within the share.  Again I want the users to have modify permissions to the individual folders within the share.
0
 
LVL 12

Expert Comment

by:Rant32
ID: 33550667
"On the individual folders I have the permission by users. So user x may have modify on the folder.
user y may also have modify on the folder,etc."

If you want subfolders that are writable by users, the share permissions must always allow Change access.
0
 
LVL 12

Accepted Solution

by:Rant32
Rant32 earned 350 total points
ID: 33550723
Also, disabling Inheritance on all subfolders is usually not necessary.

The easiest way to go about this depends on the "default" access for subfolders you create in the share.

If NO_ADMINS requires default write access to all (+new) subfolders in the share, but not allow them to create new folders at the root, then: Grant NTFS Modify permissions on the shared folder and all subfolders. Then add a separate NTFS permission with "Deny Write" that has the scope "This folder and files only" to NO_ADMINS on the shared folder itself. Only if a few specific subfolders require Read access, you should disable inheritance for those folders and set NTFS permissions accordingly.

If the default is read-only access, then just grant Read NTFS permissions on the entire folder and subfolders, and grant NTFS modify permissions as desired. No deny required.

In all cases, share security is set to Change for NO_ADMINS.
0
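
The first option in the accepted solution (Modify everywhere, Deny Write at the root, Change on the share), written out as a PowerShell sketch; this is an added example, not code posted by anyone in the thread. The path `D:\SHARE`, the `CONTOSO` domain prefix and the use of the SmbShare cmdlets (Windows Server 2012 / Windows 8 or later) are assumptions, and the deny rule is scoped to the root folder and the files directly inside it by setting `NoPropagateInherit`, so it does not reach files in subfolders.

```powershell
# Assumed names (not from the thread): adjust to your environment.
$SharePath = 'D:\SHARE'                     # local path of the shared folder
$ShareName = 'SHARE'                        # SMB share name
$Group     = 'CONTOSO\EVERYONE_NO_ADMINS'   # CONTOSO is a placeholder domain

$inheritAll = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate  = [System.Security.AccessControl.PropagationFlags]::None

# 1. Allow Modify on the shared folder; inherited by every subfolder and file,
#    so new subfolders created by an admin are writable by default.
$allowModify = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Modify', $inheritAll, $propagate, 'Allow')

# 2. Deny Write on the root itself and on files sitting directly in it.
#    ObjectInherit + NoPropagateInherit keeps the deny out of the subfolders,
#    which is what stops new files/folders at the root while leaving the
#    inherited Modify in force one level down.
$denyWrite = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Write', 'ObjectInherit', 'NoPropagateInherit', 'Deny')

$acl = Get-Acl -Path $SharePath
$acl.AddAccessRule($allowModify)
$acl.AddAccessRule($denyWrite)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Share permission: Change, so the share layer never blocks a write that
#    NTFS allows. A Read-only share permission caps every subfolder at Read.
Grant-SmbShareAccess -Name $ShareName -AccountName $Group -AccessRight Change -Force

# 4. Review what the group now holds at both layers.
(Get-Acl -Path $SharePath).Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Format-Table AccessControlType, FileSystemRights, InheritanceFlags, PropagationFlags
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight
```

Subfolders that had inheritance disabled keep their own ACLs and are not affected by step 1; re-enable inheritance on them or set their permissions explicitly.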
 

Author Comment

by:WellingtonIS
ID: 33557488
THANK YOU.  THAT REALLY HELPS!
0
 

Author Closing Comment

by:WellingtonIS
ID: 33567324
Thanks everyone this really helped me out.
0

Question has a verified solution.