OEHG
Windows Folder Permissions
Hi all,
In an effort to lock down permissions on a network folder, I chose to deny read access to the Everyone group. Now, no one can access the folder at all. What can I do to undo this change, and get the permissions set for only specific users?
To expand on that concept, if you've got a user who is in multiple groups with permissions on a share, the permissions are cumulative as follows:
Share Permission + Share Permission = Most Permissive (except for Deny which overrides everything else)
On the NTFS side of things (the folder and file permissions), it works the same way:
NTFS Permission + NTFS Permission = Most Permissive (except for Deny which overrides everything else)
When a user accesses that shared folder, however, you have to consider that both share permissions AND the file/folder permissions will both be applied. Once that happens the LEAST permissive level of access is granted:
NTFS Permission + Share Permission = Least Permissive (Deny still overrides)
So, even though the Share may give users Full Control, if the NTFS permissions only give them Read & Execute, that's all they'll be able to do. And the reverse is true: If the NTFS permissions are Full Control, but the Share only allows "Read", then Read access is all they'll have.
ASKER
I attempted to remove Everyone, and I got an error applying security: "Failed to enumerate objects in the container. Access is denied." However, once I clicked through that, it removed the Everyone group. I am personally listed with full control rights, and still cannot get into the folder.
ASKER
I attempted to remove Everyone altogether, and at first it appeared as if it worked. Now, checking again, Everyone is back on the list with full control. Funny thing: now I can access most of the sub-folders again, but there are stand-alone files in the root of the folder that I'm getting access denied on. Any idea what I might need to do?
ASKER
I was able to take ownership and can access the single files now. Under Advanced Security, it is listing users/groups twice. One set with inherited permissions and the duplicates with no inheritance. I'm thinking the users should only be listed once. Any guidance on if this is typical or what I could do to fix?
I'd recommend you leave the Advanced Security stuff alone... it's the "under the hood" part of the permissions. It's kind of like the registry... if you mess that up, you'll have LOADS of problems. LOL
Whenever you're messing with permissions, only work from the Security tab unless you have a very specific reason (like setting up a home folder root to use Access-Based Enumeration on the share).
Glad to know things got worked out!!
ASKER
Thanks guys!
For shared permissions, permissions are cumulative, so whatever the highest level of permissions a user has, that's what they get. So, if they're in a group that has "Read" permission and a group that has "Change" permission, their effective permission is "Change".
NTFS permissions work the exact same way.
The exception to this is when permissions are explicitly denied. A "Deny" permission overrides all other permissions. So, when you assign "Deny" to the Everyone group, access is denied to, literally, Everyone.
To fix this, remove the Everyone group from the permissions and then add the specific group(s) you want and then apply the appropriate permissions.
Remember, only users and groups that have permissions will have access. Everyone else will be denied access, so there's no need to explicitly add that.
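The fix described in this thread, scripted in PowerShell as an added example (not code posted by anyone in the thread): it removes explicit Deny entries for Everyone from the folder and from any files or subfolders that carry their own copy, then grants one specific group. The path, the group name and the choice of Modify rights are placeholders, and the function name is made up for this sketch; it assumes an elevated session under the account that owns the folder.

```powershell
# Added example. $Path, $Group and the 'Modify' level are placeholders.
# Assumes an elevated session running as the folder's owner.
$Path        = 'D:\Shares\Projects'       # placeholder: folder behind the share
$Group       = 'CONTOSO\Projects-Users'   # placeholder: group that should have access
$EveryoneSid = 'S-1-1-0'                  # well-known SID of the Everyone group

function Repair-EveryoneDeny {            # hypothetical helper name
    param([string]$ItemPath, [switch]$Fix)
    $acl = Get-Acl -LiteralPath $ItemPath
    # Explicit ACEs only (includeExplicit = $true, includeInherited = $false),
    # returned with SIDs so the match does not depend on localized names.
    $deny = @($acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Deny' -and
                       $_.IdentityReference.Value -eq $EveryoneSid })
    if ($deny.Count -eq 0) { return }
    foreach ($ace in $deny) {
        if ($Fix) { $acl.RemoveAccessRuleSpecific($ace) }
        # Emit one record per Deny ACE so the change can be reviewed or logged.
        [pscustomobject]@{ Path = $ItemPath; Denied = $ace.FileSystemRights; Removed = [bool]$Fix }
    }
    if ($Fix) { Set-Acl -LiteralPath $ItemPath -AclObject $acl }
}

# 1. Repair the root first: Deny Read on the folder also blocks listing its contents.
Repair-EveryoneDeny -ItemPath $Path -Fix

# 2. Then walk the tree for files and subfolders that hold their own explicit Deny ACE
#    (inherited ones disappear once the parent is fixed).
Get-ChildItem -LiteralPath $Path -Recurse -Force |
    ForEach-Object { Repair-EveryoneDeny -ItemPath $_.FullName -Fix }

# 3. Grant the specific group; anyone not listed simply has no access,
#    so no Deny entry is needed.
$acl  = Get-Acl -LiteralPath $Path
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl

# 4. Confirm what is now set explicitly on the root.
(Get-Acl -LiteralPath $Path).Access | Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights
```

Dropping `-Fix` from the calls in steps 1 and 2 reports the Deny entries without changing anything. The share permission still caps whatever NTFS grants, so check that side as well with `Get-SmbShareAccess`.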