Solved

Share Permissions

Posted on 2013-06-11
Last Modified: 2013-06-11
I have a share that is usable by everyone. I have a group called everyone_no Administrator. I am having an issue with users creating folders on this share. I don't want that. My idea was to make the everyone_no Administrator group read only on the share; however, is this going to stop users from creating files and posting files to the other shares if the NTFS permissions allow it? I know that Windows takes the most restrictive - however shouldn't NTFS override that share?
0
Question by:WellingtonIS
8 Comments
 
LVL 3

Expert Comment

by:Hir0
ID: 39237664
There are two kinds of permissions involved in any shared folder - those on the actual share and those imposed by the underlying file system. These permissions are subtractive. This means the most restrictive permissions will win.
 Windows SBS 2011 MS Press

Generally speaking you should pick either NTFS or Share permissions to control file access and stick with one or the other.  I recommend setting share permissions to Full control for authenticated users and using a combination of NTFS and groups to manage access.
0
 
LVL 1

Expert Comment

by:marcocerruti
ID: 39237677
Hi!
If you make the users members of the "Everyone_no Administrator" group and you give the group the Read permission only on the share, they should not be able to create anything, even if the NTFS permissions allow it.
However you might have some different behavior if the users are members also of another group to which you gave more permissions on the share.

Check this document and test before applying.
http://technet.microsoft.com/en-us/library/cc770962.aspx

Effective Permissions Tool
http://technet.microsoft.com/en-us/library/cc756795(v=ws.10).aspx

I hope it helps!
0
 

Author Comment

by:WellingtonIS
ID: 39237685
I do understand that however, I need to find a way to prevent my users from creating folders on the share... Is that even possible?
0
 

Author Comment

by:WellingtonIS
ID: 39237856
Stupid question... The security tab on the share... Isn't that controlling the permissions on the share? If I deny write/create files for everyone_no administrator won't that solve my issue?
0
 
LVL 1

Accepted Solution

by:
marcocerruti earned 250 total points
ID: 39237874
Ok, on the folder you have 2 tabs:
- Sharing and Security

Security, defines NTFS permissions
Sharing, controls the Sharing of the folder and the Sharing permissions

The Sharing permissions only kick in if you access the folder through the network. NTFS permissions are defined on the volume if it has been formatted using NTFS.

Now, when you set the sharing permissions, it's like an "entrance" permission on the folder, so if you set "Read" for a user, that user, no matter what NTFS permission it has, cannot do anything else but Read.

However, if you set "Change" or "Full Control" on the Share permission, you can restrict on the NTFS later.

So the ultimate result depends on the combination of Share and NTFS permissions, and the application of these permissions on Users, Groups and ultimately the membership of the users.
0
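The combination rules described in the answers above (share permissions add up across all of a user's groups, and the result is then intersected with NTFS when the folder is reached over the network), as a small Python model. This is an added example, not part of the original thread; the ACL entries, the coarse rights names and the rule that any deny beats any allow are simplifying assumptions.

```python
# Added example: simplified model of how share and NTFS permissions combine.
# Group names, ACL contents and the coarse rights vocabulary are constructed.

SHARE_LEVELS = {
    "Read": {"read"},
    "Change": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change_permissions"},
}

def resolve(acl, principals, expand=set):
    """Union the allows for every principal the user holds, then subtract denies.
    Assumption: any matching deny wins (inheritance ordering is ignored)."""
    allowed, denied = set(), set()
    for principal, kind, grant in acl:
        if principal in principals:
            (allowed if kind == "allow" else denied).update(expand(grant))
    return allowed - denied

def effective(principals, share_acl, ntfs_acl, over_network=True):
    """Rights a user ends up with on the folder."""
    ntfs = resolve(ntfs_acl, principals)
    if not over_network:
        return ntfs  # local access is never filtered by the share ACL
    share = resolve(share_acl, principals, expand=lambda lvl: SHARE_LEVELS[lvl])
    return share & ntfs  # the more restrictive side wins

# Constructed sample data
USER = {"everyone_no_administrator", "Authenticated Users"}
NTFS_ACL = [("everyone_no_administrator", "allow", {"read", "write", "delete"})]
NTFS_DENY_WRITE = NTFS_ACL + [("everyone_no_administrator", "deny", {"write"})]
SHARE_READ = [("everyone_no_administrator", "allow", "Read")]
SHARE_MIXED = SHARE_READ + [("Authenticated Users", "allow", "Full Control")]

if __name__ == "__main__":
    cases = [
        ("share Read only", SHARE_READ, NTFS_ACL, True),
        ("second group has Full Control on share", SHARE_MIXED, NTFS_ACL, True),
        ("share open, NTFS deny write", SHARE_MIXED, NTFS_DENY_WRITE, True),
        ("same user logged on locally", SHARE_READ, NTFS_ACL, False),
    ]
    for label, share_acl, ntfs_acl, net in cases:
        print(f"{label}: {sorted(effective(USER, share_acl, ntfs_acl, net))}")
```

The second case shows why a Read-only share entry for one group does not hold if the same users also belong to a group with a broader share permission.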
 
LVL 3

Assisted Solution

by:Hir0
Hir0 earned 250 total points
ID: 39237892
Sounds like you want to control the directory structure. With NTFS, if they can create files then they can create folders. You should set the share permissions to full control for authenticated users and then set the NTFS permissions for the everyone_no_administrator group to modify, go into advanced permissions for the group and uncheck delete and check delete sub folders and files. Do this for all top level folders in the root of share. This way users can see the directory tree but they can't write files or folders to the root, only inside the folders sub folders.
0
 

Author Comment

by:WellingtonIS
ID: 39237996
Thanks guys.  I'm going to "play" with it and hopefully I'll get my result.  I'm going to give the everyone_no administrator read and change and I'll take care of the rest via NTFS on the security tab.  Maybe, just maybe I'll get my result.
0
 

Author Closing Comment

by:WellingtonIS
ID: 39238250
Thanks guys I figured it out and it works the way I want it to.
0
