Shared folder security tab...Windows 2003 server

cyanide00

I am a network admin and I am trying to set up a file management system.
We want to have 3 or 4 different user levels, example...one can delete,
add and modify files (but not folders), one can only execute and add
but not delete, one can only execute, and the last one has no access. I
started on the highest level first (delete, add and modify) and was
able to implement that, however I have the problem of the user being
able to right click and go into properties -> and then see the security
tab and modifying their own permissions. I tried using the group policy
editor to remove the security tab. While this worked for local folders
when actually being in the server shared folders when viewed on the
network are still showing the security tab. I tried everything...anyone
have any ideas I would appreciate it very much! Would I have to edit
each computer's registry trying to access the shared folder?
 
Colin Nash [MVP]

cyanide00 said:
I am a network admin and I am trying to set up a file management system.
We want to have 3 or 4 different user levels, example...one can delete,
add and modify files (but not folders), one can only execute and add
but not delete, one can only execute, and the last one has no access. I
started on the highest level first (delete, add and modify) and was
able to implement that, however I have the problem of the user being
able to right click and go into properties -> and then see the security
tab and modifying their own permissions. I tried using the group policy
editor to remove the security tab. While this worked for local folders
when actually being in the server shared folders when viewed on the
network are still showing the security tab. I tried everything...anyone
have any ideas I would appreciate it very much! Would I have to edit
each computer's registry trying to access the shared folder?

Don't worry about the Security tab itself-- that's just the graphical
interface. You actually need to restrict the permissions granted because
even if you lock out the Security tab, users could still use command-line
tools or other utilities to get in to the files.

Make sure that the user is not a member of a group that has "full control"
on the folder(s).


http://www.microsoft.com/technet/technetmag/issues/2005/11/HowITWorksNTFS/
http://www.microsoft.com/technet/technetmag/issues/2006/01/HowITWorksNTFS/
 
cyanide00

I am a network admin and I am trying to set up a file management system.
We want to have 3 or 4 different user levels, example...one can delete,
add and modify files (but not folders), one can only execute and add
but not delete, one can only execute, and the last one has no access. I
started on the highest level first (delete, add and modify) and was
able to implement that, however I have the problem of the user being
able to right click and go into properties -> and then see the security
tab and modifying their own permissions. I tried using the group policy
editor to remove the security tab. While this worked for local folders
when actually being in the server shared folders when viewed on the
network are still showing the security tab. I tried everything...anyone
have any ideas I would appreciate it very much! Would I have to edit
each computer's registry trying to access the shared folder?

Don't worry about the Security tab itself-- that's just the graphical
interface. You actually need to restrict the permissions granted because
even if you lock out the Security tab, users could still use command-line
tools or other utilities to get in to the files.

I actually have that magazine article in front of me...but it doesn't
talk about shared folder permissions. The user is not part of any group
with full control. The BIG problem is that once the user is in the
folder they can click any subfolder and manually change their own
permissions (under group or user names) under the security tab. How can
I stop this??? My solution was to hide the security tab because it
would stop anyone who wanted to easily right click and do this.
 
Steven L Umbach

A user that creates a file/folder will be the owner of such and be able to
change permissions on them even if they have no explicit permissions. That
is the way the operating system handles owners and by default the owner gets
full control due to the creator owner placeholder that you see in advanced
permissions. You can change what permissions that creator owner applies to
the owner but the owner still can always grant themselves permissions if
they want to and know how to. If you have a need to you can change the owner
of any folder/file as an administrator via the command line or via the GUI
for Windows 2003 in properties/security/advanced/owner. If you want to hide
the security tab to make that more difficult for the user [not impossible as
Colin indicated] then you need to configure Group Policy to hide the
security tab on all the client computers. If the computers are members of an
Active Directory domain you can do that easily via Group Policy at the
domain or Organizational Unit level. --- Steve

http://www.mcmcse.com/microsoft/guides/ntfs_and_share_permissions.shtml ---
NTFS and share permissions explained
 
cyanide00

Ok, so under owner in the properties/security/advanced/owner box there
is only domainname/administrator and domainname/administrators. The
user(s) name is not in there so they shouldn't be able to change their
own permissions right? Or would I have to remove these accounts? I'm
also sure that the user is not a part of the administrators group.

So let's say I just want to hide the security tab from the users. I
tried this once already and I couldn't get it to work. I probably did
it wrong. I went into the gpedit.msc, to edit the group policy, using
administrative templates. Then I obviously enable hide security tab
THOUGH this works, it doesn't work for a folder that's shared on the
network from the server. In other words if I log into the domain using
a supposed restricted user name, find the shared folder and right click
it I can still see the security tab and also change the permissions
even though this user did not create the folder. What am I missing? Is
there a way to add users to this group policy to restrict the security
tab (even if it's shared) but allow my user name to still see the
security tab??? Any help would be much appreciated!

Thanks in advance...
 
Steven L Umbach

If the user is not in the group shown as owner then they should not be able
to change permissions because they are not owner assuming they do not have
full control permissions. If they still can change permissions then I would
think that they are in the group shown as owner. Note that each file has an
owner.

To prevent the users from seeing the security tab for domain users create a
domain/OU level Group Policy that applies to the users you want this to
apply to. If you do not want your domain user account to be affected then
make sure your user account is not in the OU/container where the Group
Policy is applied or "filter" the GPO so that your user account or global
group that your account is in has deny permissions for apply for the GPO in
the GPO properties for security. --- Steve
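
The check the replies above point to (who owns each item, and who holds Full Control or the right to change permissions) can be run across the whole share. This is an added PowerShell example, not part of the original thread; the share path and the list of trusted principals are assumptions, and it assumes PowerShell 2.0 or later on the machine running it.

```powershell
# Added example: list every principal that can rewrite permissions under a share.
# $Root and $Trusted are assumed values; replace them with your own.
param(
    [string]$Root = 'D:\Shares\Files',
    [string[]]$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

# Access-mask bits that allow changing the ACL or the owner.
$WRITE_DAC   = 0x00040000   # "Change permissions"
$WRITE_OWNER = 0x00080000   # "Take ownership"
$GENERIC_ALL = 0x10000000   # how CREATOR OWNER "Full Control" is often stored
$Risky = $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL

function New-Finding($Path, $Kind, $Identity, $Detail) {
    New-Object PSObject -Property @{
        Path = $Path; Kind = $Kind; Identity = $Identity; Detail = $Detail
    }
}

# The share root itself plus everything below it, hidden items included.
$items = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse -Force)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -Path $item.FullName

    # An owner can always grant itself rights, whatever the ACL says.
    if ($Trusted -notcontains $acl.Owner) {
        New-Finding $item.FullName 'Owner' $acl.Owner 'owner can rewrite the ACL'
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($Trusted -contains $who) { continue }
        # Full Control contains both bits, so it is caught by the same test.
        if (([int]$ace.FileSystemRights -band $Risky) -ne 0) {
            $src = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
            New-Finding $item.FullName 'ACE' $who "$($ace.FileSystemRights) ($src)"
        }
    }
}

$findings | Select-Object Path, Kind, Identity, Detail | Format-Table -AutoSize
```

Any row naming an ordinary user or group is a place where that account can change permissions with or without the Security tab; an empty result means only the trusted principals can.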
 
