Win 2003 - Share can be read with no NTFS permission?

P

Patrick Saunders

Hi,
I apoligise in advance if this is the wrong newsgroup - I could not
find one for win2003.

Scenario:

I have small test domain with couple of machines.

1. On a member win2003 server machine '2K3Client' I created folder
"c:\ShareA"
2. I shared folder "ShareA", with default permissions.

This shows permissions as such:

Share permissions
=================
Everyone - Read


NTFS Security permissions
==========================
Administrators(2K3Client\Administrators) - Full
SYSTEM - Full
Users (2K3Client\Users) - Read,List, Special.


Question:
------------
I log into another machine as a test user, with no special
privelleges.
I can navigate to the share "ShareA" on Machine "2k3Client" AND I can
view
the contents of that folder.

I do not understand why I can see contents of folder if there are no
NTFS permissions to allow this? Can someone please explain?

Many thanks in advance,

Patrick.
 
S

Steven L Umbach

You show that users have read/list permissions to that folder. Since you are
in a domain, that is enough to allow another domain user to access the
folder from another domain computer. --- Steve
 
P

Pat

I have setup a similar setup, with a new share with default
permissions in W3K (read). Add a test user with R X L R ntfs
permissions. I logon with a workstation on that domain as test user
and try to create a folder and file in the share with no success. If I
add change to the share permissions I can create a folder and file in
the share. I thought the least restrictive permissions were applied
between shares and NTFS?
 
P

Pat

If I setup a sharecalled share2 with full share permissions and add a
group called testgroup and put a user called test in that group and
give the group R permissions on the folder. I then logon at a WS with
the user Test who is a domain user default rights on the domain and
administrative rights on the WS, I have Read rights on any
folders\files that were created by the admin on the server in share2.
I cannot delete these. I can create a file and in the NTFS permissions
I have Read rights on the testgroup group and it also puts in the test
user with full rights. where do the full rights come from. If I just
want a share that users can only read, not write or modify how can I
do that?
 
S

Steven L Umbach

I think your problem may be that the user you are testing with is a local
administrator on the computer where the share exists. The administrators
group may have full control permissions to the folder. Try removing your
test user from the local administrators group and try again after logging
off and logging back on. If the creator/owner is present, the user that
creates the file will receive those permissions which usually are full
control.

To create a share where you want users to only read files give the users
group only read permissions to the share and read/list for ntfs folder
permissions and make sure the users are not members of another group that
has more than read permissions to the share/folder. --- Steve
 
P

Pat

The share is on my DC, my test user had local Admin rights on the WS.
I removed the test user from the local Admin group and logged off and
on. I can create a folder on the share. It gives the user group R and
the test user Full control inherited from the parent folder. On the
share on the DC, I have Share permissions= Full control and R for the
test group. How is the test user inheriting full permissions?
 
S

Steven L Umbach

Apparently the test user has full control permissions in the parent folder?
If you create a folder and do not want to use inherited permissions go into
the advanced page for security and uncheck inherit permissions form the
parent folder at which time you will be prompted to either remove or copy
existing permissions. When checking permissions on the parent folder also
check advanced permissions to see if the user has permissions there also
which may not be apparent from the main security page.. --- Steve
 
P

Pat

It was picking up Full control permissions from creator owner. if a
user belongs to two groups,it is going to have least restrictive
permissons from both groups?
 
S

Steven L Umbach

A user will have the most permissive NTFS permissions applied based on group
membership unless deny permissions are assigned to the user either
explicitly or via group membership in which case deny usually takes
precedence though an explicit allow permission will override an inherited
deny permission. You can remove creator owner from the permissions of the
folder. For root folder you may need to do that in the advanced security
page. -- Steve
 
P

Pat

Thanks for all the help Steve.

A user will have the most permissive NTFS permissions applied based on group
membership unless deny permissions are assigned to the user either
explicitly or via group membership in which case deny usually takes
precedence though an explicit allow permission will override an inherited
deny permission. You can remove creator owner from the permissions of the
folder. For root folder you may need to do that in the advanced security
page. -- Steve
Click to expand...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Share and NTFS permissions 2
NTFS Permissions - Sub-Folders 4
NTFS and Shared Permissions 3
NTFS Permissions return to default upon server reboot 1
Share/NTFS Permissions Combined 1
NTFS & Share permissions 3
Question about share permissions 1
Convert share permissions to NTFS permissions? 1

Top