In
Secondly, managing with share permissions is not done as much because
NTFS allows permissions to be applied at the filesystem level, ala
Unix/Linux. This is a greater level of security. In fact, in Windows
2000 the default share permission level was "Everyone - Full Control".
Many (most?) W2K3 admins still set them that way and manage all
permissions at the filesystem level (from the "Security" tab).
Kurt, excellent post. I just want to point out to Greg how share permissions
and NTFS (security tab) permissions work together.
Greg,
The share permission is what allows the intial connection. Once allowed in,
then the NTFS permissions are evaluated. The resulting permission is a
combination of all the permissions for any specific security principle
(group, user or even computer account). It is easier to explain that the
security principle gets the most restrictive permission of the two as the
resultant permissions to access the reource.
For example, let use an account called John Smith.
John has Full Control on the Share permissions fo the Sales folder.
John has Modify on the NTFS permissions of the Sales folder.
John's resultant permission is Modify (not full control) because it is the
most restrictive.
Now if John is part of a group that has more permissions than his account,
then the least restritive applies between multiple entries that a security
principle is a member of.
So now let's add John to the Sales group.
John has Change Share permissions on the Sales folder.
The Sales group has Full Control Sahre permissions on the Sales folder.
John has Read NTFS permissions on the Sales folder.
The Sales group has Modify NTFS permissions on the Sales folder
The resultant permission will be Modify.
Inheritance is automatic going downhill as Kurt already explained and
controlled by not allowing inheritance. Child can override the parent
permissions. However if the parent share is Read, and the child is FC, the
resultant will be Read.
Then there's group nesting. Keeping track of who's who in a nested scenario
is easy as long as you follow the rules and guidelines in using them. Domain
mode is also a factor in what nesting options are available.
I would take up Kurt's suggestions to read up on AD, or better yet, attend a
Microsoft Official Curriculum (MOC) course on AD. The course is a 5 day
hands on with labs instructore lead class. You will be amazed at what you
will learn in the course.GPOs, installing and removing DCs, Sites, Recovery,
and much more. Below is a link with more info on the class.
2279: Planning, Implementing, and Maintaining a Microsoft® Windows ServerT
2003 Active Directory® Infrastructure
Summary: In this five-day instructor-led course students will learn the job
skills necessary to plan, implement and troubleshoot the key components of a
Microsoft Windows Server 2003 directory service environment.
Audience: IT professionals
Delivery Method: Instructor-led (classroom)
http://www.microsoft.com/learning/syllabi/2279Afinal.asp
Good luck with everything.
--
Ace
Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer
Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164
Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."
The only constant in life is change...
