Security and Permissions


jmos

Can someone explain (simply) how Share, folder and sub folder
permissions work because everything I do in my domain
simply does not work?

All users have access to everything regardless of what
permissions I set.

I leave the network for up to an hour, log on as a test
user and they still have access to everything even though I
specify access to only a select no. of shares.

Currently I have a share - SHARE A with Subfolders SB1-
SB3.

Each SB folder is a project which only a select few can
have access to.

If I have groups GP1 -3 for each SB folder what
permissions should I have for:

1. the Share
2. the Share folder (Security)
3. the SB folders in the share.

Hope someone can help.

TIA.
 

Steven L Umbach

Are you configuring ntfs permissions also? You also might try to use three top shares
instead as SB1, SB2, and SB3. However you do it, give system and administrators full
control ntfs permissions and then add the appropriate user group with the needed ntfs
permissions to each folder. If you are sharing one top folder then give
administrators full control and users change permissions to the share. If you use
three top shares then give administrators full control and the appropriate group
change control to each folder. Ntfs permissions are in a folder's properties/security
page. When you test results be sure to log on as a user and not as an administrator
and log off and back on after a change to share or ntfs permissions. For network
users, their permission to a share will be the most restrictive of either the share
or ntfs permissions. The link below may help. --- Steve

http://support.microsoft.com/default.aspx?kbid=300691
 

jmos

Thank you Steven
Yes I am including the NTFS Permissions.

What I'm doing is this:

1. Create a group (Share Group) and add GP 1-3 to it.

Share Permissions -> Domain Admin -> Full Control
-> Share Group -> Change

Share NTFS -> Domain Admin -> Full Control
-> Share Group -> Modify (Special)

Share Sub folders no Inheritance

Share Sub Folder 1-> Domain Admin -> Full Control
NTFS -> Group1 -> Modify (Special)

Share Sub Folder 2-> Domain Admin -> Full Control
NTFS -> Group2 -> Modify (Special)

Share Sub Folder 3-> Domain Admin -> Full Control
NTFS -> Group3 -> Modify (Special)

User Joe appears only in Group1
User Mary appears in Group 1 and 3

Now my understanding is that for user Joe they would get
the most restrictive of both the Share and the NTFS of the
share AND that the NTFS of the Sub Folder overrides the
securities of the aforementioned i.e. only access to Share
Sub folder 1. The same would apply to User Mary i.e access
to only Sub Folders 1 and 3 not 2.

Am I right in saying this?

If so why is this not currently working in my domain and
what else should I do or be looking for?

Many thanks for your reply

JMOS

-----Original Message-----
Are you configuring ntfs permissions also? You also might try to use three top shares
instead as SB1, SB2, and SB3. However you do it, give system and administrators full
control ntfs permissions and then add the appropriate user group with the needed ntfs
permissions to each folder. If you are sharing one top folder then give
administrators full control and users change permissions to the share. If you use
three top shares then give administrators full control and the appropriate group
change control to each folder. Ntfs permissions are in a folder's properties/security
page. When you test results be sure to log on as a user and not as an administrator
and log off and back on after a change to share or ntfs permissions. For network
users, their permission to a share will be the most restrictive of either the share
 

Steven L Umbach

At first glance it looks as if you are doing everything correctly. Are you saying that
Joe and Mary can access the data and write and delete files in all the subfolders or
what kind of access are they getting to them that you find unexpected? --- Steve
 

jmos

Yes,
What's happening is that in the case of both Joe and Mary
they have access to all the sub folders in the share and
that's what I do not want. They should only have access to
certain sub folders in the share but generally have access
to the share i.e to get to the sub folders.
 

Guest

I've found another post which states that what I'm looking for can be done.

Subject: Re: Permissions on Shared Files 7/16/2004 9:30 AM PST
By: Keith Langmead

In actuality I have had this work in the past but since I've added a couple
of other shares to the network and tried to simplify securities (explained
below) people now have access to everything which gets me wondering if there
is a corruption somewhere.

Everything else looks fine and the Event viewer shows exceptionally clean
logs. Nothing else seems to be affected.

Most other shares are working correctly and they are mapped to local drives.

My simplification of securities was to add all project security groups to
one large group to manage the share and ntfs permissions easily otherwise I
could spend hours just ensuring permissions were correct.

Is there anything else I could do or look into to solve this issue. I use a
test user to test the securities out and the only groups they are members of
are:

Domain Users -> primary
Group 1 -> Sub Folder Group

Share Group -> By implication of Group 1 being a member of Share Group.

This is exactly the same as in other shares which works well. However
something has gone wrong somewhere in setting up new shares and everyone has
access to all data regardless of the permissions I set.

Note all Shares are on the same volume.

Please Help

TIA
 

Andrew Mitchell

jmos said:
Thank you Steven
Yes I am including the NTFS Permissions.

What I'm doing is this:

1. Create a group (Share Group) and add GP 1-3 to it.

Share Permissions -> Domain Admin -> Full Control
-> Share Group -> Change

Share NTFS -> Domain Admin -> Full Control
-> Share Group -> Modify (Special)

Share Sub folders no Inheritance

Share Sub Folder 1-> Domain Admin -> Full Control
NTFS -> Group1 -> Modify (Special)

Share Sub Folder 2-> Domain Admin -> Full Control
NTFS -> Group2 -> Modify (Special)

Share Sub Folder 3-> Domain Admin -> Full Control
NTFS -> Group3 -> Modify (Special)

User Joe appears only in Group1
User Mary appears in Group 1 and 3

Now my understanding is that for user Joe they would get
the most restrictive of both the Share and the NTFS of the
share AND that the NTFS of the Sub Folder overrides the
securities of the aforementioned i.e. only access to Share
Sub folder 1. The same would apply to User Mary i.e access
to only Sub Folders 1 and 3 not 2.

Am I right in saying this?

If so why is this not currently working in my domain and
what else should I do or be looking for?

Make it easy on yourself and forget about the share permissions. Set them to
full access for everyone and use NTFS permissions to lock down the level of
access you want.

Create your root directory, share it and set the share permissions to full
control for everyone. You don't need to share each folder individually. The
users and admins can access them through \\server\share\folder1,
\\server\share\folder2 etc.
Next click the 'Security' tab (this is where you set the NTFS permissions)
and give the Domain Admins group full control and the Everyone read and
execute permissions (this will put ticks in a few other boxes, which is
normal). If the check boxes are greyed out you will need to click the
'Advanced' button and disable inheritance.

For each of the sub folders, set the NTFS permissions to 'Modify' for the
groups you want to have access to that folder and 'Full control' for Domain
Admins. Make sure the 'Everyone' group is not listed as having any
permissions.

Using share permissions just confuses everyone involved (which is what I
think you've managed to do to yourself ;-) ) and also provides a false sense
of security.
You may think that you have set the share permissions OK but there could be
another share higher up the directory structure that will give users full
access if the NTFS permissions are not right. NTFS permissions can bypass
share permissions if you don't access the directory via a particular share.
Share level permissions can *never* over-ride NTFS permissions.
Much better to set the permissions at the file system level. That way there
can be no mistakes.
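
The layout described in the post above, written out as commands. This is an added example, not part of the original thread; SB1-SB3 and GP1-GP3 come from the original question, SYSTEM full control follows Steven's earlier advice, and the CONTOSO domain, the D:\Shares\ShareA path, applying the Everyone entry to the root folder only, and Windows Server 2012 or later (for the SmbShare cmdlets) are assumptions.

```powershell
# Assumed values (not from the thread): domain name and local path.
# Run elevated on the file server; needs the SmbShare module (Server 2012+).
$Domain  = 'CONTOSO'
$Root    = 'D:\Shares\ShareA'
$Folders = @{ SB1 = 'GP1'; SB2 = 'GP2'; SB3 = 'GP3' }   # subfolder -> group

New-Item -ItemType Directory -Path $Root -Force | Out-Null

# Root NTFS: admins and SYSTEM get full control. Everyone gets read & execute
# on the root folder only (no OI/CI flags), enough to reach the subfolders
# without that entry flowing down into them.
icacls $Root /grant "${Domain}\Domain Admins:(OI)(CI)F" 'SYSTEM:(OI)(CI)F'
icacls $Root /grant 'Everyone:RX'
icacls $Root /inheritance:r          # drop ACEs inherited from the volume

foreach ($name in $Folders.Keys) {
    $path  = Join-Path $Root $name
    $group = "$Domain\$($Folders[$name])"
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # Explicit ACEs first, then remove inherited ones so only these remain.
    icacls $path /grant "${Domain}\Domain Admins:(OI)(CI)F" 'SYSTEM:(OI)(CI)F' "${group}:(OI)(CI)M"
    icacls $path /inheritance:r
    icacls $path /remove:g Everyone  # make sure Everyone holds no grant here
}

# One share at the root; access control is left entirely to NTFS.
New-SmbShare -Name 'ShareA' -Path $Root -FullAccess 'Everyone'

# Review the result before testing with a non-admin account.
Get-SmbShareAccess -Name 'ShareA'
icacls $Root
Get-ChildItem $Root -Directory | ForEach-Object { icacls $_.FullName }
```

Test with an account that is only in GP1, after a fresh logon, on files that account does not own.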
 

Steven L Umbach

You have "ntfs" permissions configured on the sub folders to give specific groups
access and users not in any of those groups can access/write/and delete to those
folders?? I have never seen that before. Be sure to check advanced permissions also
for those folders for group permissions. In addition make sure that on the root/drive
folder that users/everyone has no more than read/list/execute permissions. If you
still can not get it to work try using three separate top level folders - one for
each group you want to access. Make sure you are not testing access with existing
user files because if creator owner is present in ntfs permissions, the user will be
assigned creator owner permissions to the file if they are the owner of the file as
shown in security/advanced - owner, even if they have no other permissions to the
folder. --- Steve
 

Guest

Thank you Andrew it worked first time.

The share permissions are misleading and I'm not sure that having both share
and NTFS is worth it.

Beyond your advice, where the changes did not work, the result was achieved
by removing the share and NTFS permissions and then re establishing
everything again. This seems to *unclog* the securities and re establish
with new ones.

Thank you though.
 

Andrew Mitchell

jmos said:
Thank you Andrew it worked first time.

No probs.
The share permissions are misleading and I'm not sure that having both
share and NTFS is worth it.

They're not only misleading, but can be downright dangerous.

Suppose I create a directory, share it as 'dir1' and set NTFS and share
permissions to full access for everyone.
Another admin comes along later and creates a subdirectory of my directory,
sharing it as 'dir2'. Wanting to secure their directory they set the share
permissions to full access for only the domain admins group, not knowing that
I have created a higher level share.

That admin has done this thinking that only domain admins can now get to this
directory, which is only true if it's accessed through \\server\dir2. Non
domain admins will be prevented from doing this, but *any* user can browse to
\\server\dir1\dir2 with no problems at all.
It becomes even worse when DFS becomes involved as you have absolutely no
idea what servers the other shares exist on.

Setting the permissions at the NTFS level is as close to fool-proof as you
can get. I am yet to see a situation where share level permissions are
required (with the exception of FAT32 volumes which, IMHO, is a huge no-no
anyway).
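
One way to audit a file server for the dir1/dir2 situation described above, where a folder is reachable through a higher-level share with a looser share ACL. This is an added example, not part of the original thread; the function name `Get-NestedShare` and the sample paths are hypothetical, and the live check assumes Windows Server 2012 or later.

```powershell
# Report every share whose folder lies inside another share's folder.
function Get-NestedShare {
    param([object[]] $Share)   # objects with Name and Path properties
    foreach ($child in $Share) {
        foreach ($parent in $Share) {
            if ($child.Name -eq $parent.Name) { continue }
            $prefix = $parent.Path.TrimEnd('\') + '\'
            if ($child.Path.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{
                    ChildShare  = $child.Name
                    ParentShare = $parent.Name
                    # UNC path that reaches the child folder via the parent share
                    ViaParent   = '\\{0}\{1}\{2}' -f $env:COMPUTERNAME, $parent.Name,
                                  $child.Path.Substring($prefix.Length)
                }
            }
        }
    }
}

# Constructed sample mirroring the dir1/dir2 case in the post (not real shares).
$sample = @(
    [pscustomobject]@{ Name = 'dir1'; Path = 'D:\data\dir1' }
    [pscustomobject]@{ Name = 'dir2'; Path = 'D:\data\dir1\dir2' }
)
Get-NestedShare -Share $sample | Format-Table -AutoSize

# On a file server: check the real shares and show both share ACLs side by side.
if (Get-Command Get-SmbShare -ErrorAction SilentlyContinue) {
    $live = Get-SmbShare | Where-Object { -not $_.Special -and $_.Path }
    foreach ($hit in Get-NestedShare -Share $live) {
        $hit | Format-List
        Get-SmbShareAccess -Name $hit.ChildShare, $hit.ParentShare |
            Format-Table Name, AccountName, AccessRight, AccessControlType
    }
}
```

For each hit, the NTFS ACL on the child folder is what decides access through the parent share, so that is the ACL to review.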
 
