Shared vs Security tab

J

Jamie

Can someone explain to me what is the differences between these 2 types of
security tabs. Why do they have this shared tab?

DirX ---- --Dir1 -Read rights
--Dir2 -Read rights
--Dir3 -Full Rights
I want the users to be able to map a dir to DirX then get the shown rights
to the other dir's. I'm having some issues because of this shared thing.
Before what I would only use is Security and then give NTFS rights to areas.
Problem now is I have to enable this shared tab in order for a user to map
to the area. The rights I define in that tab overrule the rights I set in
the security tab for NTFS.

Jamie
 
M

Miha Pihler

With share tab you can share folders or drives on the PC. Security tab is
for setting security for local users AND anyone coming from network e.g.
share.

If you are SURE you set up right your Security settings, then you can allow
Everyone full access on the share! (Although this is NOT the best
practice!!!). Best practice would be e.g. give user Change permission on the
share3 and only Read on Share1 and 2 (depending what you would like to
achieve)...
NTFS Permission on Folder (share1 and 2) should also be Read and on Folder
(share3) should be Full Control.
 
K

Kent W. England [MVP]

The combination of network and file system permissions determines who
can access what. If you have your local file system permissions set just
right, you can allow access to Everyone via network.

On the other hand, if you aren't sure you have your local file system
permissions set right, you can restrict your network access for safety.
You could restrict Everyone to read-only access for example.
 
J

Jamie

Ok if I read what both of you are saying correctly then you are saying I can
enable the Share tab rights for DirX with full rights as long as I have my
Dir 123 setup correctly with file system rights I will be ok. I have tested
this and it does not work. The shared tab rights override the file system
rights which seems incorrect. File system rights should always be above
anything else. This is what confuses me. So what happens is -
if I share each of DIR 123 separately using shared tab and give the correct
rights using shared tab and file system rights they get what I want except I
can't map one drive to DIRX. I have to map 3 different drives. If I give
full shared rights to DirX so I can map to that Dir then they get full
rights to all 3 folders even though nothing has changed from before. I
still have file system rights setup correctly and have the 3 dir's still
setup with the Shared rights differently. As soon as I add the rights to
the Shared tab it does exactly that by giving those rights to everything
below.

Jamie
 
J

Jamie

Can someone explain to me what is the differences between these 2 types of
security tabs. Why do they have this shared tab?

DirX ---- --Dir1 -Read rights
--Dir2 -Read rights
--Dir3 -Full Rights
I want the users to be able to map a dir to DirX then get the shown rights
to the other dir's. I'm having some issues because of this shared thing.
Before what I would only use is Security and then give NTFS rights to areas.
Problem now is I have to enable this shared tab in order for a user to map
to the area. The rights I define in that tab overrule the rights I set in
the security tab for NTFS.

Ok if I read what both of you are saying correctly then you are saying I can
enable the Share tab rights for DirX with full rights as long as I have my
Dir 123 setup correctly with file system rights I will be ok. I have tested
this and it does not work. The shared tab rights override the file system
rights which seems incorrect. File system rights should always be above
anything else. This is what confuses me. So what happens is -
if I share each of DIR 123 separately using shared tab and give the correct
rights using shared tab and file system rights they get what I want except I
can't map one drive to DIRX. I have to map 3 different drives. If I give
full shared rights to DirX so I can map to that Dir then they get full
rights to all 3 folders even though nothing has changed from before. I
still have file system rights setup correctly and have the 3 dir's still
setup with the Shared rights differently. As soon as I add the rights to
the Shared tab it does exactly that by giving those rights to everything
below.

Still looking for help.

Jamie
 
K

Kent W. England [MVP]

If DirX is the shared folder, and Dir1 is a subfolder (ie, \dirX\dir1)
of DirX, you should be able to share DirX for Everyone with Full
Control, map that to a drive and then set the file system rights for
Dir1, Dir2, Dir3 with the rights that you want.

You have the choice of creating file system permissions for each user
(joe, bob, sue) or you can set permissions for a user group (either
Administrators or Users). In any event, you have to create local
accounts for your remote users, unless you are using domains and Active
Directory.

Make sure that if an account has permissions set by account (eg, joe)
and are also members of Administrators or Users that they get the right
permissions. If you only restrict individual account permissions then
you want to remove or restrict the Users or Administrators group
privileges, since joe is both "joe" and a member of one of those groups.
The union of the permissions is what is granted in file system
permissions and the intersection of permissions is what is granted for
file and network access.
 
J

Jamie

Kent,
I agree with this 100% in fact this is how I understood it to work. Problem
is it isn't working this way. I believe it must be something that was
previously set that is causing the problem. The problem with that is no
matter how much I look at all the other rights and settings I can't find
anything that would cause this problem. I'm considering starting all over
and removing all rights to that area and rebuilding the rights.

Jamie
 
K

Kent W. England [MVP]

Good luck. Note that you can cut and paste the output of a cacls.exe
command to describe your folder permissions. This might be helpful in a
future post.
 
J

Jamie

C:\>cacls c:\shared\*.*
c:\shared\Apps NODE1\secure:(OI)(CI)C
NODE1\Administrator:(OI)(CI)F
NODE1\DieUpdate:(CI)R
BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)
FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA


c:\shared\Data Everyone:(OI)(CI)C
NODE1\Administrator:(OI)(CI)F
NODE1\DieUpdate:(CI)R
BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)
FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA


c:\shared\Exe Everyone:(OI)(CI)R
NODE1\secure:(OI)(CI)C
NODE1\Administrator:(OI)(CI)F
NODE1\DieUpdate:(CI)R
BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)
FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA

Ok,
Shared is the main dir
Then you see the 3 directories under that. Currently what the user did is
setup separate sharing on each of the 3 directories and controls his rights
to the outside this way. He can map 3 directories. On my side though I can
not map 3 directories and only can have one so I need to share at the SHARED
dir. So I did this and set NTFS permissions for the group DIEUPDATE after
that. I have given DIEUPDATE list folder contents rights to the shared and
all 3 directories. Under the DATA dir I have another dir that I have give
full access to DIEUPDATE. I then have a file that sits in the EXE dir and I
have given read rights to this file. All other security was setup by
someone else but the problem is I can't see what is causing the root
problem. That is what makes this share rights override the NTFS rights? My
users that I have created on the XP station are a member of the DIEUPDATE
group ONLY! Removed ALL other groups (user).
 
K

Kent W. England [MVP]

Your description is still incomplete. The result depends on these folder
permissions, the share permissions, and the memberships of the
individual accounts that are logging on remotely.

(I'm still assuming this is XP Pro with simple file sharing disabled. I
don't recall discussing that, but you can't see the sharing and security
tab in XP Home without safe mode or a third-party tool.)
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

extract from a field in Access 2
Don't have seciruty tab on shared NTFS folder 2
No security tab on shared printer properties 1
security 1
Accessing the security tab on a partitioned drive 5
MachineKeys no Security Tab shown 4
security tab problems 2
Shared folder security tab...Windows 2003 server 5

Top