Directory Permissions - What gives?

July 16, 2007

I shared a directory with one of our Windows 2003 servers and gave a user

Full Control accesss to that directory. However, from his computer where he

is logged on, he can't copy and paste anything to that directory. If he

remote desktop's into the server and logs on as himself, he can browse to

another network share and pull the file over without any problems.

I never had this problem in Windows 2000. How do I configure a directory on

a Windows 2003 server so that people can "push" files to that folder without

logging onto the server locally and "pulling" the files over?

July 16, 2007

Re: Directory Permissions - What gives?

What are the share permissions? When you say you gave the user FULL control

do you mean FULL NTFS permissions?

"Andrew" <Andrew@discussions.microsoft.com> wrote in message

news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com...

>I shared a directory with one of our Windows 2003 servers and gave a user

> Full Control accesss to that directory. However, from his computer where

> he

> is logged on, he can't copy and paste anything to that directory. If he

> remote desktop's into the server and logs on as himself, he can browse to

> another network share and pull the file over without any problems.

>

> I never had this problem in Windows 2000. How do I configure a directory

> on

> a Windows 2003 server so that people can "push" files to that folder

> without

> logging onto the server locally and "pulling" the files over?

July 17, 2007

RE: Directory Permissions - What gives?

hi,

check the share permissions, the diference from w2k is that in w2k the

everyone have full share permissions and on w2k3 everyone is read-only by

default.

--

Dragos CAMARA

MCSA Windows 2003 server

"Andrew" wrote:

> I shared a directory with one of our Windows 2003 servers and gave a user

> Full Control accesss to that directory. However, from his computer where he

> is logged on, he can't copy and paste anything to that directory. If he

> remote desktop's into the server and logs on as himself, he can browse to

> another network share and pull the file over without any problems.

>

> I never had this problem in Windows 2000. How do I configure a directory on

> a Windows 2003 server so that people can "push" files to that folder without

> logging onto the server locally and "pulling" the files over?

July 17, 2007

Re: Directory Permissions - What gives?

I gave the user Full Control NTFS AND Folder Share permissions.

Even if I'm logged on as Administrator, I still can't push anything down,

but I can pull files across without any issues.

I'm stumped.

"SBS Rocker" wrote:

> What are the share permissions? When you say you gave the user FULL control

> do you mean FULL NTFS permissions?

>

> "Andrew" <Andrew@discussions.microsoft.com> wrote in message

> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com...

> >I shared a directory with one of our Windows 2003 servers and gave a user

> > Full Control accesss to that directory. However, from his computer where

> > he

> > is logged on, he can't copy and paste anything to that directory. If he

> > remote desktop's into the server and logs on as himself, he can browse to

> > another network share and pull the file over without any problems.

> >

> > I never had this problem in Windows 2000. How do I configure a directory

> > on

> > a Windows 2003 server so that people can "push" files to that folder

> > without

> > logging onto the server locally and "pulling" the files over?

>

July 17, 2007

Re: Directory Permissions - What gives?

I think I may know what your problems are. You say..........

"I gave the user Full Control NTFS AND Folder Share permissions."

does the group Everyone=READ on the Share permissions still there ? If so

you need to remove the user=FULL and change Everyone=FULL on the share

permissions. No need to add a user to the share permissions and give him

FULL access. By industry best practices when creating a Share the default

would be Everyone=FULL.

"Andrew" <Andrew@discussions.microsoft.com> wrote in message

news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com...

>I gave the user Full Control NTFS AND Folder Share permissions.

>

> Even if I'm logged on as Administrator, I still can't push anything down,

> but I can pull files across without any issues.

>

> I'm stumped.

>

> "SBS Rocker" wrote:

>

>> What are the share permissions? When you say you gave the user FULL

>> control

>> do you mean FULL NTFS permissions?

>>

>> "Andrew" <Andrew@discussions.microsoft.com> wrote in message

>> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com...

>> >I shared a directory with one of our Windows 2003 servers and gave a

>> >user

>> > Full Control accesss to that directory. However, from his computer

>> > where

>> > he

>> > is logged on, he can't copy and paste anything to that directory. If

>> > he

>> > remote desktop's into the server and logs on as himself, he can browse

>> > to

>> > another network share and pull the file over without any problems.

>> >

>> > I never had this problem in Windows 2000. How do I configure a

>> > directory

>> > on

>> > a Windows 2003 server so that people can "push" files to that folder

>> > without

>> > logging onto the server locally and "pulling" the files over?

>>

July 18, 2007

Re: Directory Permissions - What gives?

hi,

i dont agree with the best practices to give everyone full permisions on the

share. Best practices is to check and add the groups proper there.

--

Dragos CAMARA

MCSA Windows 2003 server

"SBS Rocker" wrote:

> I think I may know what your problems are. You say..........

>

> "I gave the user Full Control NTFS AND Folder Share permissions."

> does the group Everyone=READ on the Share permissions still there ? If so

> you need to remove the user=FULL and change Everyone=FULL on the share

> permissions. No need to add a user to the share permissions and give him

> FULL access. By industry best practices when creating a Share the default

> would be Everyone=FULL.

>

> "Andrew" <Andrew@discussions.microsoft.com> wrote in message

> news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com...

> >I gave the user Full Control NTFS AND Folder Share permissions.

> >

> > Even if I'm logged on as Administrator, I still can't push anything down,

> > but I can pull files across without any issues.

> >

> > I'm stumped.

> >

> > "SBS Rocker" wrote:

> >

> >> What are the share permissions? When you say you gave the user FULL

> >> control

> >> do you mean FULL NTFS permissions?

> >>

> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message

> >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com...

> >> >I shared a directory with one of our Windows 2003 servers and gave a

> >> >user

> >> > Full Control accesss to that directory. However, from his computer

> >> > where

> >> > he

> >> > is logged on, he can't copy and paste anything to that directory. If

> >> > he

> >> > remote desktop's into the server and logs on as himself, he can browse

> >> > to

> >> > another network share and pull the file over without any problems.

> >> >

> >> > I never had this problem in Windows 2000. How do I configure a

> >> > directory

> >> > on

> >> > a Windows 2003 server so that people can "push" files to that folder

> >> > without

> >> > logging onto the server locally and "pulling" the files over?

> >>

>

July 18, 2007

Re: Directory Permissions - What gives?

OK then you keep trying to figure it out why you have issues. Good

luck.............

"Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message

news:CE8670EA-0F71-47A5-BE85-5132B7F7875C@microsoft.com...

> hi,

> i dont agree with the best practices to give everyone full permisions on

> the

> share. Best practices is to check and add the groups proper there.

>

> --

> Dragos CAMARA

> MCSA Windows 2003 server

>

> "SBS Rocker" wrote:

>

>> I think I may know what your problems are. You say..........

>>

>> "I gave the user Full Control NTFS AND Folder Share permissions."

>> does the group Everyone=READ on the Share permissions still there ? If so

>> you need to remove the user=FULL and change Everyone=FULL on the share

>> permissions. No need to add a user to the share permissions and give him

>> FULL access. By industry best practices when creating a Share the default

>> would be Everyone=FULL.

>>

>> "Andrew" <Andrew@discussions.microsoft.com> wrote in message

>> news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com...

>> >I gave the user Full Control NTFS AND Folder Share permissions.

>> >

>> > Even if I'm logged on as Administrator, I still can't push anything

>> > down,

>> > but I can pull files across without any issues.

>> >

>> > I'm stumped.

>> >

>> > "SBS Rocker" wrote:

>> >

>> >> What are the share permissions? When you say you gave the user FULL

>> >> control

>> >> do you mean FULL NTFS permissions?

>> >>

>> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message

>> >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com...

>> >> >I shared a directory with one of our Windows 2003 servers and gave a

>> >> >user

>> >> > Full Control accesss to that directory. However, from his computer

>> >> > where

>> >> > he

>> >> > is logged on, he can't copy and paste anything to that directory.

>> >> > If

>> >> > he

>> >> > remote desktop's into the server and logs on as himself, he can

>> >> > browse

>> >> > to

>> >> > another network share and pull the file over without any problems.

>> >> >

>> >> > I never had this problem in Windows 2000. How do I configure a

>> >> > directory

>> >> > on

>> >> > a Windows 2003 server so that people can "push" files to that folder

>> >> > without

>> >> > logging onto the server locally and "pulling" the files over?

>> >>

>>

July 18, 2007

Re: Directory Permissions - What gives?

A good article for those who don't understand how Shares work in conjunction

with NTFS permissions. Take note on the last paragraph.....

http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1093198,00.html?FromTaxonomy=%252Fpr%252F286434

"Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message

news:CE8670EA-0F71-47A5-BE85-5132B7F7875C@microsoft.com...

> hi,

> i dont agree with the best practices to give everyone full permisions on

> the

> share. Best practices is to check and add the groups proper there.

>

> --

> Dragos CAMARA

> MCSA Windows 2003 server

>

> "SBS Rocker" wrote:

>

>> I think I may know what your problems are. You say..........

>>

>> "I gave the user Full Control NTFS AND Folder Share permissions."

>> does the group Everyone=READ on the Share permissions still there ? If so

>> you need to remove the user=FULL and change Everyone=FULL on the share

>> permissions. No need to add a user to the share permissions and give him

>> FULL access. By industry best practices when creating a Share the default

>> would be Everyone=FULL.

>>

>> "Andrew" <Andrew@discussions.microsoft.com> wrote in message

>> news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com...

>> >I gave the user Full Control NTFS AND Folder Share permissions.

>> >

>> > Even if I'm logged on as Administrator, I still can't push anything

>> > down,

>> > but I can pull files across without any issues.

>> >

>> > I'm stumped.

>> >

>> > "SBS Rocker" wrote:

>> >

>> >> What are the share permissions? When you say you gave the user FULL

>> >> control

>> >> do you mean FULL NTFS permissions?

>> >>

>> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message

>> >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com...

>> >> >I shared a directory with one of our Windows 2003 servers and gave a

>> >> >user

>> >> > Full Control accesss to that directory. However, from his computer

>> >> > where

>> >> > he

>> >> > is logged on, he can't copy and paste anything to that directory.

>> >> > If

>> >> > he

>> >> > remote desktop's into the server and logs on as himself, he can

>> >> > browse

>> >> > to

>> >> > another network share and pull the file over without any problems.

>> >> >

>> >> > I never had this problem in Windows 2000. How do I configure a

>> >> > directory

>> >> > on

>> >> > a Windows 2003 server so that people can "push" files to that folder

>> >> > without

>> >> > logging onto the server locally and "pulling" the files over?

>> >>

>>

July 18, 2007

Re: Directory Permissions - What gives?

SBS Rocker,

I do agree with you because I consider myself a throwback from the old NT

days and that is the way I have always done it and consider to be the

industry best practices method. Also the link you provided Dragos confirms

the industry best practices. That said I do believe you may be a bit harsh

in explaining it to Dragos. This NG is here to assist and help those who

posts questions and issues and not to belittle and discourage others because

of their lack of knowledge or experience.

Dragos,

SBS Rocker is correct and the reason being is because how Share permissions

"superceed" NTFS permissions with the "most restrictive" access. In your

case I think you are trying to secure your folder access using the Share

permissions. If you do this you will find yourself doing more administrative

work than necessary. The reason you users cannot write to that folder even

though you gave them FULL "NTFS" permissions is because what resides in your

Share permissions. You can give Joe Bob FULL share permissions and FULL NTFS

permissions but that that is not going to work as long as their is a group

that includes Joe Bob in the Share permissions will lesser access. I'm

assuming the group EVERYONE=Read in still in your share permissions. That is

what is preventing Joe Bob from writng to that folder because share

permissions will alow the most restrictive access overriding his FULL share

permissions.

Take SBS Rockers advice. All you need at the Share level is Everyone or

Authenticated Users = FULL. control your security at the NTFS permssions.

"SBS Rocker" <noreply@NoDomain.com> wrote in message

news:eiFGQcVyHHA.276@TK2MSFTNGP06.phx.gbl...

>A good article for those who don't understand how Shares work in

>conjunction with NTFS permissions. Take note on the last paragraph.....

>

> http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1093198,00.html?FromTaxonomy=%252Fpr%252F286434

>

> "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message

> news:CE8670EA-0F71-47A5-BE85-5132B7F7875C@microsoft.com...

>> hi,

>> i dont agree with the best practices to give everyone full permisions on

>> the

>> share. Best practices is to check and add the groups proper there.

>>

>> --

>> Dragos CAMARA

>> MCSA Windows 2003 server

>>

>> "SBS Rocker" wrote:

>>

>>> I think I may know what your problems are. You say..........

>>>

>>> "I gave the user Full Control NTFS AND Folder Share permissions."

>>> does the group Everyone=READ on the Share permissions still there ? If

>>> so

>>> you need to remove the user=FULL and change Everyone=FULL on the share

>>> permissions. No need to add a user to the share permissions and give him

>>> FULL access. By industry best practices when creating a Share the

>>> default

>>> would be Everyone=FULL.

>>>

>>> "Andrew" <Andrew@discussions.microsoft.com> wrote in message

>>> news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com...

>>> >I gave the user Full Control NTFS AND Folder Share permissions.

>>> >

>>> > Even if I'm logged on as Administrator, I still can't push anything

>>> > down,

>>> > but I can pull files across without any issues.

>>> >

>>> > I'm stumped.

>>> >

>>> > "SBS Rocker" wrote:

>>> >

>>> >> What are the share permissions? When you say you gave the user FULL

>>> >> control

>>> >> do you mean FULL NTFS permissions?

>>> >>

>>> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message

>>> >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com...

>>> >> >I shared a directory with one of our Windows 2003 servers and gave a

>>> >> >user

>>> >> > Full Control accesss to that directory. However, from his computer

>>> >> > where

>>> >> > he

>>> >> > is logged on, he can't copy and paste anything to that directory.

>>> >> > If

>>> >> > he

>>> >> > remote desktop's into the server and logs on as himself, he can

>>> >> > browse

>>> >> > to

>>> >> > another network share and pull the file over without any problems.

>>> >> >

>>> >> > I never had this problem in Windows 2000. How do I configure a

>>> >> > directory

>>> >> > on

>>> >> > a Windows 2003 server so that people can "push" files to that

>>> >> > folder

>>> >> > without

>>> >> > logging onto the server locally and "pulling" the files over?

>>> >>

>>>

>

July 18, 2007

Re: Directory Permissions - What gives?

Hi Paul,

You are correct maybe I was a bit too harsh on poor ole Andrew. However it

just aggrevates me to see a person who advertises himself as being an MCSA

and doesn't understand NFTS and Share permissions. I mean come on. that's

elementary. That was one of the first things we learned going back to NT 3.5

days and for him to doubt it being the industry best practices and being an

MCSA and to disagree with someone who is trying to help him isn't going to

get him anywhere. Perhaps he should of stated his disagreement and then

asked why I think it is the industry best practices and I would have

explained it to him.

"Paul in Detroit" <PaulG@yahoo.com> wrote in message

news:uXnwJoVyHHA.5584@TK2MSFTNGP02.phx.gbl...

> SBS Rocker,

> I do agree with you because I consider myself a throwback from the old NT

> days and that is the way I have always done it and consider to be the

> industry best practices method. Also the link you provided Dragos confirms

> the industry best practices. That said I do believe you may be a bit harsh

> in explaining it to Dragos. This NG is here to assist and help those who

> posts questions and issues and not to belittle and discourage others

> because of their lack of knowledge or experience.

>

> Dragos,

> SBS Rocker is correct and the reason being is because how Share

> permissions "superceed" NTFS permissions with the "most restrictive"

> access. In your case I think you are trying to secure your folder access

> using the Share permissions. If you do this you will find yourself doing

> more administrative work than necessary. The reason you users cannot write

> to that folder even though you gave them FULL "NTFS" permissions is

> because what resides in your Share permissions. You can give Joe Bob FULL

> share permissions and FULL NTFS permissions but that that is not going to

> work as long as their is a group that includes Joe Bob in the Share

> permissions will lesser access. I'm assuming the group EVERYONE=Read in

> still in your share permissions. That is what is preventing Joe Bob from

> writng to that folder because share permissions will alow the most

> restrictive access overriding his FULL share permissions.

> Take SBS Rockers advice. All you need at the Share level is Everyone or

> Authenticated Users = FULL. control your security at the NTFS permssions.

>

> "SBS Rocker" <noreply@NoDomain.com> wrote in message

> news:eiFGQcVyHHA.276@TK2MSFTNGP06.phx.gbl...

>>A good article for those who don't understand how Shares work in

>>conjunction with NTFS permissions. Take note on the last paragraph.....

>>

>> http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1093198,00.html?FromTaxonomy=%252Fpr%252F286434

>>

>> "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message

>> news:CE8670EA-0F71-47A5-BE85-5132B7F7875C@microsoft.com...

>>> hi,

>>> i dont agree with the best practices to give everyone full permisions on

>>> the

>>> share. Best practices is to check and add the groups proper there.

>>>

>>> --

>>> Dragos CAMARA

>>> MCSA Windows 2003 server

>>>

>>> "SBS Rocker" wrote:

>>>

>>>> I think I may know what your problems are. You say..........

>>>>

>>>> "I gave the user Full Control NTFS AND Folder Share permissions."

>>>> does the group Everyone=READ on the Share permissions still there ? If

>>>> so

>>>> you need to remove the user=FULL and change Everyone=FULL on the share

>>>> permissions. No need to add a user to the share permissions and give

>>>> him

>>>> FULL access. By industry best practices when creating a Share the

>>>> default

>>>> would be Everyone=FULL.

>>>>

>>>> "Andrew" <Andrew@discussions.microsoft.com> wrote in message

>>>> news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com...

>>>> >I gave the user Full Control NTFS AND Folder Share permissions.

>>>> >

>>>> > Even if I'm logged on as Administrator, I still can't push anything

>>>> > down,

>>>> > but I can pull files across without any issues.

>>>> >

>>>> > I'm stumped.

>>>> >

>>>> > "SBS Rocker" wrote:

>>>> >

>>>> >> What are the share permissions? When you say you gave the user FULL

>>>> >> control

>>>> >> do you mean FULL NTFS permissions?

>>>> >>

>>>> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message

>>>> >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com...

>>>> >> >I shared a directory with one of our Windows 2003 servers and gave

>>>> >> >a

>>>> >> >user

>>>> >> > Full Control accesss to that directory. However, from his

>>>> >> > computer

>>>> >> > where

>>>> >> > he

>>>> >> > is logged on, he can't copy and paste anything to that directory.

>>>> >> > If

>>>> >> > he

>>>> >> > remote desktop's into the server and logs on as himself, he can

>>>> >> > browse

>>>> >> > to

>>>> >> > another network share and pull the file over without any problems.

>>>> >> >

>>>> >> > I never had this problem in Windows 2000. How do I configure a

>>>> >> > directory

>>>> >> > on

>>>> >> > a Windows 2003 server so that people can "push" files to that

>>>> >> > folder

>>>> >> > without

>>>> >> > logging onto the server locally and "pulling" the files over?

>>>> >>

>>>>

>>

>

July 18, 2007

Re: Directory Permissions - What gives?

I apologize. It was Dragos I was referring to and not Andrew.

"SBS Rocker" <noreply@NoDomain.com> wrote in message

news:OVajTtVyHHA.5380@TK2MSFTNGP04.phx.gbl...

> Hi Paul,

> You are correct maybe I was a bit too harsh on poor ole Andrew. However it

> just aggrevates me to see a person who advertises himself as being an MCSA

> and doesn't understand NFTS and Share permissions. I mean come on. that's

> elementary. That was one of the first things we learned going back to NT

> 3.5 days and for him to doubt it being the industry best practices and

> being an MCSA and to disagree with someone who is trying to help him isn't

> going to get him anywhere. Perhaps he should of stated his disagreement

> and then asked why I think it is the industry best practices and I would

> have explained it to him.

>

> "Paul in Detroit" <PaulG@yahoo.com> wrote in message

> news:uXnwJoVyHHA.5584@TK2MSFTNGP02.phx.gbl...

>> SBS Rocker,

>> I do agree with you because I consider myself a throwback from the old NT

>> days and that is the way I have always done it and consider to be the

>> industry best practices method. Also the link you provided Dragos

>> confirms the industry best practices. That said I do believe you may be a

>> bit harsh in explaining it to Dragos. This NG is here to assist and help

>> those who posts questions and issues and not to belittle and discourage

>> others because of their lack of knowledge or experience.

>>

>> Dragos,

>> SBS Rocker is correct and the reason being is because how Share

>> permissions "superceed" NTFS permissions with the "most restrictive"

>> access. In your case I think you are trying to secure your folder access

>> using the Share permissions. If you do this you will find yourself doing

>> more administrative work than necessary. The reason you users cannot

>> write to that folder even though you gave them FULL "NTFS" permissions is

>> because what resides in your Share permissions. You can give Joe Bob FULL

>> share permissions and FULL NTFS permissions but that that is not going to

>> work as long as their is a group that includes Joe Bob in the Share

>> permissions will lesser access. I'm assuming the group EVERYONE=Read in

>> still in your share permissions. That is what is preventing Joe Bob from

>> writng to that folder because share permissions will alow the most

>> restrictive access overriding his FULL share permissions.

>> Take SBS Rockers advice. All you need at the Share level is Everyone or

>> Authenticated Users = FULL. control your security at the NTFS permssions.

>>

>> "SBS Rocker" <noreply@NoDomain.com> wrote in message

>> news:eiFGQcVyHHA.276@TK2MSFTNGP06.phx.gbl...

>>>A good article for those who don't understand how Shares work in

>>>conjunction with NTFS permissions. Take note on the last paragraph.....

>>>

>>> http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1093198,00.html?FromTaxonomy=%252Fpr%252F286434

>>>

>>> "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message

>>> news:CE8670EA-0F71-47A5-BE85-5132B7F7875C@microsoft.com...

>>>> hi,

>>>> i dont agree with the best practices to give everyone full permisions

>>>> on the

>>>> share. Best practices is to check and add the groups proper there.

>>>>

>>>> --

>>>> Dragos CAMARA

>>>> MCSA Windows 2003 server

>>>>

>>>> "SBS Rocker" wrote:

>>>>

>>>>> I think I may know what your problems are. You say..........

>>>>>

>>>>> "I gave the user Full Control NTFS AND Folder Share permissions."

>>>>> does the group Everyone=READ on the Share permissions still there ? If

>>>>> so

>>>>> you need to remove the user=FULL and change Everyone=FULL on the share

>>>>> permissions. No need to add a user to the share permissions and give

>>>>> him

>>>>> FULL access. By industry best practices when creating a Share the

>>>>> default

>>>>> would be Everyone=FULL.

>>>>>

>>>>> "Andrew" <Andrew@discussions.microsoft.com> wrote in message

>>>>> news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com...

>>>>> >I gave the user Full Control NTFS AND Folder Share permissions.

>>>>> >

>>>>> > Even if I'm logged on as Administrator, I still can't push anything

>>>>> > down,

>>>>> > but I can pull files across without any issues.

>>>>> >

>>>>> > I'm stumped.

>>>>> >

>>>>> > "SBS Rocker" wrote:

>>>>> >

>>>>> >> What are the share permissions? When you say you gave the user FULL

>>>>> >> control

>>>>> >> do you mean FULL NTFS permissions?

>>>>> >>

>>>>> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message

>>>>> >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com...

>>>>> >> >I shared a directory with one of our Windows 2003 servers and gave

>>>>> >> >a

>>>>> >> >user

>>>>> >> > Full Control accesss to that directory. However, from his

>>>>> >> > computer

>>>>> >> > where

>>>>> >> > he

>>>>> >> > is logged on, he can't copy and paste anything to that directory.

>>>>> >> > If

>>>>> >> > he

>>>>> >> > remote desktop's into the server and logs on as himself, he can

>>>>> >> > browse

>>>>> >> > to

>>>>> >> > another network share and pull the file over without any

>>>>> >> > problems.

>>>>> >> >

>>>>> >> > I never had this problem in Windows 2000. How do I configure a

>>>>> >> > directory

>>>>> >> > on

>>>>> >> > a Windows 2003 server so that people can "push" files to that

>>>>> >> > folder

>>>>> >> > without

>>>>> >> > logging onto the server locally and "pulling" the files over?

>>>>> >>

>>>>>

>>>

>>

>

July 18, 2007

Re: Directory Permissions - What gives?

wow!!! looks like I stumbled into a very interesting thread. Did anyone ever

resolve Andrew's issues? Let me throw in my cents here and try not to offend

anyone. I'm going to have to agree with SBS Rocker simply because if you

start applying users and groups at the share level you are creating more

work and managing the ntfs folder permissions becomes quite a task Rocker

is correct. You need to apply Everyone=FULL at the share level. I'm not sure

what Dragos was thinking about offering his suggestion to add groups to the

share permissions. Afterall he is a MCSA and he should know better than

that.

Dragos what happens if I give Group A FULL share permissions and Modify NTFS

permissions on the folder. Now I have a subfolder that requires part od the

users of Group A to have Modify and a new Group B to have read access yet

some of the members of Group B are members of Group A. Now what are you

going to do?

"Andrew" <Andrew@discussions.microsoft.com> wrote in message

news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com...

>I shared a directory with one of our Windows 2003 servers and gave a user

> Full Control accesss to that directory. However, from his computer where

> he

> is logged on, he can't copy and paste anything to that directory. If he

> remote desktop's into the server and logs on as himself, he can browse to

> another network share and pull the file over without any problems.

>

> I never had this problem in Windows 2000. How do I configure a directory

> on

> a Windows 2003 server so that people can "push" files to that folder

> without

> logging onto the server locally and "pulling" the files over?

July 18, 2007

Re: Directory Permissions - What gives?

Dragos,

I do agree with SBS Rocker and Paul in Detroit with one exception and I add

"Authenticated Users=FULL" and remove the Everyone group. IMHO that is all

that is required at the Share level. You control security at the NTFS folder

level. As far as best practices are concerned in the "old days" as many of

you are referrring to it was by "default" that at the Share level

Everyone=FULL. Now in W2k3 it is default Everyone=Read. Here is another good

article regarding the reasoning for the change and "best practices" with

share and ntfs permssions. And Dragos you don't even want to get into why

you do not control security at the Share level. Share permissions are

basically used to allow acces to the shared resource and not used to control

security. You use NTFS Folder and File permissions for that.

"Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message

news:CE8670EA-0F71-47A5-BE85-5132B7F7875C@microsoft.com...

> hi,

> i dont agree with the best practices to give everyone full permisions on

> the

> share. Best practices is to check and add the groups proper there.

>

> --

> Dragos CAMARA

> MCSA Windows 2003 server

>

> "SBS Rocker" wrote:

>

>> I think I may know what your problems are. You say..........

>>

>> "I gave the user Full Control NTFS AND Folder Share permissions."

>> does the group Everyone=READ on the Share permissions still there ? If so

>> you need to remove the user=FULL and change Everyone=FULL on the share

>> permissions. No need to add a user to the share permissions and give him

>> FULL access. By industry best practices when creating a Share the default

>> would be Everyone=FULL.

>>

>> "Andrew" <Andrew@discussions.microsoft.com> wrote in message

>> news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com...

>> >I gave the user Full Control NTFS AND Folder Share permissions.

>> >

>> > Even if I'm logged on as Administrator, I still can't push anything

>> > down,

>> > but I can pull files across without any issues.

>> >

>> > I'm stumped.

>> >

>> > "SBS Rocker" wrote:

>> >

>> >> What are the share permissions? When you say you gave the user FULL

>> >> control

>> >> do you mean FULL NTFS permissions?

>> >>

>> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message

>> >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com...

>> >> >I shared a directory with one of our Windows 2003 servers and gave a

>> >> >user

>> >> > Full Control accesss to that directory. However, from his computer

>> >> > where

>> >> > he

>> >> > is logged on, he can't copy and paste anything to that directory.

>> >> > If

>> >> > he

>> >> > remote desktop's into the server and logs on as himself, he can

>> >> > browse

>> >> > to

>> >> > another network share and pull the file over without any problems.

>> >> >

>> >> > I never had this problem in Windows 2000. How do I configure a

>> >> > directory

>> >> > on

>> >> > a Windows 2003 server so that people can "push" files to that folder

>> >> > without

>> >> > logging onto the server locally and "pulling" the files over?

>> >>

>>

July 18, 2007

Re: Directory Permissions - What gives?

I forgot the link. here it is.......

http://www.windowsecurity.com/articles/Share-Permissions.html

"jj johnson" <yurkiddingme@domain.com> wrote in message

news:uXACclWyHHA.5592@TK2MSFTNGP04.phx.gbl...

> Dragos,

> I do agree with SBS Rocker and Paul in Detroit with one exception and I

> add "Authenticated Users=FULL" and remove the Everyone group. IMHO that is

> all that is required at the Share level. You control security at the NTFS

> folder level. As far as best practices are concerned in the "old days" as

> many of you are referrring to it was by "default" that at the Share level

> Everyone=FULL. Now in W2k3 it is default Everyone=Read. Here is another

> good article regarding the reasoning for the change and "best practices"

> with share and ntfs permssions. And Dragos you don't even want to get into

> why you do not control security at the Share level. Share permissions are

> basically used to allow acces to the shared resource and not used to

> control security. You use NTFS Folder and File permissions for that.

>

> "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message

> news:CE8670EA-0F71-47A5-BE85-5132B7F7875C@microsoft.com...

>> hi,

>> i dont agree with the best practices to give everyone full permisions on

>> the

>> share. Best practices is to check and add the groups proper there.

>>

>> --

>> Dragos CAMARA

>> MCSA Windows 2003 server

>>

>> "SBS Rocker" wrote:

>>

>>> I think I may know what your problems are. You say..........

>>>

>>> "I gave the user Full Control NTFS AND Folder Share permissions."

>>> does the group Everyone=READ on the Share permissions still there ? If

>>> so

>>> you need to remove the user=FULL and change Everyone=FULL on the share

>>> permissions. No need to add a user to the share permissions and give him

>>> FULL access. By industry best practices when creating a Share the

>>> default

>>> would be Everyone=FULL.

>>>

>>> "Andrew" <Andrew@discussions.microsoft.com> wrote in message

>>> news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com...

>>> >I gave the user Full Control NTFS AND Folder Share permissions.

>>> >

>>> > Even if I'm logged on as Administrator, I still can't push anything

>>> > down,

>>> > but I can pull files across without any issues.

>>> >

>>> > I'm stumped.

>>> >

>>> > "SBS Rocker" wrote:

>>> >

>>> >> What are the share permissions? When you say you gave the user FULL

>>> >> control

>>> >> do you mean FULL NTFS permissions?

>>> >>

>>> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message

>>> >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com...

>>> >> >I shared a directory with one of our Windows 2003 servers and gave a

>>> >> >user

>>> >> > Full Control accesss to that directory. However, from his computer

>>> >> > where

>>> >> > he

>>> >> > is logged on, he can't copy and paste anything to that directory.

>>> >> > If

>>> >> > he

>>> >> > remote desktop's into the server and logs on as himself, he can

>>> >> > browse

>>> >> > to

>>> >> > another network share and pull the file over without any problems.

>>> >> >

>>> >> > I never had this problem in Windows 2000. How do I configure a

>>> >> > directory

>>> >> > on

>>> >> > a Windows 2003 server so that people can "push" files to that

>>> >> > folder

>>> >> > without

>>> >> > logging onto the server locally and "pulling" the files over?

>>> >>

>>>

>

July 18, 2007

Re: Directory Permissions - What gives?

hmmmmmmmmmm this is all very interesting. Sure would like to see what Dragos

response is to Eagles10 question. Dragos I'm almost embarrassed to have read

your reply to Andrew instructing him to secure his folders at the share

level using groups. Makes the rest of us MCSA's look like we have no

creditability

"Eagles10" <bogus@bogus.net> wrote in message

news:%233TvKRWyHHA.4276@TK2MSFTNGP05.phx.gbl...

> wow!!! looks like I stumbled into a very interesting thread. Did anyone

> ever resolve Andrew's issues? Let me throw in my cents here and try not to

> offend anyone. I'm going to have to agree with SBS Rocker simply because

> if you start applying users and groups at the share level you are creating

> more work and managing the ntfs folder permissions becomes quite a task

> Rocker is correct. You need to apply Everyone=FULL at the share level. I'm

> not sure what Dragos was thinking about offering his suggestion to add

> groups to the share permissions. Afterall he is a MCSA and he should know

> better than that.

>

> Dragos what happens if I give Group A FULL share permissions and Modify

> NTFS permissions on the folder. Now I have a subfolder that requires part

> od the users of Group A to have Modify and a new Group B to have read

> access yet some of the members of Group B are members of Group A. Now what

> are you going to do?

>

> "Andrew" <Andrew@discussions.microsoft.com> wrote in message

> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com...

>>I shared a directory with one of our Windows 2003 servers and gave a user

>> Full Control accesss to that directory. However, from his computer where

>> he

>> is logged on, he can't copy and paste anything to that directory. If he

>> remote desktop's into the server and logs on as himself, he can browse to

>> another network share and pull the file over without any problems.

>>

>> I never had this problem in Windows 2000. How do I configure a directory

>> on

>> a Windows 2003 server so that people can "push" files to that folder

>> without

>> logging onto the server locally and "pulling" the files over?

>

July 19, 2007

Re: Directory Permissions - What gives?

While I agree with using NTFS permissions to control access to folders and

files in a shared folder and setting Share Permissions to Everyone (or

Authenticated Users if you prefer) Full Control, you might want to review

the example in your second paragraph.

Share Permissions work the same way that NTFS permissions do - they are

additive - a given user gets the sum of all the permissions granted to them

by all the groups they are members of, not the least permission as you

stated (assuming I understand what you said correctly). With Share

permissions, there are only three possibilities, so the situation is simple:

- if the user is a member of a group that is granted Share Permission of

Full Control or Change, then, if the NTFS permissions grant them Modify,

they will be able to change things in the share regardless of what other

groups they may be members of that only have Share Permissions of Read. The

only thing that changes this is if there is a "Deny" permission setting

anywhere - Deny always takes precedence over any Allow permissions.

As far as I'm aware, this has always been the case and is unlikely to change

in the future.

I'm not sure what "Andrew"'s problem was caused by, but perhaps there is a

communication/terminology issue and the following steps will clarify things

for him.

Try this:

On an XP SP2 computer that is a domain member (e.g. XPSP2), logon with an

administrative user account

1. open Windows Explorer and create a new Folder (e.g. c:\Test) in a

convenient place

2. right click the folder, select Sharing and Security...; on the Sharing

tab

a. select the Share this folder radio button

b. click Permissions

c. observe that the Share Permissions (default) are Everyone - Read - as

expected for XP SP2

d. click Cancel

3. select the Security tab

4. set the permissions to:

- Administrators - Full Control

- SYSTEM - Full Control

- Users - Modify

click OK; (saves the changes and closes the Properties dialog)

I'm assuming that the local Users group on this computer (XPSP2) contains at

least some domain user accounts (e.g. brucen) - the default is Domain Users

(as it has been forever)

On another computer in the same domain (e.g. XPTest), logon with a domain

user account that is also a member of the local Users group of the first

computer (e.g. brucen)

5. in Start, Run, key \\xpsp2\test

6. observe that Windows Explorer opens showing the Test folder associated

with the Test share - this folder is currently empty

7. attempt to create a file or a folder or both - this fails - access is

denied

On the first computer (e.g. XPSP2):

8. right click the shard folder (e.g. c:\test), select Sharing and

Security...; on the Sharing tab

a. click Permissions

b. click Add

c. add a domain group that contains the user account you logged on at

the second computer with (e.g. Domain Users), and grant that group Full

Control.

d. the Share Permissions will now look like:

Everyone - Read

Domain Users - Full Control

e. click OK

On the second computer (e.g. XPTest):

9. add a file through the share - works

10. add a folder through the share - works

The above was just to test the theory - normally I would just add Full

Control to Everyone in the Share Permissions.

--

Bruce Sanderson MVP Printing

http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.