Guest Andrew Posted July 16, 2007 Posted July 16, 2007 I shared a directory with one of our Windows 2003 servers and gave a user Full Control accesss to that directory. However, from his computer where he is logged on, he can't copy and paste anything to that directory. If he remote desktop's into the server and logs on as himself, he can browse to another network share and pull the file over without any problems. I never had this problem in Windows 2000. How do I configure a directory on a Windows 2003 server so that people can "push" files to that folder without logging onto the server locally and "pulling" the files over?
Guest SBS Rocker Posted July 16, 2007 Posted July 16, 2007 Re: Directory Permissions - What gives? What are the share permissions? When you say you gave the user FULL control do you mean FULL NTFS permissions? "Andrew" <Andrew@discussions.microsoft.com> wrote in message news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... >I shared a directory with one of our Windows 2003 servers and gave a user > Full Control accesss to that directory. However, from his computer where > he > is logged on, he can't copy and paste anything to that directory. If he > remote desktop's into the server and logs on as himself, he can browse to > another network share and pull the file over without any problems. > > I never had this problem in Windows 2000. How do I configure a directory > on > a Windows 2003 server so that people can "push" files to that folder > without > logging onto the server locally and "pulling" the files over?
Guest Dragos CAMARA Posted July 17, 2007 Posted July 17, 2007 RE: Directory Permissions - What gives? hi, check the share permissions, the diference from w2k is that in w2k the everyone have full share permissions and on w2k3 everyone is read-only by default. -- Dragos CAMARA MCSA Windows 2003 server "Andrew" wrote: > I shared a directory with one of our Windows 2003 servers and gave a user > Full Control accesss to that directory. However, from his computer where he > is logged on, he can't copy and paste anything to that directory. If he > remote desktop's into the server and logs on as himself, he can browse to > another network share and pull the file over without any problems. > > I never had this problem in Windows 2000. How do I configure a directory on > a Windows 2003 server so that people can "push" files to that folder without > logging onto the server locally and "pulling" the files over?
Guest Andrew Posted July 17, 2007 Posted July 17, 2007 Re: Directory Permissions - What gives? I gave the user Full Control NTFS AND Folder Share permissions. Even if I'm logged on as Administrator, I still can't push anything down, but I can pull files across without any issues. I'm stumped. "SBS Rocker" wrote: > What are the share permissions? When you say you gave the user FULL control > do you mean FULL NTFS permissions? > > "Andrew" <Andrew@discussions.microsoft.com> wrote in message > news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... > >I shared a directory with one of our Windows 2003 servers and gave a user > > Full Control accesss to that directory. However, from his computer where > > he > > is logged on, he can't copy and paste anything to that directory. If he > > remote desktop's into the server and logs on as himself, he can browse to > > another network share and pull the file over without any problems. > > > > I never had this problem in Windows 2000. How do I configure a directory > > on > > a Windows 2003 server so that people can "push" files to that folder > > without > > logging onto the server locally and "pulling" the files over? > > >
Guest SBS Rocker Posted July 17, 2007 Posted July 17, 2007 Re: Directory Permissions - What gives? I think I may know what your problems are. You say.......... "I gave the user Full Control NTFS AND Folder Share permissions." does the group Everyone=READ on the Share permissions still there ? If so you need to remove the user=FULL and change Everyone=FULL on the share permissions. No need to add a user to the share permissions and give him FULL access. By industry best practices when creating a Share the default would be Everyone=FULL. "Andrew" <Andrew@discussions.microsoft.com> wrote in message news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com... >I gave the user Full Control NTFS AND Folder Share permissions. > > Even if I'm logged on as Administrator, I still can't push anything down, > but I can pull files across without any issues. > > I'm stumped. > > "SBS Rocker" wrote: > >> What are the share permissions? When you say you gave the user FULL >> control >> do you mean FULL NTFS permissions? >> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... >> >I shared a directory with one of our Windows 2003 servers and gave a >> >user >> > Full Control accesss to that directory. However, from his computer >> > where >> > he >> > is logged on, he can't copy and paste anything to that directory. If >> > he >> > remote desktop's into the server and logs on as himself, he can browse >> > to >> > another network share and pull the file over without any problems. >> > >> > I never had this problem in Windows 2000. How do I configure a >> > directory >> > on >> > a Windows 2003 server so that people can "push" files to that folder >> > without >> > logging onto the server locally and "pulling" the files over? >> >> >>
Guest Dragos CAMARA Posted July 18, 2007 Posted July 18, 2007 Re: Directory Permissions - What gives? hi, i dont agree with the best practices to give everyone full permisions on the share. Best practices is to check and add the groups proper there. -- Dragos CAMARA MCSA Windows 2003 server "SBS Rocker" wrote: > I think I may know what your problems are. You say.......... > > "I gave the user Full Control NTFS AND Folder Share permissions." > does the group Everyone=READ on the Share permissions still there ? If so > you need to remove the user=FULL and change Everyone=FULL on the share > permissions. No need to add a user to the share permissions and give him > FULL access. By industry best practices when creating a Share the default > would be Everyone=FULL. > > > "Andrew" <Andrew@discussions.microsoft.com> wrote in message > news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com... > >I gave the user Full Control NTFS AND Folder Share permissions. > > > > Even if I'm logged on as Administrator, I still can't push anything down, > > but I can pull files across without any issues. > > > > I'm stumped. > > > > "SBS Rocker" wrote: > > > >> What are the share permissions? When you say you gave the user FULL > >> control > >> do you mean FULL NTFS permissions? > >> > >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message > >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... > >> >I shared a directory with one of our Windows 2003 servers and gave a > >> >user > >> > Full Control accesss to that directory. However, from his computer > >> > where > >> > he > >> > is logged on, he can't copy and paste anything to that directory. If > >> > he > >> > remote desktop's into the server and logs on as himself, he can browse > >> > to > >> > another network share and pull the file over without any problems. > >> > > >> > I never had this problem in Windows 2000. How do I configure a > >> > directory > >> > on > >> > a Windows 2003 server so that people can "push" files to that folder > >> > without > >> > logging onto the server locally and "pulling" the files over? > >> > >> > >> > > >
Guest SBS Rocker Posted July 18, 2007 Posted July 18, 2007 Re: Directory Permissions - What gives? OK then you keep trying to figure it out why you have issues. Good luck............. "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message news:CE8670EA-0F71-47A5-BE85-5132B7F7875C@microsoft.com... > hi, > i dont agree with the best practices to give everyone full permisions on > the > share. Best practices is to check and add the groups proper there. > > -- > Dragos CAMARA > MCSA Windows 2003 server > > > "SBS Rocker" wrote: > >> I think I may know what your problems are. You say.......... >> >> "I gave the user Full Control NTFS AND Folder Share permissions." >> does the group Everyone=READ on the Share permissions still there ? If so >> you need to remove the user=FULL and change Everyone=FULL on the share >> permissions. No need to add a user to the share permissions and give him >> FULL access. By industry best practices when creating a Share the default >> would be Everyone=FULL. >> >> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message >> news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com... >> >I gave the user Full Control NTFS AND Folder Share permissions. >> > >> > Even if I'm logged on as Administrator, I still can't push anything >> > down, >> > but I can pull files across without any issues. >> > >> > I'm stumped. >> > >> > "SBS Rocker" wrote: >> > >> >> What are the share permissions? When you say you gave the user FULL >> >> control >> >> do you mean FULL NTFS permissions? >> >> >> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message >> >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... >> >> >I shared a directory with one of our Windows 2003 servers and gave a >> >> >user >> >> > Full Control accesss to that directory. However, from his computer >> >> > where >> >> > he >> >> > is logged on, he can't copy and paste anything to that directory. >> >> > If >> >> > he >> >> > remote desktop's into the server and logs on as himself, he can >> >> > browse >> >> > to >> >> > another network share and pull the file over without any problems. >> >> > >> >> > I never had this problem in Windows 2000. How do I configure a >> >> > directory >> >> > on >> >> > a Windows 2003 server so that people can "push" files to that folder >> >> > without >> >> > logging onto the server locally and "pulling" the files over? >> >> >> >> >> >> >> >> >>
Guest SBS Rocker Posted July 18, 2007 Posted July 18, 2007 Re: Directory Permissions - What gives? A good article for those who don't understand how Shares work in conjunction with NTFS permissions. Take note on the last paragraph..... http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1093198,00.html?FromTaxonomy=%252Fpr%252F286434 "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message news:CE8670EA-0F71-47A5-BE85-5132B7F7875C@microsoft.com... > hi, > i dont agree with the best practices to give everyone full permisions on > the > share. Best practices is to check and add the groups proper there. > > -- > Dragos CAMARA > MCSA Windows 2003 server > > > "SBS Rocker" wrote: > >> I think I may know what your problems are. You say.......... >> >> "I gave the user Full Control NTFS AND Folder Share permissions." >> does the group Everyone=READ on the Share permissions still there ? If so >> you need to remove the user=FULL and change Everyone=FULL on the share >> permissions. No need to add a user to the share permissions and give him >> FULL access. By industry best practices when creating a Share the default >> would be Everyone=FULL. >> >> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message >> news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com... >> >I gave the user Full Control NTFS AND Folder Share permissions. >> > >> > Even if I'm logged on as Administrator, I still can't push anything >> > down, >> > but I can pull files across without any issues. >> > >> > I'm stumped. >> > >> > "SBS Rocker" wrote: >> > >> >> What are the share permissions? When you say you gave the user FULL >> >> control >> >> do you mean FULL NTFS permissions? >> >> >> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message >> >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... >> >> >I shared a directory with one of our Windows 2003 servers and gave a >> >> >user >> >> > Full Control accesss to that directory. However, from his computer >> >> > where >> >> > he >> >> > is logged on, he can't copy and paste anything to that directory. >> >> > If >> >> > he >> >> > remote desktop's into the server and logs on as himself, he can >> >> > browse >> >> > to >> >> > another network share and pull the file over without any problems. >> >> > >> >> > I never had this problem in Windows 2000. How do I configure a >> >> > directory >> >> > on >> >> > a Windows 2003 server so that people can "push" files to that folder >> >> > without >> >> > logging onto the server locally and "pulling" the files over? >> >> >> >> >> >> >> >> >>
Guest Paul in Detroit Posted July 18, 2007 Posted July 18, 2007 Re: Directory Permissions - What gives? SBS Rocker, I do agree with you because I consider myself a throwback from the old NT days and that is the way I have always done it and consider to be the industry best practices method. Also the link you provided Dragos confirms the industry best practices. That said I do believe you may be a bit harsh in explaining it to Dragos. This NG is here to assist and help those who posts questions and issues and not to belittle and discourage others because of their lack of knowledge or experience. Dragos, SBS Rocker is correct and the reason being is because how Share permissions "superceed" NTFS permissions with the "most restrictive" access. In your case I think you are trying to secure your folder access using the Share permissions. If you do this you will find yourself doing more administrative work than necessary. The reason you users cannot write to that folder even though you gave them FULL "NTFS" permissions is because what resides in your Share permissions. You can give Joe Bob FULL share permissions and FULL NTFS permissions but that that is not going to work as long as their is a group that includes Joe Bob in the Share permissions will lesser access. I'm assuming the group EVERYONE=Read in still in your share permissions. That is what is preventing Joe Bob from writng to that folder because share permissions will alow the most restrictive access overriding his FULL share permissions. Take SBS Rockers advice. All you need at the Share level is Everyone or Authenticated Users = FULL. control your security at the NTFS permssions. "SBS Rocker" <noreply@NoDomain.com> wrote in message news:eiFGQcVyHHA.276@TK2MSFTNGP06.phx.gbl... >A good article for those who don't understand how Shares work in >conjunction with NTFS permissions. Take note on the last paragraph..... > > http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1093198,00.html?FromTaxonomy=%252Fpr%252F286434 > > "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message > news:CE8670EA-0F71-47A5-BE85-5132B7F7875C@microsoft.com... >> hi, >> i dont agree with the best practices to give everyone full permisions on >> the >> share. Best practices is to check and add the groups proper there. >> >> -- >> Dragos CAMARA >> MCSA Windows 2003 server >> >> >> "SBS Rocker" wrote: >> >>> I think I may know what your problems are. You say.......... >>> >>> "I gave the user Full Control NTFS AND Folder Share permissions." >>> does the group Everyone=READ on the Share permissions still there ? If >>> so >>> you need to remove the user=FULL and change Everyone=FULL on the share >>> permissions. No need to add a user to the share permissions and give him >>> FULL access. By industry best practices when creating a Share the >>> default >>> would be Everyone=FULL. >>> >>> >>> "Andrew" <Andrew@discussions.microsoft.com> wrote in message >>> news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com... >>> >I gave the user Full Control NTFS AND Folder Share permissions. >>> > >>> > Even if I'm logged on as Administrator, I still can't push anything >>> > down, >>> > but I can pull files across without any issues. >>> > >>> > I'm stumped. >>> > >>> > "SBS Rocker" wrote: >>> > >>> >> What are the share permissions? When you say you gave the user FULL >>> >> control >>> >> do you mean FULL NTFS permissions? >>> >> >>> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message >>> >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... >>> >> >I shared a directory with one of our Windows 2003 servers and gave a >>> >> >user >>> >> > Full Control accesss to that directory. However, from his computer >>> >> > where >>> >> > he >>> >> > is logged on, he can't copy and paste anything to that directory. >>> >> > If >>> >> > he >>> >> > remote desktop's into the server and logs on as himself, he can >>> >> > browse >>> >> > to >>> >> > another network share and pull the file over without any problems. >>> >> > >>> >> > I never had this problem in Windows 2000. How do I configure a >>> >> > directory >>> >> > on >>> >> > a Windows 2003 server so that people can "push" files to that >>> >> > folder >>> >> > without >>> >> > logging onto the server locally and "pulling" the files over? >>> >> >>> >> >>> >> >>> >>> >>> > >
Guest SBS Rocker Posted July 18, 2007 Posted July 18, 2007 Re: Directory Permissions - What gives? Hi Paul, You are correct maybe I was a bit too harsh on poor ole Andrew. However it just aggrevates me to see a person who advertises himself as being an MCSA and doesn't understand NFTS and Share permissions. I mean come on. that's elementary. That was one of the first things we learned going back to NT 3.5 days and for him to doubt it being the industry best practices and being an MCSA and to disagree with someone who is trying to help him isn't going to get him anywhere. Perhaps he should of stated his disagreement and then asked why I think it is the industry best practices and I would have explained it to him. "Paul in Detroit" <PaulG@yahoo.com> wrote in message news:uXnwJoVyHHA.5584@TK2MSFTNGP02.phx.gbl... > SBS Rocker, > I do agree with you because I consider myself a throwback from the old NT > days and that is the way I have always done it and consider to be the > industry best practices method. Also the link you provided Dragos confirms > the industry best practices. That said I do believe you may be a bit harsh > in explaining it to Dragos. This NG is here to assist and help those who > posts questions and issues and not to belittle and discourage others > because of their lack of knowledge or experience. > > Dragos, > SBS Rocker is correct and the reason being is because how Share > permissions "superceed" NTFS permissions with the "most restrictive" > access. In your case I think you are trying to secure your folder access > using the Share permissions. If you do this you will find yourself doing > more administrative work than necessary. The reason you users cannot write > to that folder even though you gave them FULL "NTFS" permissions is > because what resides in your Share permissions. You can give Joe Bob FULL > share permissions and FULL NTFS permissions but that that is not going to > work as long as their is a group that includes Joe Bob in the Share > permissions will lesser access. I'm assuming the group EVERYONE=Read in > still in your share permissions. That is what is preventing Joe Bob from > writng to that folder because share permissions will alow the most > restrictive access overriding his FULL share permissions. > Take SBS Rockers advice. All you need at the Share level is Everyone or > Authenticated Users = FULL. control your security at the NTFS permssions. > > > "SBS Rocker" <noreply@NoDomain.com> wrote in message > news:eiFGQcVyHHA.276@TK2MSFTNGP06.phx.gbl... >>A good article for those who don't understand how Shares work in >>conjunction with NTFS permissions. Take note on the last paragraph..... >> >> http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1093198,00.html?FromTaxonomy=%252Fpr%252F286434 >> >> "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message >> news:CE8670EA-0F71-47A5-BE85-5132B7F7875C@microsoft.com... >>> hi, >>> i dont agree with the best practices to give everyone full permisions on >>> the >>> share. Best practices is to check and add the groups proper there. >>> >>> -- >>> Dragos CAMARA >>> MCSA Windows 2003 server >>> >>> >>> "SBS Rocker" wrote: >>> >>>> I think I may know what your problems are. You say.......... >>>> >>>> "I gave the user Full Control NTFS AND Folder Share permissions." >>>> does the group Everyone=READ on the Share permissions still there ? If >>>> so >>>> you need to remove the user=FULL and change Everyone=FULL on the share >>>> permissions. No need to add a user to the share permissions and give >>>> him >>>> FULL access. By industry best practices when creating a Share the >>>> default >>>> would be Everyone=FULL. >>>> >>>> >>>> "Andrew" <Andrew@discussions.microsoft.com> wrote in message >>>> news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com... >>>> >I gave the user Full Control NTFS AND Folder Share permissions. >>>> > >>>> > Even if I'm logged on as Administrator, I still can't push anything >>>> > down, >>>> > but I can pull files across without any issues. >>>> > >>>> > I'm stumped. >>>> > >>>> > "SBS Rocker" wrote: >>>> > >>>> >> What are the share permissions? When you say you gave the user FULL >>>> >> control >>>> >> do you mean FULL NTFS permissions? >>>> >> >>>> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message >>>> >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... >>>> >> >I shared a directory with one of our Windows 2003 servers and gave >>>> >> >a >>>> >> >user >>>> >> > Full Control accesss to that directory. However, from his >>>> >> > computer >>>> >> > where >>>> >> > he >>>> >> > is logged on, he can't copy and paste anything to that directory. >>>> >> > If >>>> >> > he >>>> >> > remote desktop's into the server and logs on as himself, he can >>>> >> > browse >>>> >> > to >>>> >> > another network share and pull the file over without any problems. >>>> >> > >>>> >> > I never had this problem in Windows 2000. How do I configure a >>>> >> > directory >>>> >> > on >>>> >> > a Windows 2003 server so that people can "push" files to that >>>> >> > folder >>>> >> > without >>>> >> > logging onto the server locally and "pulling" the files over? >>>> >> >>>> >> >>>> >> >>>> >>>> >>>> >> >> > >
Guest SBS Rocker Posted July 18, 2007 Posted July 18, 2007 Re: Directory Permissions - What gives? I apologize. It was Dragos I was referring to and not Andrew. "SBS Rocker" <noreply@NoDomain.com> wrote in message news:OVajTtVyHHA.5380@TK2MSFTNGP04.phx.gbl... > Hi Paul, > You are correct maybe I was a bit too harsh on poor ole Andrew. However it > just aggrevates me to see a person who advertises himself as being an MCSA > and doesn't understand NFTS and Share permissions. I mean come on. that's > elementary. That was one of the first things we learned going back to NT > 3.5 days and for him to doubt it being the industry best practices and > being an MCSA and to disagree with someone who is trying to help him isn't > going to get him anywhere. Perhaps he should of stated his disagreement > and then asked why I think it is the industry best practices and I would > have explained it to him. > > "Paul in Detroit" <PaulG@yahoo.com> wrote in message > news:uXnwJoVyHHA.5584@TK2MSFTNGP02.phx.gbl... >> SBS Rocker, >> I do agree with you because I consider myself a throwback from the old NT >> days and that is the way I have always done it and consider to be the >> industry best practices method. Also the link you provided Dragos >> confirms the industry best practices. That said I do believe you may be a >> bit harsh in explaining it to Dragos. This NG is here to assist and help >> those who posts questions and issues and not to belittle and discourage >> others because of their lack of knowledge or experience. >> >> Dragos, >> SBS Rocker is correct and the reason being is because how Share >> permissions "superceed" NTFS permissions with the "most restrictive" >> access. In your case I think you are trying to secure your folder access >> using the Share permissions. If you do this you will find yourself doing >> more administrative work than necessary. The reason you users cannot >> write to that folder even though you gave them FULL "NTFS" permissions is >> because what resides in your Share permissions. You can give Joe Bob FULL >> share permissions and FULL NTFS permissions but that that is not going to >> work as long as their is a group that includes Joe Bob in the Share >> permissions will lesser access. I'm assuming the group EVERYONE=Read in >> still in your share permissions. That is what is preventing Joe Bob from >> writng to that folder because share permissions will alow the most >> restrictive access overriding his FULL share permissions. >> Take SBS Rockers advice. All you need at the Share level is Everyone or >> Authenticated Users = FULL. control your security at the NTFS permssions. >> >> >> "SBS Rocker" <noreply@NoDomain.com> wrote in message >> news:eiFGQcVyHHA.276@TK2MSFTNGP06.phx.gbl... >>>A good article for those who don't understand how Shares work in >>>conjunction with NTFS permissions. Take note on the last paragraph..... >>> >>> http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1093198,00.html?FromTaxonomy=%252Fpr%252F286434 >>> >>> "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message >>> news:CE8670EA-0F71-47A5-BE85-5132B7F7875C@microsoft.com... >>>> hi, >>>> i dont agree with the best practices to give everyone full permisions >>>> on the >>>> share. Best practices is to check and add the groups proper there. >>>> >>>> -- >>>> Dragos CAMARA >>>> MCSA Windows 2003 server >>>> >>>> >>>> "SBS Rocker" wrote: >>>> >>>>> I think I may know what your problems are. You say.......... >>>>> >>>>> "I gave the user Full Control NTFS AND Folder Share permissions." >>>>> does the group Everyone=READ on the Share permissions still there ? If >>>>> so >>>>> you need to remove the user=FULL and change Everyone=FULL on the share >>>>> permissions. No need to add a user to the share permissions and give >>>>> him >>>>> FULL access. By industry best practices when creating a Share the >>>>> default >>>>> would be Everyone=FULL. >>>>> >>>>> >>>>> "Andrew" <Andrew@discussions.microsoft.com> wrote in message >>>>> news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com... >>>>> >I gave the user Full Control NTFS AND Folder Share permissions. >>>>> > >>>>> > Even if I'm logged on as Administrator, I still can't push anything >>>>> > down, >>>>> > but I can pull files across without any issues. >>>>> > >>>>> > I'm stumped. >>>>> > >>>>> > "SBS Rocker" wrote: >>>>> > >>>>> >> What are the share permissions? When you say you gave the user FULL >>>>> >> control >>>>> >> do you mean FULL NTFS permissions? >>>>> >> >>>>> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message >>>>> >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... >>>>> >> >I shared a directory with one of our Windows 2003 servers and gave >>>>> >> >a >>>>> >> >user >>>>> >> > Full Control accesss to that directory. However, from his >>>>> >> > computer >>>>> >> > where >>>>> >> > he >>>>> >> > is logged on, he can't copy and paste anything to that directory. >>>>> >> > If >>>>> >> > he >>>>> >> > remote desktop's into the server and logs on as himself, he can >>>>> >> > browse >>>>> >> > to >>>>> >> > another network share and pull the file over without any >>>>> >> > problems. >>>>> >> > >>>>> >> > I never had this problem in Windows 2000. How do I configure a >>>>> >> > directory >>>>> >> > on >>>>> >> > a Windows 2003 server so that people can "push" files to that >>>>> >> > folder >>>>> >> > without >>>>> >> > logging onto the server locally and "pulling" the files over? >>>>> >> >>>>> >> >>>>> >> >>>>> >>>>> >>>>> >>> >>> >> >> > >
Guest Eagles10 Posted July 18, 2007 Posted July 18, 2007 Re: Directory Permissions - What gives? wow!!! looks like I stumbled into a very interesting thread. Did anyone ever resolve Andrew's issues? Let me throw in my cents here and try not to offend anyone. I'm going to have to agree with SBS Rocker simply because if you start applying users and groups at the share level you are creating more work and managing the ntfs folder permissions becomes quite a task Rocker is correct. You need to apply Everyone=FULL at the share level. I'm not sure what Dragos was thinking about offering his suggestion to add groups to the share permissions. Afterall he is a MCSA and he should know better than that. Dragos what happens if I give Group A FULL share permissions and Modify NTFS permissions on the folder. Now I have a subfolder that requires part od the users of Group A to have Modify and a new Group B to have read access yet some of the members of Group B are members of Group A. Now what are you going to do? "Andrew" <Andrew@discussions.microsoft.com> wrote in message news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... >I shared a directory with one of our Windows 2003 servers and gave a user > Full Control accesss to that directory. However, from his computer where > he > is logged on, he can't copy and paste anything to that directory. If he > remote desktop's into the server and logs on as himself, he can browse to > another network share and pull the file over without any problems. > > I never had this problem in Windows 2000. How do I configure a directory > on > a Windows 2003 server so that people can "push" files to that folder > without > logging onto the server locally and "pulling" the files over?
Guest jj johnson Posted July 18, 2007 Posted July 18, 2007 Re: Directory Permissions - What gives? Dragos, I do agree with SBS Rocker and Paul in Detroit with one exception and I add "Authenticated Users=FULL" and remove the Everyone group. IMHO that is all that is required at the Share level. You control security at the NTFS folder level. As far as best practices are concerned in the "old days" as many of you are referrring to it was by "default" that at the Share level Everyone=FULL. Now in W2k3 it is default Everyone=Read. Here is another good article regarding the reasoning for the change and "best practices" with share and ntfs permssions. And Dragos you don't even want to get into why you do not control security at the Share level. Share permissions are basically used to allow acces to the shared resource and not used to control security. You use NTFS Folder and File permissions for that. "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message news:CE8670EA-0F71-47A5-BE85-5132B7F7875C@microsoft.com... > hi, > i dont agree with the best practices to give everyone full permisions on > the > share. Best practices is to check and add the groups proper there. > > -- > Dragos CAMARA > MCSA Windows 2003 server > > > "SBS Rocker" wrote: > >> I think I may know what your problems are. You say.......... >> >> "I gave the user Full Control NTFS AND Folder Share permissions." >> does the group Everyone=READ on the Share permissions still there ? If so >> you need to remove the user=FULL and change Everyone=FULL on the share >> permissions. No need to add a user to the share permissions and give him >> FULL access. By industry best practices when creating a Share the default >> would be Everyone=FULL. >> >> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message >> news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com... >> >I gave the user Full Control NTFS AND Folder Share permissions. >> > >> > Even if I'm logged on as Administrator, I still can't push anything >> > down, >> > but I can pull files across without any issues. >> > >> > I'm stumped. >> > >> > "SBS Rocker" wrote: >> > >> >> What are the share permissions? When you say you gave the user FULL >> >> control >> >> do you mean FULL NTFS permissions? >> >> >> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message >> >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... >> >> >I shared a directory with one of our Windows 2003 servers and gave a >> >> >user >> >> > Full Control accesss to that directory. However, from his computer >> >> > where >> >> > he >> >> > is logged on, he can't copy and paste anything to that directory. >> >> > If >> >> > he >> >> > remote desktop's into the server and logs on as himself, he can >> >> > browse >> >> > to >> >> > another network share and pull the file over without any problems. >> >> > >> >> > I never had this problem in Windows 2000. How do I configure a >> >> > directory >> >> > on >> >> > a Windows 2003 server so that people can "push" files to that folder >> >> > without >> >> > logging onto the server locally and "pulling" the files over? >> >> >> >> >> >> >> >> >>
Guest jj johnson Posted July 18, 2007 Posted July 18, 2007 Re: Directory Permissions - What gives? I forgot the link. here it is....... http://www.windowsecurity.com/articles/Share-Permissions.html "jj johnson" <yurkiddingme@domain.com> wrote in message news:uXACclWyHHA.5592@TK2MSFTNGP04.phx.gbl... > Dragos, > I do agree with SBS Rocker and Paul in Detroit with one exception and I > add "Authenticated Users=FULL" and remove the Everyone group. IMHO that is > all that is required at the Share level. You control security at the NTFS > folder level. As far as best practices are concerned in the "old days" as > many of you are referrring to it was by "default" that at the Share level > Everyone=FULL. Now in W2k3 it is default Everyone=Read. Here is another > good article regarding the reasoning for the change and "best practices" > with share and ntfs permssions. And Dragos you don't even want to get into > why you do not control security at the Share level. Share permissions are > basically used to allow acces to the shared resource and not used to > control security. You use NTFS Folder and File permissions for that. > > "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message > news:CE8670EA-0F71-47A5-BE85-5132B7F7875C@microsoft.com... >> hi, >> i dont agree with the best practices to give everyone full permisions on >> the >> share. Best practices is to check and add the groups proper there. >> >> -- >> Dragos CAMARA >> MCSA Windows 2003 server >> >> >> "SBS Rocker" wrote: >> >>> I think I may know what your problems are. You say.......... >>> >>> "I gave the user Full Control NTFS AND Folder Share permissions." >>> does the group Everyone=READ on the Share permissions still there ? If >>> so >>> you need to remove the user=FULL and change Everyone=FULL on the share >>> permissions. No need to add a user to the share permissions and give him >>> FULL access. By industry best practices when creating a Share the >>> default >>> would be Everyone=FULL. >>> >>> >>> "Andrew" <Andrew@discussions.microsoft.com> wrote in message >>> news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com... >>> >I gave the user Full Control NTFS AND Folder Share permissions. >>> > >>> > Even if I'm logged on as Administrator, I still can't push anything >>> > down, >>> > but I can pull files across without any issues. >>> > >>> > I'm stumped. >>> > >>> > "SBS Rocker" wrote: >>> > >>> >> What are the share permissions? When you say you gave the user FULL >>> >> control >>> >> do you mean FULL NTFS permissions? >>> >> >>> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message >>> >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... >>> >> >I shared a directory with one of our Windows 2003 servers and gave a >>> >> >user >>> >> > Full Control accesss to that directory. However, from his computer >>> >> > where >>> >> > he >>> >> > is logged on, he can't copy and paste anything to that directory. >>> >> > If >>> >> > he >>> >> > remote desktop's into the server and logs on as himself, he can >>> >> > browse >>> >> > to >>> >> > another network share and pull the file over without any problems. >>> >> > >>> >> > I never had this problem in Windows 2000. How do I configure a >>> >> > directory >>> >> > on >>> >> > a Windows 2003 server so that people can "push" files to that >>> >> > folder >>> >> > without >>> >> > logging onto the server locally and "pulling" the files over? >>> >> >>> >> >>> >> >>> >>> >>> > >
Guest Albert Louis Posted July 18, 2007 Posted July 18, 2007 Re: Directory Permissions - What gives? hmmmmmmmmmm this is all very interesting. Sure would like to see what Dragos response is to Eagles10 question. Dragos I'm almost embarrassed to have read your reply to Andrew instructing him to secure his folders at the share level using groups. Makes the rest of us MCSA's look like we have no creditability "Eagles10" <bogus@bogus.net> wrote in message news:%233TvKRWyHHA.4276@TK2MSFTNGP05.phx.gbl... > wow!!! looks like I stumbled into a very interesting thread. Did anyone > ever resolve Andrew's issues? Let me throw in my cents here and try not to > offend anyone. I'm going to have to agree with SBS Rocker simply because > if you start applying users and groups at the share level you are creating > more work and managing the ntfs folder permissions becomes quite a task > Rocker is correct. You need to apply Everyone=FULL at the share level. I'm > not sure what Dragos was thinking about offering his suggestion to add > groups to the share permissions. Afterall he is a MCSA and he should know > better than that. > > Dragos what happens if I give Group A FULL share permissions and Modify > NTFS permissions on the folder. Now I have a subfolder that requires part > od the users of Group A to have Modify and a new Group B to have read > access yet some of the members of Group B are members of Group A. Now what > are you going to do? > > > > "Andrew" <Andrew@discussions.microsoft.com> wrote in message > news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... >>I shared a directory with one of our Windows 2003 servers and gave a user >> Full Control accesss to that directory. However, from his computer where >> he >> is logged on, he can't copy and paste anything to that directory. If he >> remote desktop's into the server and logs on as himself, he can browse to >> another network share and pull the file over without any problems. >> >> I never had this problem in Windows 2000. How do I configure a directory >> on >> a Windows 2003 server so that people can "push" files to that folder >> without >> logging onto the server locally and "pulling" the files over? > >
Guest Bruce Sanderson Posted July 19, 2007 Posted July 19, 2007 Re: Directory Permissions - What gives? While I agree with using NTFS permissions to control access to folders and files in a shared folder and setting Share Permissions to Everyone (or Authenticated Users if you prefer) Full Control, you might want to review the example in your second paragraph. Share Permissions work the same way that NTFS permissions do - they are additive - a given user gets the sum of all the permissions granted to them by all the groups they are members of, not the least permission as you stated (assuming I understand what you said correctly). With Share permissions, there are only three possibilities, so the situation is simple: - if the user is a member of a group that is granted Share Permission of Full Control or Change, then, if the NTFS permissions grant them Modify, they will be able to change things in the share regardless of what other groups they may be members of that only have Share Permissions of Read. The only thing that changes this is if there is a "Deny" permission setting anywhere - Deny always takes precedence over any Allow permissions. As far as I'm aware, this has always been the case and is unlikely to change in the future. I'm not sure what "Andrew"'s problem was caused by, but perhaps there is a communication/terminology issue and the following steps will clarify things for him. Try this: On an XP SP2 computer that is a domain member (e.g. XPSP2), logon with an administrative user account 1. open Windows Explorer and create a new Folder (e.g. c:\Test) in a convenient place 2. right click the folder, select Sharing and Security...; on the Sharing tab a. select the Share this folder radio button b. click Permissions c. observe that the Share Permissions (default) are Everyone - Read - as expected for XP SP2 d. click Cancel 3. select the Security tab 4. set the permissions to: - Administrators - Full Control - SYSTEM - Full Control - Users - Modify click OK; (saves the changes and closes the Properties dialog) I'm assuming that the local Users group on this computer (XPSP2) contains at least some domain user accounts (e.g. brucen) - the default is Domain Users (as it has been forever) On another computer in the same domain (e.g. XPTest), logon with a domain user account that is also a member of the local Users group of the first computer (e.g. brucen) 5. in Start, Run, key \\xpsp2\test 6. observe that Windows Explorer opens showing the Test folder associated with the Test share - this folder is currently empty 7. attempt to create a file or a folder or both - this fails - access is denied On the first computer (e.g. XPSP2): 8. right click the shard folder (e.g. c:\test), select Sharing and Security...; on the Sharing tab a. click Permissions b. click Add c. add a domain group that contains the user account you logged on at the second computer with (e.g. Domain Users), and grant that group Full Control. d. the Share Permissions will now look like: Everyone - Read Domain Users - Full Control e. click OK On the second computer (e.g. XPTest): 9. add a file through the share - works 10. add a folder through the share - works The above was just to test the theory - normally I would just add Full Control to Everyone in the Share Permissions. -- Bruce Sanderson MVP Printing http://members.shaw.ca/bsanders It is perfectly useless to know the right answer to the wrong question. "Paul in Detroit" <PaulG@yahoo.com> wrote in message news:uXnwJoVyHHA.5584@TK2MSFTNGP02.phx.gbl... > SBS Rocker, > I do agree with you because I consider myself a throwback from the old NT > days and that is the way I have always done it and consider to be the > industry best practices method. Also the link you provided Dragos confirms > the industry best practices. That said I do believe you may be a bit harsh > in explaining it to Dragos. This NG is here to assist and help those who > posts questions and issues and not to belittle and discourage others > because of their lack of knowledge or experience. > > Dragos, > SBS Rocker is correct and the reason being is because how Share > permissions "superceed" NTFS permissions with the "most restrictive" > access. In your case I think you are trying to secure your folder access > using the Share permissions. If you do this you will find yourself doing > more administrative work than necessary. The reason you users cannot write > to that folder even though you gave them FULL "NTFS" permissions is > because what resides in your Share permissions. You can give Joe Bob FULL > share permissions and FULL NTFS permissions but that that is not going to > work as long as their is a group that includes Joe Bob in the Share > permissions will lesser access. I'm assuming the group EVERYONE=Read in > still in your share permissions. That is what is preventing Joe Bob from > writng to that folder because share permissions will alow the most > restrictive access overriding his FULL share permissions. > Take SBS Rockers advice. All you need at the Share level is Everyone or > Authenticated Users = FULL. control your security at the NTFS permssions. > > > "SBS Rocker" <noreply@NoDomain.com> wrote in message > news:eiFGQcVyHHA.276@TK2MSFTNGP06.phx.gbl... >>A good article for those who don't understand how Shares work in >>conjunction with NTFS permissions. Take note on the last paragraph..... >> >> http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1093198,00.html?FromTaxonomy=%252Fpr%252F286434 >> >> "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message >> news:CE8670EA-0F71-47A5-BE85-5132B7F7875C@microsoft.com... >>> hi, >>> i dont agree with the best practices to give everyone full permisions on >>> the >>> share. Best practices is to check and add the groups proper there. >>> >>> -- >>> Dragos CAMARA >>> MCSA Windows 2003 server >>> >>> >>> "SBS Rocker" wrote: >>> >>>> I think I may know what your problems are. You say.......... >>>> >>>> "I gave the user Full Control NTFS AND Folder Share permissions." >>>> does the group Everyone=READ on the Share permissions still there ? If >>>> so >>>> you need to remove the user=FULL and change Everyone=FULL on the share >>>> permissions. No need to add a user to the share permissions and give >>>> him >>>> FULL access. By industry best practices when creating a Share the >>>> default >>>> would be Everyone=FULL. >>>> >>>> >>>> "Andrew" <Andrew@discussions.microsoft.com> wrote in message >>>> news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com... >>>> >I gave the user Full Control NTFS AND Folder Share permissions. >>>> > >>>> > Even if I'm logged on as Administrator, I still can't push anything >>>> > down, >>>> > but I can pull files across without any issues. >>>> > >>>> > I'm stumped. >>>> > >>>> > "SBS Rocker" wrote: >>>> > >>>> >> What are the share permissions? When you say you gave the user FULL >>>> >> control >>>> >> do you mean FULL NTFS permissions? >>>> >> >>>> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message >>>> >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... >>>> >> >I shared a directory with one of our Windows 2003 servers and gave >>>> >> >a >>>> >> >user >>>> >> > Full Control accesss to that directory. However, from his >>>> >> > computer >>>> >> > where >>>> >> > he >>>> >> > is logged on, he can't copy and paste anything to that directory. >>>> >> > If >>>> >> > he >>>> >> > remote desktop's into the server and logs on as himself, he can >>>> >> > browse >>>> >> > to >>>> >> > another network share and pull the file over without any problems. >>>> >> > >>>> >> > I never had this problem in Windows 2000. How do I configure a >>>> >> > directory >>>> >> > on >>>> >> > a Windows 2003 server so that people can "push" files to that >>>> >> > folder >>>> >> > without >>>> >> > logging onto the server locally and "pulling" the files over? >>>> >> >>>> >> >>>> >> >>>> >>>> >>>> >> >> > >
Guest Dragos CAMARA Posted July 19, 2007 Posted July 19, 2007 Re: Directory Permissions - What gives? hi, it's seems you miss unterstood me. i don't agree with share permissions with Everyone full and add proper groups there - i dont said anywhere to use only that - and let me explain why. if you give that permission then you are protected only by NTFS permissions and if i have and another metod to protect my data why not to use? because may be i will forget about it -that isn't a reason. of couse is more simple to give everyone full ntfs share permisions rights - but on my all shares i never agreed and i instructed to remove everyone and add proper groups on ntfs share permissions. -- Dragos CAMARA MCSA Windows 2003 server "Albert Louis" wrote: > hmmmmmmmmmm this is all very interesting. Sure would like to see what Dragos > response is to Eagles10 question. Dragos I'm almost embarrassed to have read > your reply to Andrew instructing him to secure his folders at the share > level using groups. Makes the rest of us MCSA's look like we have no > creditability > > > "Eagles10" <bogus@bogus.net> wrote in message > news:%233TvKRWyHHA.4276@TK2MSFTNGP05.phx.gbl... > > wow!!! looks like I stumbled into a very interesting thread. Did anyone > > ever resolve Andrew's issues? Let me throw in my cents here and try not to > > offend anyone. I'm going to have to agree with SBS Rocker simply because > > if you start applying users and groups at the share level you are creating > > more work and managing the ntfs folder permissions becomes quite a task > > Rocker is correct. You need to apply Everyone=FULL at the share level. I'm > > not sure what Dragos was thinking about offering his suggestion to add > > groups to the share permissions. Afterall he is a MCSA and he should know > > better than that. > > > > Dragos what happens if I give Group A FULL share permissions and Modify > > NTFS permissions on the folder. Now I have a subfolder that requires part > > od the users of Group A to have Modify and a new Group B to have read > > access yet some of the members of Group B are members of Group A. Now what > > are you going to do? > > > > > > > > "Andrew" <Andrew@discussions.microsoft.com> wrote in message > > news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... > >>I shared a directory with one of our Windows 2003 servers and gave a user > >> Full Control accesss to that directory. However, from his computer where > >> he > >> is logged on, he can't copy and paste anything to that directory. If he > >> remote desktop's into the server and logs on as himself, he can browse to > >> another network share and pull the file over without any problems. > >> > >> I never had this problem in Windows 2000. How do I configure a directory > >> on > >> a Windows 2003 server so that people can "push" files to that folder > >> without > >> logging onto the server locally and "pulling" the files over? > > > > > > >
Guest Dragos CAMARA Posted July 19, 2007 Posted July 19, 2007 Re: Directory Permissions - What gives? hi Paul, i do know very well how it work, i dont said to protect the share only with share permissions rights all i said is i do not agree with everyone full rights on ntfs permissions and i do not consider that type a pain when i put users on the groups. -- Dragos CAMARA MCSA Windows 2003 server "Paul in Detroit" wrote: > SBS Rocker, > I do agree with you because I consider myself a throwback from the old NT > days and that is the way I have always done it and consider to be the > industry best practices method. Also the link you provided Dragos confirms > the industry best practices. That said I do believe you may be a bit harsh > in explaining it to Dragos. This NG is here to assist and help those who > posts questions and issues and not to belittle and discourage others because > of their lack of knowledge or experience. > > Dragos, > SBS Rocker is correct and the reason being is because how Share permissions > "superceed" NTFS permissions with the "most restrictive" access. In your > case I think you are trying to secure your folder access using the Share > permissions. If you do this you will find yourself doing more administrative > work than necessary. The reason you users cannot write to that folder even > though you gave them FULL "NTFS" permissions is because what resides in your > Share permissions. You can give Joe Bob FULL share permissions and FULL NTFS > permissions but that that is not going to work as long as their is a group > that includes Joe Bob in the Share permissions will lesser access. I'm > assuming the group EVERYONE=Read in still in your share permissions. That is > what is preventing Joe Bob from writng to that folder because share > permissions will alow the most restrictive access overriding his FULL share > permissions. > Take SBS Rockers advice. All you need at the Share level is Everyone or > Authenticated Users = FULL. control your security at the NTFS permssions. > > > "SBS Rocker" <noreply@NoDomain.com> wrote in message > news:eiFGQcVyHHA.276@TK2MSFTNGP06.phx.gbl... > >A good article for those who don't understand how Shares work in > >conjunction with NTFS permissions. Take note on the last paragraph..... > > > > http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1093198,00.html?FromTaxonomy=%252Fpr%252F286434 > > > > "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message > > news:CE8670EA-0F71-47A5-BE85-5132B7F7875C@microsoft.com... > >> hi, > >> i dont agree with the best practices to give everyone full permisions on > >> the > >> share. Best practices is to check and add the groups proper there. > >> > >> -- > >> Dragos CAMARA > >> MCSA Windows 2003 server > >> > >> > >> "SBS Rocker" wrote: > >> > >>> I think I may know what your problems are. You say.......... > >>> > >>> "I gave the user Full Control NTFS AND Folder Share permissions." > >>> does the group Everyone=READ on the Share permissions still there ? If > >>> so > >>> you need to remove the user=FULL and change Everyone=FULL on the share > >>> permissions. No need to add a user to the share permissions and give him > >>> FULL access. By industry best practices when creating a Share the > >>> default > >>> would be Everyone=FULL. > >>> > >>> > >>> "Andrew" <Andrew@discussions.microsoft.com> wrote in message > >>> news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com... > >>> >I gave the user Full Control NTFS AND Folder Share permissions. > >>> > > >>> > Even if I'm logged on as Administrator, I still can't push anything > >>> > down, > >>> > but I can pull files across without any issues. > >>> > > >>> > I'm stumped. > >>> > > >>> > "SBS Rocker" wrote: > >>> > > >>> >> What are the share permissions? When you say you gave the user FULL > >>> >> control > >>> >> do you mean FULL NTFS permissions? > >>> >> > >>> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message > >>> >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... > >>> >> >I shared a directory with one of our Windows 2003 servers and gave a > >>> >> >user > >>> >> > Full Control accesss to that directory. However, from his computer > >>> >> > where > >>> >> > he > >>> >> > is logged on, he can't copy and paste anything to that directory. > >>> >> > If > >>> >> > he > >>> >> > remote desktop's into the server and logs on as himself, he can > >>> >> > browse > >>> >> > to > >>> >> > another network share and pull the file over without any problems. > >>> >> > > >>> >> > I never had this problem in Windows 2000. How do I configure a > >>> >> > directory > >>> >> > on > >>> >> > a Windows 2003 server so that people can "push" files to that > >>> >> > folder > >>> >> > without > >>> >> > logging onto the server locally and "pulling" the files over? > >>> >> > >>> >> > >>> >> > >>> > >>> > >>> > > > > > > >
Guest Dragos CAMARA Posted July 19, 2007 Posted July 19, 2007 Re: Directory Permissions - What gives? simple as a walking in a park : create a group C give ntfs share permisions to that group, add group A and B to C, remove group A from share permission, give NTFS rights acording to group A and B. everyone group full access : includes anyone who has access to network resources, including the Guest account - so keep to guest account with that rights -- Dragos CAMARA MCSA Windows 2003 server "Albert Louis" wrote: > hmmmmmmmmmm this is all very interesting. Sure would like to see what Dragos > response is to Eagles10 question. Dragos I'm almost embarrassed to have read > your reply to Andrew instructing him to secure his folders at the share > level using groups. Makes the rest of us MCSA's look like we have no > creditability > > > "Eagles10" <bogus@bogus.net> wrote in message > news:%233TvKRWyHHA.4276@TK2MSFTNGP05.phx.gbl... > > wow!!! looks like I stumbled into a very interesting thread. Did anyone > > ever resolve Andrew's issues? Let me throw in my cents here and try not to > > offend anyone. I'm going to have to agree with SBS Rocker simply because > > if you start applying users and groups at the share level you are creating > > more work and managing the ntfs folder permissions becomes quite a task > > Rocker is correct. You need to apply Everyone=FULL at the share level. I'm > > not sure what Dragos was thinking about offering his suggestion to add > > groups to the share permissions. Afterall he is a MCSA and he should know > > better than that. > > > > Dragos what happens if I give Group A FULL share permissions and Modify > > NTFS permissions on the folder. Now I have a subfolder that requires part > > od the users of Group A to have Modify and a new Group B to have read > > access yet some of the members of Group B are members of Group A. Now what > > are you going to do? > > > > > > > > "Andrew" <Andrew@discussions.microsoft.com> wrote in message > > news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... > >>I shared a directory with one of our Windows 2003 servers and gave a user > >> Full Control accesss to that directory. However, from his computer where > >> he > >> is logged on, he can't copy and paste anything to that directory. If he > >> remote desktop's into the server and logs on as himself, he can browse to > >> another network share and pull the file over without any problems. > >> > >> I never had this problem in Windows 2000. How do I configure a directory > >> on > >> a Windows 2003 server so that people can "push" files to that folder > >> without > >> logging onto the server locally and "pulling" the files over? > > > > > > >
Guest Dragos CAMARA Posted July 19, 2007 Posted July 19, 2007 Re: Directory Permissions - What gives? i dont want to argue with you : everyone group full access : includes anyone who has access to network resources, including the Guest account - very good best practices -keep using it. microsoft best practices on share folders : http://technet2.microsoft.com/windowsserver/en/library/75d63fcc-de6f-4fb9-8036-2cfafb6c05971033.mspx?mfr=true -- Dragos CAMARA MCSA Windows 2003 server "SBS Rocker" wrote: > A good article for those who don't understand how Shares work in conjunction > with NTFS permissions. Take note on the last paragraph..... > > http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1093198,00.html?FromTaxonomy=%252Fpr%252F286434 > > "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message > news:CE8670EA-0F71-47A5-BE85-5132B7F7875C@microsoft.com... > > hi, > > i dont agree with the best practices to give everyone full permisions on > > the > > share. Best practices is to check and add the groups proper there. > > > > -- > > Dragos CAMARA > > MCSA Windows 2003 server > > > > > > "SBS Rocker" wrote: > > > >> I think I may know what your problems are. You say.......... > >> > >> "I gave the user Full Control NTFS AND Folder Share permissions." > >> does the group Everyone=READ on the Share permissions still there ? If so > >> you need to remove the user=FULL and change Everyone=FULL on the share > >> permissions. No need to add a user to the share permissions and give him > >> FULL access. By industry best practices when creating a Share the default > >> would be Everyone=FULL. > >> > >> > >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message > >> news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com... > >> >I gave the user Full Control NTFS AND Folder Share permissions. > >> > > >> > Even if I'm logged on as Administrator, I still can't push anything > >> > down, > >> > but I can pull files across without any issues. > >> > > >> > I'm stumped. > >> > > >> > "SBS Rocker" wrote: > >> > > >> >> What are the share permissions? When you say you gave the user FULL > >> >> control > >> >> do you mean FULL NTFS permissions? > >> >> > >> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message > >> >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... > >> >> >I shared a directory with one of our Windows 2003 servers and gave a > >> >> >user > >> >> > Full Control accesss to that directory. However, from his computer > >> >> > where > >> >> > he > >> >> > is logged on, he can't copy and paste anything to that directory. > >> >> > If > >> >> > he > >> >> > remote desktop's into the server and logs on as himself, he can > >> >> > browse > >> >> > to > >> >> > another network share and pull the file over without any problems. > >> >> > > >> >> > I never had this problem in Windows 2000. How do I configure a > >> >> > directory > >> >> > on > >> >> > a Windows 2003 server so that people can "push" files to that folder > >> >> > without > >> >> > logging onto the server locally and "pulling" the files over? > >> >> > >> >> > >> >> > >> > >> > >> > > >
Guest Dragos CAMARA Posted July 19, 2007 Posted July 19, 2007 Re: Directory Permissions - What gives? :) what i see you agree with me : you cut or leave everyone with read only and "add proper group" authenticated users -- Dragos CAMARA MCSA Windows 2003 server "jj johnson" wrote: > Dragos, > I do agree with SBS Rocker and Paul in Detroit with one exception and I add > "Authenticated Users=FULL" and remove the Everyone group. IMHO that is all > that is required at the Share level. You control security at the NTFS folder > level. As far as best practices are concerned in the "old days" as many of > you are referrring to it was by "default" that at the Share level > Everyone=FULL. Now in W2k3 it is default Everyone=Read. Here is another good > article regarding the reasoning for the change and "best practices" with > share and ntfs permssions. And Dragos you don't even want to get into why > you do not control security at the Share level. Share permissions are > basically used to allow acces to the shared resource and not used to control > security. You use NTFS Folder and File permissions for that. > > "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message > news:CE8670EA-0F71-47A5-BE85-5132B7F7875C@microsoft.com... > > hi, > > i dont agree with the best practices to give everyone full permisions on > > the > > share. Best practices is to check and add the groups proper there. > > > > -- > > Dragos CAMARA > > MCSA Windows 2003 server > > > > > > "SBS Rocker" wrote: > > > >> I think I may know what your problems are. You say.......... > >> > >> "I gave the user Full Control NTFS AND Folder Share permissions." > >> does the group Everyone=READ on the Share permissions still there ? If so > >> you need to remove the user=FULL and change Everyone=FULL on the share > >> permissions. No need to add a user to the share permissions and give him > >> FULL access. By industry best practices when creating a Share the default > >> would be Everyone=FULL. > >> > >> > >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message > >> news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com... > >> >I gave the user Full Control NTFS AND Folder Share permissions. > >> > > >> > Even if I'm logged on as Administrator, I still can't push anything > >> > down, > >> > but I can pull files across without any issues. > >> > > >> > I'm stumped. > >> > > >> > "SBS Rocker" wrote: > >> > > >> >> What are the share permissions? When you say you gave the user FULL > >> >> control > >> >> do you mean FULL NTFS permissions? > >> >> > >> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message > >> >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... > >> >> >I shared a directory with one of our Windows 2003 servers and gave a > >> >> >user > >> >> > Full Control accesss to that directory. However, from his computer > >> >> > where > >> >> > he > >> >> > is logged on, he can't copy and paste anything to that directory. > >> >> > If > >> >> > he > >> >> > remote desktop's into the server and logs on as himself, he can > >> >> > browse > >> >> > to > >> >> > another network share and pull the file over without any problems. > >> >> > > >> >> > I never had this problem in Windows 2000. How do I configure a > >> >> > directory > >> >> > on > >> >> > a Windows 2003 server so that people can "push" files to that folder > >> >> > without > >> >> > logging onto the server locally and "pulling" the files over? > >> >> > >> >> > >> >> > >> > >> > >> > > >
Guest Dragos CAMARA Posted July 19, 2007 Posted July 19, 2007 Re: Directory Permissions - What gives? Louis respond to that problem if you think that group everyone is best practices to have full control on share permission: junioradm full ntfs permission on folder FA group A internal users -rights to administer members to junioradm group B external users restrict group B to have any access to folder FA whatever mistakes make junioradm on ntfs permisions or on group A membership. -- Dragos CAMARA MCSA Windows 2003 server "Albert Louis" wrote: > hmmmmmmmmmm this is all very interesting. Sure would like to see what Dragos > response is to Eagles10 question. Dragos I'm almost embarrassed to have read > your reply to Andrew instructing him to secure his folders at the share > level using groups. Makes the rest of us MCSA's look like we have no > creditability > > > "Eagles10" <bogus@bogus.net> wrote in message > news:%233TvKRWyHHA.4276@TK2MSFTNGP05.phx.gbl... > > wow!!! looks like I stumbled into a very interesting thread. Did anyone > > ever resolve Andrew's issues? Let me throw in my cents here and try not to > > offend anyone. I'm going to have to agree with SBS Rocker simply because > > if you start applying users and groups at the share level you are creating > > more work and managing the ntfs folder permissions becomes quite a task > > Rocker is correct. You need to apply Everyone=FULL at the share level. I'm > > not sure what Dragos was thinking about offering his suggestion to add > > groups to the share permissions. Afterall he is a MCSA and he should know > > better than that. > > > > Dragos what happens if I give Group A FULL share permissions and Modify > > NTFS permissions on the folder. Now I have a subfolder that requires part > > od the users of Group A to have Modify and a new Group B to have read > > access yet some of the members of Group B are members of Group A. Now what > > are you going to do? > > > > > > > > "Andrew" <Andrew@discussions.microsoft.com> wrote in message > > news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... > >>I shared a directory with one of our Windows 2003 servers and gave a user > >> Full Control accesss to that directory. However, from his computer where > >> he > >> is logged on, he can't copy and paste anything to that directory. If he > >> remote desktop's into the server and logs on as himself, he can browse to > >> another network share and pull the file over without any problems. > >> > >> I never had this problem in Windows 2000. How do I configure a directory > >> on > >> a Windows 2003 server so that people can "push" files to that folder > >> without > >> logging onto the server locally and "pulling" the files over? > > > > > > >
Guest Dragos CAMARA Posted July 19, 2007 Posted July 19, 2007 Re: Directory Permissions - What gives? hi, you dont offend nobody, but dont think the share permissions level like a banal think wich was introduced by microsoft only the admin to have to click more when make a sharing. as your problem is simple if you thinked twice before you post - i dont said to make all the permissions by sharing permissions, in fact i will modify your problem like that : assume you have a junior administrator and you dont want that he to give the rights to that folder to group C -but allow him to give rights to others groups- what are you doing? and assume you have hundred of that servers a tens of junior administrators -you will apply the same "best practice" with everyone full rights on shares permissions? i dont think so :), but ofcourse you are free to do what do you want, but do not tell that a full rights to group Everyone is a best practice. in best practices wich are linked by SBS Rocker it sais about authenticated users not about Everyone group so it's like i said add proper groups there and do not envolve Everyone group with full rights. -- Dragos CAMARA MCSA Windows 2003 server "Eagles10" wrote: > wow!!! looks like I stumbled into a very interesting thread. Did anyone ever > resolve Andrew's issues? Let me throw in my cents here and try not to offend > anyone. I'm going to have to agree with SBS Rocker simply because if you > start applying users and groups at the share level you are creating more > work and managing the ntfs folder permissions becomes quite a task Rocker > is correct. You need to apply Everyone=FULL at the share level. I'm not sure > what Dragos was thinking about offering his suggestion to add groups to the > share permissions. Afterall he is a MCSA and he should know better than > that. > > Dragos what happens if I give Group A FULL share permissions and Modify NTFS > permissions on the folder. Now I have a subfolder that requires part od the > users of Group A to have Modify and a new Group B to have read access yet > some of the members of Group B are members of Group A. Now what are you > going to do? > > > > "Andrew" <Andrew@discussions.microsoft.com> wrote in message > news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... > >I shared a directory with one of our Windows 2003 servers and gave a user > > Full Control accesss to that directory. However, from his computer where > > he > > is logged on, he can't copy and paste anything to that directory. If he > > remote desktop's into the server and logs on as himself, he can browse to > > another network share and pull the file over without any problems. > > > > I never had this problem in Windows 2000. How do I configure a directory > > on > > a Windows 2003 server so that people can "push" files to that folder > > without > > logging onto the server locally and "pulling" the files over? > > >
Guest SBS Rocker Posted July 19, 2007 Posted July 19, 2007 Re: Directory Permissions - What gives? Now that's what everyone here is talking about Dragos. You are creating more work. If you had the parent folder shared at Everyone=FULL or even better Authenticated Users=FULL you'll never have to modify the share permissions again no matter what type of access you need to grant in the folder or sub folder. All security is now controlled and managed at the NFTS folder and sub folder levels. There was a reason why pre W2K3 by default for a share was Everyone=FULL. Now they have changed it to Everyone=Read. You may not agree with having Everyone=FULL at the share level but you seem to agree with Authenticated Users=FULL at the share level. Isn't the Guest account a member of Everyone as well as Authenicated Users? That siad if you did it that way there would be no reason to creating new groups or removing groups at share level. Correct? All you would need to do at the parent FolderA and sub folderB now is create one new group and give them Read access. Copy the inherited NTFS permissions from the parent folder and add Group B and have inheritance turned on at the sub level to all child folders. That is the reasoning behind why you only need to apply one group at the share level so you don't have to go back and do all the extra work at the share level as you just explained. "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message news:707B3AF6-BA71-4A69-B0A6-04807F047C1A@microsoft.com... > simple as a walking in a park : > create a group C give ntfs share permisions to that group, add group A and > B > to C, remove group A from share permission, give NTFS rights acording to > group A and B. > > everyone group full access : includes anyone who has access to network > resources, including the Guest account - so keep to guest account with > that > rights > -- > Dragos CAMARA > MCSA Windows 2003 server > > > "Albert Louis" wrote: > >> hmmmmmmmmmm this is all very interesting. Sure would like to see what >> Dragos >> response is to Eagles10 question. Dragos I'm almost embarrassed to have >> read >> your reply to Andrew instructing him to secure his folders at the share >> level using groups. Makes the rest of us MCSA's look like we have no >> creditability >> >> >> "Eagles10" <bogus@bogus.net> wrote in message >> news:%233TvKRWyHHA.4276@TK2MSFTNGP05.phx.gbl... >> > wow!!! looks like I stumbled into a very interesting thread. Did anyone >> > ever resolve Andrew's issues? Let me throw in my cents here and try not >> > to >> > offend anyone. I'm going to have to agree with SBS Rocker simply >> > because >> > if you start applying users and groups at the share level you are >> > creating >> > more work and managing the ntfs folder permissions becomes quite a task >> > Rocker is correct. You need to apply Everyone=FULL at the share level. >> > I'm >> > not sure what Dragos was thinking about offering his suggestion to add >> > groups to the share permissions. Afterall he is a MCSA and he should >> > know >> > better than that. >> > >> > Dragos what happens if I give Group A FULL share permissions and Modify >> > NTFS permissions on the folder. Now I have a subfolder that requires >> > part >> > od the users of Group A to have Modify and a new Group B to have read >> > access yet some of the members of Group B are members of Group A. Now >> > what >> > are you going to do? >> > >> > >> > >> > "Andrew" <Andrew@discussions.microsoft.com> wrote in message >> > news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... >> >>I shared a directory with one of our Windows 2003 servers and gave a >> >>user >> >> Full Control accesss to that directory. However, from his computer >> >> where >> >> he >> >> is logged on, he can't copy and paste anything to that directory. If >> >> he >> >> remote desktop's into the server and logs on as himself, he can browse >> >> to >> >> another network share and pull the file over without any problems. >> >> >> >> I never had this problem in Windows 2000. How do I configure a >> >> directory >> >> on >> >> a Windows 2003 server so that people can "push" files to that folder >> >> without >> >> logging onto the server locally and "pulling" the files over? >> > >> > >> >> >>
Guest SBS Rocker Posted July 19, 2007 Posted July 19, 2007 Re: Directory Permissions - What gives? Oh I forgot to mention Group C which is a copy of Group A minus the members of Group B. Which means you copy the inheritance from the parent folder, remove Group A and Add Group B and Group C. But nothing else needed to be done at the share level is required. "SBS Rocker" <noreply@NoDomain.com> wrote in message news:%23VrSs7hyHHA.4824@TK2MSFTNGP02.phx.gbl... > Now that's what everyone here is talking about Dragos. You are creating > more work. If you had the parent folder shared at Everyone=FULL or even > better Authenticated Users=FULL you'll never have to modify the share > permissions again no matter what type of access you need to grant in the > folder or sub folder. All security is now controlled and managed at the > NFTS folder and sub folder levels. > There was a reason why pre W2K3 by default for a share was Everyone=FULL. > Now they have changed it to Everyone=Read. You may not agree with having > Everyone=FULL at the share level but you seem to agree with Authenticated > Users=FULL at the share level. Isn't the Guest account a member of > Everyone as well as Authenicated Users? That siad if you did it that way > there would be no reason to creating new groups or removing groups at > share level. Correct? All you would need to do at the parent FolderA and > sub folderB now is create one new group and give them Read access. Copy > the inherited NTFS permissions from the parent folder and add Group B and > have inheritance turned on at the sub level to all child folders. > That is the reasoning behind why you only need to apply one group at the > share level so you don't have to go back and do all the extra work at the > share level as you just explained. > > > > "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message > news:707B3AF6-BA71-4A69-B0A6-04807F047C1A@microsoft.com... >> simple as a walking in a park : >> create a group C give ntfs share permisions to that group, add group A >> and B >> to C, remove group A from share permission, give NTFS rights acording to >> group A and B. >> >> everyone group full access : includes anyone who has access to network >> resources, including the Guest account - so keep to guest account with >> that >> rights >> -- >> Dragos CAMARA >> MCSA Windows 2003 server >> >> >> "Albert Louis" wrote: >> >>> hmmmmmmmmmm this is all very interesting. Sure would like to see what >>> Dragos >>> response is to Eagles10 question. Dragos I'm almost embarrassed to have >>> read >>> your reply to Andrew instructing him to secure his folders at the share >>> level using groups. Makes the rest of us MCSA's look like we have no >>> creditability >>> >>> >>> "Eagles10" <bogus@bogus.net> wrote in message >>> news:%233TvKRWyHHA.4276@TK2MSFTNGP05.phx.gbl... >>> > wow!!! looks like I stumbled into a very interesting thread. Did >>> > anyone >>> > ever resolve Andrew's issues? Let me throw in my cents here and try >>> > not to >>> > offend anyone. I'm going to have to agree with SBS Rocker simply >>> > because >>> > if you start applying users and groups at the share level you are >>> > creating >>> > more work and managing the ntfs folder permissions becomes quite a >>> > task >>> > Rocker is correct. You need to apply Everyone=FULL at the share level. >>> > I'm >>> > not sure what Dragos was thinking about offering his suggestion to add >>> > groups to the share permissions. Afterall he is a MCSA and he should >>> > know >>> > better than that. >>> > >>> > Dragos what happens if I give Group A FULL share permissions and >>> > Modify >>> > NTFS permissions on the folder. Now I have a subfolder that requires >>> > part >>> > od the users of Group A to have Modify and a new Group B to have read >>> > access yet some of the members of Group B are members of Group A. Now >>> > what >>> > are you going to do? >>> > >>> > >>> > >>> > "Andrew" <Andrew@discussions.microsoft.com> wrote in message >>> > news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... >>> >>I shared a directory with one of our Windows 2003 servers and gave a >>> >>user >>> >> Full Control accesss to that directory. However, from his computer >>> >> where >>> >> he >>> >> is logged on, he can't copy and paste anything to that directory. If >>> >> he >>> >> remote desktop's into the server and logs on as himself, he can >>> >> browse to >>> >> another network share and pull the file over without any problems. >>> >> >>> >> I never had this problem in Windows 2000. How do I configure a >>> >> directory >>> >> on >>> >> a Windows 2003 server so that people can "push" files to that folder >>> >> without >>> >> logging onto the server locally and "pulling" the files over? >>> > >>> > >>> >>> >>> > >
Recommended Posts