Permissions and File-Folder-Drive Sharing

[David Lewis]

Greetings,

The Situation:
I have XP Pro with 3 physical drives C,G,H formatted with NTFS, a home
network, and "Simple File Sharing" Disabled.

What I want to Achieve:
NOT to share (read write,view,list or anything else) the G and H drives
except with Administrators on the local computer.

The Problem:
Drive "Properties" "Share Tab" only allows to temporarily not share the
Drive.....with message,"This share was created for administrative purposes
and will be shared again when reboot.."
Under "Security Tab" when I tick the "deny" permissions for "users" at my
desktop location, Windows seems to go into a fit with "egg timer" coming up
indefinitely (needing to log out to escape).At one time it seemed to 'go
thru' but I was subsequently denied access to the drive even though I am the
"Administrator" and "Owner" with "Full Control" "Allowed" (ticked).
BTW I tried just using "simple file sharing" but this still allows access to
the drives from User accounts.

Questions:

1)Are physical (or logical) drives always shared for "Administrative"
reasons?
2)Can "Permissions" be configured to achieve my Objective? How?
3)If I deny "Permission" to "Users" should that necessarily include
"Administrative" Users as a subset?
4)BTW, What "group" does the group "Everyone" represent ( "the "System",
Administrators etc)?
5)Why does MS make things so hard??

Thanks in Advance

 

[james russel]

i have some ans to your question.
they are below your questions.

-----Original Message-----
Greetings,

The Situation:
I have XP Pro with 3 physical drives C,G,H formatted with NTFS, a home
network, and "Simple File Sharing" Disabled.

What I want to Achieve:
NOT to share (read write,view,list or anything else) the G and H drives
except with Administrators on the local computer.

The Problem:
Drive "Properties" "Share Tab" only allows to temporarily not share the
Drive.....with message,"This share was created for administrative purposes
and will be shared again when reboot.."
Under "Security Tab" when I tick the "deny" permissions for "users" at my
desktop location, Windows seems to go into a fit with "egg timer" coming up
indefinitely (needing to log out to escape).At one time it seemed to 'go
thru' but I was subsequently denied access to the drive even though I am the
"Administrator" and "Owner" with "Full Control" "Allowed" (ticked).
BTW I tried just using "simple file sharing" but this still allows access to
the drives from User accounts.

Questions:

1)Are physical (or logical) drives always shared

for "Administrative"

Ans. yes they are especially when you are on a network.

reasons?
2)Can "Permissions" be configured to achieve my

Objective? How?

Ans. yes, just select specific users in the security tab
to have access to your drive G and H remove users that you
do not want to access it. when you restart the comp this
setting will be retained.

3)If I deny "Permission" to "Users" should that necessarily include
"Administrative" Users as a subset?

And. No Users is a group, users belong to Users group will
be denied access.

4)BTW, What "group" does the group "Everyone" represent ( "the "System",
Administrators etc)?

Ans. they are built in and default groups, everyone means
everybody on your network of anybody uses your computer
localy. administrators is a group, the administrator
belongs to administrators group and has the full right to
the machine. refer to your computers help for a detailed
info. on this groups

5)Why does MS make things so hard??

bill gates should ans this question.

 

[David Lewis]

Bitstring <[email protected]>, from the wonderful


I guess you didn't read all the help files about permissions and
security before you started. In particular 'deny' over-rides 'allow'
in
all cases.

On the Contrary,I waded thru hyperlink after hyperlink..which I find very
annoying.This I why I posed the question about denying "Users" also denying
"Administrative Users" (which seemed to happen to me) even if the latter had
"full control".This would be c/w the deny overide allow rule but only if
Administrators were are subset of "Users".Similarly if you deny "everyone"
then you should effectively disable that drive/folder/file

You can, with some effort, disable the administrative (hidden) shares
.. www.google.com 'windows XP disable hidden admin shares' will get
you
many hits, which I'm not inclined to retype.

You get nil relevant hits in the help files for "administrative shares"
notwithstanding the fact that you have to know they exist in the first place
in order to search for them!But are you saying that if I find them I can
disable them meaning I can simply choose to not share the drive?


<snip>
With thanks

 

[David Lewis]

i have some ans to your question.
they are below your questions.



for "Administrative" reasons?

Ans. yes they are especially when you are on a network.
OK,Thanks


Ans. yes, just select specific users in the security tab
to have access to your drive G and H remove users that you
do not want to access it. when you restart the comp this
setting will be retained.

I wondered about this option.It implies that if a particular user group is
not listed under the "security Tab" then they will be denied access by
default.If memory serves me correctly it worked the other way around i.e you
need to add the specific users and then apply "deny" permissions

And. No Users is a group, users belong to Users group will
be denied access.

.....and "Administrators should still be allowed.Seems logical to me but it
didn't seem to work that way for me but could have just been a glitch?

Ans. they are built in and default groups, everyone means
everybody on your network of anybody uses your computer
localy. administrators is a group, the administrator
belongs to administrators group and has the full right to
the machine. refer to your computers help for a detailed
info. on this groups

This is poorly explained in help section which only mentions "Everybody"
group in relation to changes compared to NT or something.I can not find a
logical set out of *all* the different groups as listed under the security
tab (including "system","everybody") explaining default security settings
(these are easy to find for "administrator" or "User Group" but not many of
the others) and which is a subset of the other...which you need to Know as a
deny rule overides an allow rule.

<snip>

Thanks again