Guest Dragos CAMARA Posted July 19, 2007 Posted July 19, 2007 Re: Directory Permissions - What gives? i can agree that authenticated users can be a best practices, but you make again a VERY BAD MISTAKE : guest account isn't member of authenticated users group :)(you have to read and learn more) The Everyone group often contains the same set of users as the Users and Authenticated Users groups. However, if you've enabled the Guest account, you'll find that users who have logged on as Guest are members of Everyone but not members of Users or Authenticated Users. The difference between the Users and Authenticated Users groups is a bit more esoteric. Windows networks include the ability to have computer-to-computer connections that involve null sessions. Computers use these sessions to exchange lists of shared folders, printers, and other network resources; workstations use null sessions to connect to domain controllers (DCs) before users authenticate to the domain. -- Dragos CAMARA MCSA Windows 2003 server "SBS Rocker" wrote: > Now that's what everyone here is talking about Dragos. You are creating more > work. If you had the parent folder shared at Everyone=FULL or even better > Authenticated Users=FULL you'll never have to modify the share permissions > again no matter what type of access you need to grant in the folder or sub > folder. All security is now controlled and managed at the NFTS folder and > sub folder levels. > There was a reason why pre W2K3 by default for a share was Everyone=FULL. > Now they have changed it to Everyone=Read. You may not agree with having > Everyone=FULL at the share level but you seem to agree with Authenticated > Users=FULL at the share level. Isn't the Guest account a member of Everyone > as well as Authenicated Users? That siad if you did it that way there would > be no reason to creating new groups or removing groups at share level. > Correct? All you would need to do at the parent FolderA and sub folderB now > is create one new group and give them Read access. Copy the inherited NTFS > permissions from the parent folder and add Group B and have inheritance > turned on at the sub level to all child folders. > That is the reasoning behind why you only need to apply one group at the > share level so you don't have to go back and do all the extra work at the > share level as you just explained. > > > > "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message > news:707B3AF6-BA71-4A69-B0A6-04807F047C1A@microsoft.com... > > simple as a walking in a park : > > create a group C give ntfs share permisions to that group, add group A and > > B > > to C, remove group A from share permission, give NTFS rights acording to > > group A and B. > > > > everyone group full access : includes anyone who has access to network > > resources, including the Guest account - so keep to guest account with > > that > > rights > > -- > > Dragos CAMARA > > MCSA Windows 2003 server > > > > > > "Albert Louis" wrote: > > > >> hmmmmmmmmmm this is all very interesting. Sure would like to see what > >> Dragos > >> response is to Eagles10 question. Dragos I'm almost embarrassed to have > >> read > >> your reply to Andrew instructing him to secure his folders at the share > >> level using groups. Makes the rest of us MCSA's look like we have no > >> creditability > >> > >> > >> "Eagles10" <bogus@bogus.net> wrote in message > >> news:%233TvKRWyHHA.4276@TK2MSFTNGP05.phx.gbl... > >> > wow!!! looks like I stumbled into a very interesting thread. Did anyone > >> > ever resolve Andrew's issues? Let me throw in my cents here and try not > >> > to > >> > offend anyone. I'm going to have to agree with SBS Rocker simply > >> > because > >> > if you start applying users and groups at the share level you are > >> > creating > >> > more work and managing the ntfs folder permissions becomes quite a task > >> > Rocker is correct. You need to apply Everyone=FULL at the share level. > >> > I'm > >> > not sure what Dragos was thinking about offering his suggestion to add > >> > groups to the share permissions. Afterall he is a MCSA and he should > >> > know > >> > better than that. > >> > > >> > Dragos what happens if I give Group A FULL share permissions and Modify > >> > NTFS permissions on the folder. Now I have a subfolder that requires > >> > part > >> > od the users of Group A to have Modify and a new Group B to have read > >> > access yet some of the members of Group B are members of Group A. Now > >> > what > >> > are you going to do? > >> > > >> > > >> > > >> > "Andrew" <Andrew@discussions.microsoft.com> wrote in message > >> > news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... > >> >>I shared a directory with one of our Windows 2003 servers and gave a > >> >>user > >> >> Full Control accesss to that directory. However, from his computer > >> >> where > >> >> he > >> >> is logged on, he can't copy and paste anything to that directory. If > >> >> he > >> >> remote desktop's into the server and logs on as himself, he can browse > >> >> to > >> >> another network share and pull the file over without any problems. > >> >> > >> >> I never had this problem in Windows 2000. How do I configure a > >> >> directory > >> >> on > >> >> a Windows 2003 server so that people can "push" files to that folder > >> >> without > >> >> logging onto the server locally and "pulling" the files over? > >> > > >> > > >> > >> > >> > > >
Guest SBS Rocker Posted July 19, 2007 Posted July 19, 2007 Re: Directory Permissions - What gives? OK I can agree with that and "I stand corrected" on the guest account. So in a nutshell best to apply "Authenticated Users" = FULL at the share level and that's all that needs to be done at the share level. But your way of creating new groups and applying it at the share level is not necessary or best practices. I'm out of this thread........ I hope Andrew got his answer :) "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message news:853B95FE-8EAA-4C7B-91FD-9AEEA43BDDC0@microsoft.com... >i can agree that authenticated users can be a best practices, but you make > again a VERY BAD MISTAKE : guest account isn't member of authenticated > users > group :)(you have to read and learn more) > > The Everyone group often contains the same set of users as the Users and > Authenticated Users groups. However, if you've enabled the Guest account, > you'll find that users who have logged on as Guest are members of Everyone > but not members of Users or Authenticated Users. > > The difference between the Users and Authenticated Users groups is a bit > more esoteric. > Windows networks include the ability to have computer-to-computer > connections that involve null sessions. Computers use these sessions to > exchange lists of shared folders, printers, and other network resources; > workstations use null sessions to connect to domain controllers (DCs) > before > users authenticate to the domain. > > -- > Dragos CAMARA > MCSA Windows 2003 server > > > "SBS Rocker" wrote: > >> Now that's what everyone here is talking about Dragos. You are creating >> more >> work. If you had the parent folder shared at Everyone=FULL or even better >> Authenticated Users=FULL you'll never have to modify the share >> permissions >> again no matter what type of access you need to grant in the folder or >> sub >> folder. All security is now controlled and managed at the NFTS folder and >> sub folder levels. >> There was a reason why pre W2K3 by default for a share was Everyone=FULL. >> Now they have changed it to Everyone=Read. You may not agree with having >> Everyone=FULL at the share level but you seem to agree with Authenticated >> Users=FULL at the share level. Isn't the Guest account a member of >> Everyone >> as well as Authenicated Users? That siad if you did it that way there >> would >> be no reason to creating new groups or removing groups at share level. >> Correct? All you would need to do at the parent FolderA and sub folderB >> now >> is create one new group and give them Read access. Copy the inherited >> NTFS >> permissions from the parent folder and add Group B and have inheritance >> turned on at the sub level to all child folders. >> That is the reasoning behind why you only need to apply one group at the >> share level so you don't have to go back and do all the extra work at the >> share level as you just explained. >> >> >> >> "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message >> news:707B3AF6-BA71-4A69-B0A6-04807F047C1A@microsoft.com... >> > simple as a walking in a park : >> > create a group C give ntfs share permisions to that group, add group A >> > and >> > B >> > to C, remove group A from share permission, give NTFS rights acording >> > to >> > group A and B. >> > >> > everyone group full access : includes anyone who has access to network >> > resources, including the Guest account - so keep to guest account with >> > that >> > rights >> > -- >> > Dragos CAMARA >> > MCSA Windows 2003 server >> > >> > >> > "Albert Louis" wrote: >> > >> >> hmmmmmmmmmm this is all very interesting. Sure would like to see what >> >> Dragos >> >> response is to Eagles10 question. Dragos I'm almost embarrassed to >> >> have >> >> read >> >> your reply to Andrew instructing him to secure his folders at the >> >> share >> >> level using groups. Makes the rest of us MCSA's look like we have no >> >> creditability >> >> >> >> >> >> "Eagles10" <bogus@bogus.net> wrote in message >> >> news:%233TvKRWyHHA.4276@TK2MSFTNGP05.phx.gbl... >> >> > wow!!! looks like I stumbled into a very interesting thread. Did >> >> > anyone >> >> > ever resolve Andrew's issues? Let me throw in my cents here and try >> >> > not >> >> > to >> >> > offend anyone. I'm going to have to agree with SBS Rocker simply >> >> > because >> >> > if you start applying users and groups at the share level you are >> >> > creating >> >> > more work and managing the ntfs folder permissions becomes quite a >> >> > task >> >> > Rocker is correct. You need to apply Everyone=FULL at the share >> >> > level. >> >> > I'm >> >> > not sure what Dragos was thinking about offering his suggestion to >> >> > add >> >> > groups to the share permissions. Afterall he is a MCSA and he should >> >> > know >> >> > better than that. >> >> > >> >> > Dragos what happens if I give Group A FULL share permissions and >> >> > Modify >> >> > NTFS permissions on the folder. Now I have a subfolder that requires >> >> > part >> >> > od the users of Group A to have Modify and a new Group B to have >> >> > read >> >> > access yet some of the members of Group B are members of Group A. >> >> > Now >> >> > what >> >> > are you going to do? >> >> > >> >> > >> >> > >> >> > "Andrew" <Andrew@discussions.microsoft.com> wrote in message >> >> > news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... >> >> >>I shared a directory with one of our Windows 2003 servers and gave a >> >> >>user >> >> >> Full Control accesss to that directory. However, from his computer >> >> >> where >> >> >> he >> >> >> is logged on, he can't copy and paste anything to that directory. >> >> >> If >> >> >> he >> >> >> remote desktop's into the server and logs on as himself, he can >> >> >> browse >> >> >> to >> >> >> another network share and pull the file over without any problems. >> >> >> >> >> >> I never had this problem in Windows 2000. How do I configure a >> >> >> directory >> >> >> on >> >> >> a Windows 2003 server so that people can "push" files to that >> >> >> folder >> >> >> without >> >> >> logging onto the server locally and "pulling" the files over? >> >> > >> >> > >> >> >> >> >> >> >> >> >>
Guest Dragos CAMARA Posted July 19, 2007 Posted July 19, 2007 Re: Directory Permissions - What gives? and if Group A have 10k users and Group B have 15k users how a create and maintain that group C? and again if i delegate the rights to maintain that share how i will restrict the delegated admin to not give rights to group D but can give rights to what other group he wants? -- Dragos CAMARA MCSA Windows 2003 server "SBS Rocker" wrote: > Oh I forgot to mention Group C which is a copy of Group A minus the members > of Group B. Which means you copy the inheritance from the parent folder, > remove Group A and Add Group B and Group C. But nothing else needed to be > done at the share level is required. > > "SBS Rocker" <noreply@NoDomain.com> wrote in message > news:%23VrSs7hyHHA.4824@TK2MSFTNGP02.phx.gbl... > > Now that's what everyone here is talking about Dragos. You are creating > > more work. If you had the parent folder shared at Everyone=FULL or even > > better Authenticated Users=FULL you'll never have to modify the share > > permissions again no matter what type of access you need to grant in the > > folder or sub folder. All security is now controlled and managed at the > > NFTS folder and sub folder levels. > > There was a reason why pre W2K3 by default for a share was Everyone=FULL. > > Now they have changed it to Everyone=Read. You may not agree with having > > Everyone=FULL at the share level but you seem to agree with Authenticated > > Users=FULL at the share level. Isn't the Guest account a member of > > Everyone as well as Authenicated Users? That siad if you did it that way > > there would be no reason to creating new groups or removing groups at > > share level. Correct? All you would need to do at the parent FolderA and > > sub folderB now is create one new group and give them Read access. Copy > > the inherited NTFS permissions from the parent folder and add Group B and > > have inheritance turned on at the sub level to all child folders. > > That is the reasoning behind why you only need to apply one group at the > > share level so you don't have to go back and do all the extra work at the > > share level as you just explained. > > > > > > > > "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message > > news:707B3AF6-BA71-4A69-B0A6-04807F047C1A@microsoft.com... > >> simple as a walking in a park : > >> create a group C give ntfs share permisions to that group, add group A > >> and B > >> to C, remove group A from share permission, give NTFS rights acording to > >> group A and B. > >> > >> everyone group full access : includes anyone who has access to network > >> resources, including the Guest account - so keep to guest account with > >> that > >> rights > >> -- > >> Dragos CAMARA > >> MCSA Windows 2003 server > >> > >> > >> "Albert Louis" wrote: > >> > >>> hmmmmmmmmmm this is all very interesting. Sure would like to see what > >>> Dragos > >>> response is to Eagles10 question. Dragos I'm almost embarrassed to have > >>> read > >>> your reply to Andrew instructing him to secure his folders at the share > >>> level using groups. Makes the rest of us MCSA's look like we have no > >>> creditability > >>> > >>> > >>> "Eagles10" <bogus@bogus.net> wrote in message > >>> news:%233TvKRWyHHA.4276@TK2MSFTNGP05.phx.gbl... > >>> > wow!!! looks like I stumbled into a very interesting thread. Did > >>> > anyone > >>> > ever resolve Andrew's issues? Let me throw in my cents here and try > >>> > not to > >>> > offend anyone. I'm going to have to agree with SBS Rocker simply > >>> > because > >>> > if you start applying users and groups at the share level you are > >>> > creating > >>> > more work and managing the ntfs folder permissions becomes quite a > >>> > task > >>> > Rocker is correct. You need to apply Everyone=FULL at the share level. > >>> > I'm > >>> > not sure what Dragos was thinking about offering his suggestion to add > >>> > groups to the share permissions. Afterall he is a MCSA and he should > >>> > know > >>> > better than that. > >>> > > >>> > Dragos what happens if I give Group A FULL share permissions and > >>> > Modify > >>> > NTFS permissions on the folder. Now I have a subfolder that requires > >>> > part > >>> > od the users of Group A to have Modify and a new Group B to have read > >>> > access yet some of the members of Group B are members of Group A. Now > >>> > what > >>> > are you going to do? > >>> > > >>> > > >>> > > >>> > "Andrew" <Andrew@discussions.microsoft.com> wrote in message > >>> > news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com... > >>> >>I shared a directory with one of our Windows 2003 servers and gave a > >>> >>user > >>> >> Full Control accesss to that directory. However, from his computer > >>> >> where > >>> >> he > >>> >> is logged on, he can't copy and paste anything to that directory. If > >>> >> he > >>> >> remote desktop's into the server and logs on as himself, he can > >>> >> browse to > >>> >> another network share and pull the file over without any problems. > >>> >> > >>> >> I never had this problem in Windows 2000. How do I configure a > >>> >> directory > >>> >> on > >>> >> a Windows 2003 server so that people can "push" files to that folder > >>> >> without > >>> >> logging onto the server locally and "pulling" the files over? > >>> > > >>> > > >>> > >>> > >>> > > > > > > >
Recommended Posts