
Share and NTFS permissions...



Posted

Hi,

Did I say I can't stand Sharing and security on Windows?

Ooops, just did.

Anyway, I'm studying hard on how to understand Sharing vs NTFS. Still makes little sense, but I'm getting better.

What I need is a utility that would allow me to AUDIT my entire network and show me all my USERS and GROUPS and what permissions they have, that would be great!

Is there any such utility? (freeware would be nice!)

I'm aware of the "Effective Permissions" in the settings, but that is only good for a single person/group.

I'd like to see a table of users and groups and then all the SHARE / NTFS permissions and what overrides what.

Any ideas?

Thanks much,

Mark

(P.S. - why would NTFS permission to "view" not have precedence over Share for viewing files or folders over the network? I'm still scratching my head! =) )

Guest Michael Russell
Posted

RE: Share and NTFS permissions...

I believe AccessChk might help you out.

http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx

--

Michael


Guest Bruce Sanderson
Posted

Re: Share and NTFS permissions...

Think of the Share permissions as being the lock on the door and the NTFS permissions as being the lock on the filing cabinet.

The key to the filing cabinet is useless if you can't get into the room.

The computer uses the Share permissions to decide whether the user can access the Share from another computer at all and what permissions will be through that Share. The folder and file NTFS permissions are effective for both local and remote access and give fine-grained control over what the user can do to the content. Share permissions have no effect on local access (assuming the user is referring to the folder using the DriveLetter:\ as opposed to \\ComputerName\ShareName syntax).

The permissions that a user has when accessing through the Share are the minimum of the Share and NTFS permissions. Thus if a user has Full Control via NTFS, they can do whatever they want when logged on locally. If the Share permission is Read, then they can only read files from another computer. If you like, the Share permission takes precedence over the NTFS permission, but ONLY when the user is accessing via the Share (e.g. from another computer).

In many cases, it is useful to set the Share Permissions to Everyone (or Authenticated Users) Full Control and manage access control entirely using the NTFS permissions only. This simplifies administration and troubleshooting without really compromising file security.

Share permissions were (are?) useful for file systems that do not have built-in access control (e.g. FAT or FAT32). For systems like Windows 3.1, 95 etc. Share Permissions were the only way to control who could access files remotely. With NTFS, in most situations, the Share permissions don't add anything to file security (access control) that is not already provided by the NTFS file system, thus the suggestion to set them Full Control for all users and simplify your life.

A general rule in a domain, to simplify administration, is to NOT add user accounts to NTFS (or Share) permissions and not create local groups, but to always use domain groups whose name identifies the resource (share or folder) and the granted permissions. That way you can tell who has access to what by reading the group membership in conjunction with the name of the group, entirely in AD Users and Computers. If you're interested I can post (or send you) a set of rules re. group membership etc. that have been found to be useful in this regard.

--

Bruce Sanderson

http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.


Guest net_admin
Posted

RE: Share and NTFS permissions...

DumpACL.

--

NetAdmin <São Paulo, BR>


Posted

RE: Share and NTFS permissions...

Great, thank you, I will check this out!

"Michael Russell" wrote:

> I believe AccessChk might help you out.


Posted

Re: Share and NTFS permissions...

Bruce,

Bravo! Finally a useful explanation on this! (I have read at least 5 and they did not help me much)

The "locks" explanation was very helpful. Somehow I was thinking that NTFS would give me "network access". Share is the door, NTFS is the file cabinet, this is good!

I also was somehow under the impression that SHARE-EVERYONE-FULL would give EVERYONE full access to files (edit, delete, etc). But now I see that SHARE-EVERYONE-FULL gives NO permissions unless NTFS also has EVERYONE (or the user in question) with some type of permission.

I would really like to see the set of rules you are talking about, that would be great.

Do you use any tools to audit your entire network's share and NTFS permissions?

Thanks very much,

Mark


Posted

RE: Share and NTFS permissions...

Thanks very much, I will check this out.

Mark

"net_admin" wrote:

> DumpACL.


Guest Bruce Sanderson
Posted

Re: Share and NTFS permissions...

I've put the "rules" onto my web site - see http://members.shaw.ca/bsanders/WindowsGeneralWeb/GroupsAccountsPermissionsGPOsRules.htm.

Comments are welcome!

--

Bruce Sanderson

http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.


Guest Bruce Sanderson
Posted

Re: Share and NTFS permissions...

About tools for auditing NTFS permissions: I personally have not needed to do this, but I understand that tools such as cacls and xcacls might be useful for this.

For xcacls, see http://support.microsoft.com/kb/318754.

For large folder structures, these tools can generate a huge amount of output if used recursively, so be prepared!

--

Bruce Sanderson

http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.


Posted

Re: Share and NTFS permissions...

Bruce,

I reviewed your site, it's good. Thanks!

Here is part of my frustration with Sharing and security.

I have a folder shared as EVERYONE-READ.

I set SECURITY as EVERYONE-LIST FOLDER CONTENTS.

This allows me to SEE files in the folders over the network. However I get an "Access Denied" when I try to open them. Fine.

Here is the kicker. Go into SECURITY-EVERYONE-LIST FOLDER CONTENTS-ADVANCED and it has checked:

Traverse Folder/Execute File
List Folder/Read Data
Read Attributes
Read Extended Attributes
Read Permissions

Ok. I cannot READ ANY data or EXECUTE any file. So why would the first 2 in the list be checked???? (they should not be!)

Now, go back into SECURITY-EVERYONE- and check READ instead of List Folder Contents.

Now go to Advanced. IT HAS THE SAME GRANULAR ITEMS CHECKED AS ABOVE but now allows me full access to open and read files!

This is the screwiest thing I have ever seen! WHY???????

Comments?

Thanks,

Mark


Guest Bruce Sanderson
Posted

Re: Share and NTFS permissions...

Thank you for the compliment!

In the Permissions lists, the part of an entry to the left of "/" is the permission that pertains to Folder objects; the part to the right is the permission that relates to File objects.

The "List Folder" (aggregated) permission deliberately specifies that the settings apply ONLY for folder objects, NOT for File objects. In the "Advanced Security Settings for ..." dialog box observe the column called "Apply to". For the "List Folder" (aggregated) permissions, "Apply to" says "This folder and subfolders" - there is no mention of Files. Click Edit and observe the same thing in the "Apply onto" box, which you can change if you want to. When you select the "Read" or "Read and Execute" (aggregated) permission, the "Apply to" changes to "This folder, subfolders and files".

So, the "List Folder" (aggregated) setting on the Security tab of the folder's Properties applies the following permissions to Folders:

Traverse Folder
List Folder
Read Attributes
Read Extended Attributes
Read Permissions

And absolutely NO permissions at all for Files. Since Users (in your case) have NO PERMISSIONS specified for Files, they can see the list of them, but get "access is denied" if they try to open them.

The List Folder (aggregated) setting is useful if you want users to be able to navigate THROUGH a folder (e.g. in Windows Explorer) to subfolders, but not read anything that is in it, just things to which they have been granted Read permission for Files in sub-folders.

If you change anything in the Advanced, Edit dialog (e.g. the setting in "Apply onto"), you will most likely see a check mark beside "Special" in the Security tab of the ...Properties dialog because you have specified something that is not covered by any of the aggregated settings shown on that dialog.

So, it's not "screwy", it is "by design". You can do some very complicated (and consequently confusing, particularly months later!) things with NTFS permissions, so a little experimenting and study might go a long way. I suggest keeping things as simple as you possibly can commensurate with satisfying (REAL) business needs.

--

Bruce Sanderson

http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.

 

 

 

"Mrpush" <Mrpush@discussions.microsoft.com> wrote in message
news:D8273890-5289-44C9-8ED4-A3DD30960CA6@microsoft.com...
> Bruce,
>
> I reviewed your site, it's good. Thanks!
>
> Here is part of my frustration with Sharing and security.
>
> I have a folder shared as EVERYONE-READ.
>
> I set SECURITY as EVERYONE-LIST FOLDER CONTENTS.
>
> This allows me to SEE files in the folders over the network. However I get an "access Denied" when I try to open them. Fine.
>
> Here is the kicker. Go into SECURITY-EVERYONE-LIST FOLDER CONTENTS-ADVANCED and it has checked:
>
> Traverse/Execute file
> List Folder/read data
> Read Attributes
> Read Extended Attributes
> Read Permissions
>
> Ok. I cannot READ ANY data or EXECUTE any file. So why would the first 2 in the list be checked???? (they should not be!)
>
> Now, go back into SECURITY-EVERYONE- and check READ instead of List Folder Contents.
>
> Now go to advanced. IT HAS THE SAME GRANULAR ITEMS CHECKED AS ABOVE but now allows me full access to open and read files!
>
> This is the screwiest thing I have ever seen! WHY???????
>
> Comments?
>
> Thanks,
>
> Mark
>
> "Bruce Sanderson" wrote:
>
>> Think of the Share permissions as being the lock on the door and the NTFS permissions as being the lock on the filing cabinet.
>>
>> The key to the filing cabinet is useless if you can't get into the room.
>>
>> The computer uses the Share permissions to decide whether the user can access the Share from another computer at all and what permissions will be through that Share. The folder and file NTFS permissions are effective for both local and remote access and give fine grained control over what the user can do to the content. Share permissions have no effect on local access (assuming the user is referring to the folder using the DriveLetter:\ as opposed to \\ComputerName\ShareName syntax).
>>
>> The permissions that a user has when accessing through the Share is the minimum of the Share and NTFS permissions. Thus if a user has Full Control via NTFS, they can do whatever they want when logged on locally. If the Share permission is Read, then they can only read files from another computer. If you like, the Share permission takes precedence over the NTFS permission, but ONLY when the user is accessing via the Share (e.g. from another computer).
>>
>> In many cases, it is useful to set the Share Permissions to Everyone (or Authenticated Users) Full Control and manage access control entirely using the NTFS permissions only. This simplifies administration and troubleshooting without really compromising file security.
>>
>> Share permissions were (are?) useful for file systems that do not have built in access control (e.g. FAT or FAT32). For systems like Windows 3.1, 95 etc. Share Permissions were the only way to control who could access files remotely. With NTFS, in most situations, the Share permissions don't add anything to file security (access control) that is not already provided by the NTFS file system, thus the suggestion to set them Full Control for all users and simplify your life.
>>
>> A general rule in a domain, to simplify administration, is to NOT add user accounts to NTFS (or Share) permissions and not create local groups, but to always use domain groups whose name identifies the resource (share or folder) and the granted permissions. That way you can tell who has access to what by reading the group membership in conjunction with the name of the group, entirely in AD Users and Computers. If you're interested I can post (or send you) a set of rules re. group membership etc. that have been found to be useful in this regard.
>>
>> --
>> Bruce Sanderson
>> http://members.shaw.ca/bsanders
>>
>> It is perfectly useless to know the right answer to the wrong question.
>>

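The two points Bruce makes in this post, that the "List Folder" bundle is applied to folders only and that access through a share is the minimum of the share and NTFS permissions, can be checked from PowerShell instead of the dialog boxes. The script below is an added example, not code from the thread or from Bruce's site. It assumes Windows PowerShell 5.1 or later with the SmbShare module (Windows 8 / Server 2012 and later); the demo folder under $env:TEMP and the use of the Everyone principal are constructed values, and the function names are mine.

```powershell
# Added example, not code from the thread. Two demonstrations:
#  1. Show-ApplyToEffect: the "List folder contents" bundle carries ContainerInherit only,
#     so files under the folder never receive the ACE and opening them is denied, while
#     "Read and execute" carries ContainerInherit + ObjectInherit and reaches files too.
#  2. Show-ShareVsNtfs: share ACL beside NTFS ACL per identity, the audit table Mark asked
#     for; effective access through the share is the more restrictive of the two columns.
# Assumes Windows PowerShell 5.1+ and the SmbShare module. Demo paths are constructed.
using namespace System.Security.AccessControl

function Show-ApplyToEffect {
    param([string]$Root = (Join-Path $env:TEMP 'acl-applyto-demo'))  # constructed demo folder

    $subFolder = Join-Path $Root 'sub'
    $file      = Join-Path $Root 'doc.txt'
    New-Item -ItemType Directory -Path $subFolder -Force | Out-Null
    Set-Content -Path $file -Value 'demo'

    # Both GUI bundles grant the same granular rights Bruce lists (Traverse/Execute,
    # List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions,
    # which .NET groups as ReadAndExecute); only the "Apply to" inheritance flags differ.
    $cases = @(
        @{ Label   = 'List folder contents (This folder and subfolders)'
           Inherit = [InheritanceFlags]::ContainerInherit },
        @{ Label   = 'Read and execute (This folder, subfolders and files)'
           Inherit = [InheritanceFlags]'ContainerInherit, ObjectInherit' }
    )
    foreach ($case in $cases) {
        $acl = Get-Acl -Path $Root
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]'Everyone')   # reset between cases
        $acl.AddAccessRule([FileSystemAccessRule]::new('Everyone', [FileSystemRights]::ReadAndExecute,
            $case.Inherit, [PropagationFlags]::None, [AccessControlType]::Allow))
        Set-Acl -Path $Root -AclObject $acl   # Windows propagates the inheritable ACE to children

        # Does the child carry any ACE for Everyone after propagation?
        $hasAce = { param($p) [bool]((Get-Acl -Path $p).Access |
                    Where-Object { $_.IdentityReference.Value -eq 'Everyone' }) }
        [pscustomobject]@{
            Bundle       = $case.Label
            SubfolderAce = & $hasAce $subFolder
            FileAce      = & $hasAce $file    # False for "List folder contents": open is denied
        }
    }
}

function Show-ShareVsNtfs {
    # One row per (share, share-ACL identity) with that identity's NTFS ACEs on the share's
    # root folder alongside. Only the root folder is read; deeper folders may differ.
    Get-SmbShare | Where-Object { $_.Path -and -not $_.Special } | ForEach-Object {
        $share = $_
        $ntfs  = (Get-Acl -Path $share.Path).Access
        foreach ($sa in Get-SmbShareAccess -Name $share.Name) {
            $match  = $ntfs | Where-Object { $_.IdentityReference.Value -eq $sa.AccountName }
            $rights = ($match | ForEach-Object { "$($_.AccessControlType) $($_.FileSystemRights)" }) -join '; '
            if (-not $rights) { $rights = '(no ACE for this identity on the root folder)' }
            [pscustomobject]@{
                Share      = $share.Name
                Path       = $share.Path
                Identity   = $sa.AccountName
                ShareRight = "$($sa.AccessControlType) $($sa.AccessRight)"
                NtfsRights = $rights
            }
        }
    } | Sort-Object Share, Identity | Format-Table -AutoSize
}

Show-ApplyToEffect | Format-Table -AutoSize
Show-ShareVsNtfs
```

Run it from an elevated prompt so that Get-SmbShareAccess can read every share's ACL. In the first table the "List folder contents" row reports an ACE on the subfolder but none on the file, which is exactly the "can list, cannot open" behaviour Mark saw; in the second table a Read share right next to a Modify NTFS right means remote users get Read, since the share column caps what the NTFS column grants.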

Posted

Re: Share and NTSF permissions...

 

Bruce,

You have found my weakest link. I really paid little or no attention to the "Apply onto:" field when checking the permissions.

I do understand now. (But I still think the GUI could be set up better so that it shows the permissions in an easier to understand format.)

Thanks a million, you have been very helpful. I will try to keep things really simple.

Mark

 


Guest data meister
Posted

RE: Share and NTSF permissions...

 

 

 


Guest data meister
Posted

Re: Share and NTSF permissions...

 

I'm not sure where to ask this, but my question relates to shared folder permissions. We have 5 main folders on a shared drive. Only our IT administrator has full control to either delete one of these folders or to create a new one. Within those main folders all users have read/write/modify permissions. They can create subfolders but cannot delete subfolders. But I just had a problem where someone dragged and dropped one of the main folders into another one. I was then unable to pull that folder back out because I don't have permissions to enable that. Is there a restriction that can be used so that an individual would be prevented from dragging and dropping? I do not see anything in the permissions list that would prevent the dragging and dropping.

 


Posted

Re: Share and NTSF permissions...

 

Hi,

Dragging and dropping is essentially "CREATING" a copy or move of a file/folder in another folder.

Therefore, if the folders that are "dragged to" have "Create Files - Create Folders" permissions, then you can drag and drop to them.

If you remove these permissions, then you get an error when you try to drag and drop. However, this may mess up your intended permissions for the folder to begin with.

Hope that helps a little, but not sure that it is a solution for you.

Mark

 


Posted

Re: Share and NTSF permissions...

Bruce,

Here is another mind blower for me.

I have a folder with everyone-read share, everyone FULL security. This applies to "this folder, subfolders, files".

Now, I created a new folder INSIDE the above folder. I give it USER A - share, and USER A - full security, nothing else.

I can access this new folder with ANY USER and delete the files and folders in it.

Should the new folder security not "override" the existing host folder security?

I think it should, else if you go and create a new folder anywhere deep in the file structure, you now have to go and review all the "higher" folder securities to make sure it's not available to the world!

AHHHHHHHHHHHHHHHHHHHHHHH! This makes no logical sense to me!

I'm still finding ways to scratch my head with this.

Thanks,

Mark


"Bruce Sanderson" wrote:

> Thank you for the compliment!
>
> In the Permissions lists, the part of an entry to the left of "/" is the permission that pertains to Folder objects; the part to the right is the permission that relates to File objects.
>
> The "List Folder" (aggregated) permission deliberately specifies that the settings apply ONLY for folder objects, NOT for File objects. In the "Advanced Security Settings for ..." dialog box observe the column called "Apply to". For the "List Folder" (aggregated) permissions, "Apply to" says "This folder and subfolders" - there is no mention of Files. Click Edit and observe the same thing in the "Apply onto" box, which you can change if you want to. When you select the "Read" or "Read and Execute" (aggregated) permission, the "Apply to" changes to "This folder, subfolders and files".
>
> So, the "List Folder" (aggregated) setting on the Security tab of the folder's Properties applies the following permissions to Folders:
>
> Traverse Folder
> List Folder
> Read Attributes
> Read Extended Attributes
> Read Permissions
>
> And absolutely NO permissions at all for Files. Since Users (in your case) have NO PERMISSIONS specified for Files, they can see the list of them, but get "access is denied" if they try to open them.
>
> The List Folder (aggregated) setting is useful if you want users to be able to navigate THROUGH a folder (e.g. in Windows Explorer) to subfolders, but not read anything that is in it, just things to which they have been granted Read permission for Files in sub-folders.
>
> If you change anything in the Advanced, Edit dialog (e.g. the setting in "Apply onto"), you will most likely see a check mark beside "Special" in the Security tab of the ...Properties dialog because you have specified something that is not covered by any of the aggregated settings shown on that dialog.
>
> So, it's not "screwy", it is "by design". You can do some very complicated (and consequently confusing, particularly months later!) things with NTFS permissions, so a little experimenting and study might go a long way. I suggest keeping things as simple as you possibly can commensurate with satisfying (REAL) business needs.
>
> --
> Bruce Sanderson
> http://members.shaw.ca/bsanders
>
> It is perfectly useless to know the right answer to the wrong question.
>
> "Mrpush" <Mrpush@discussions.microsoft.com> wrote in message
> news:D8273890-5289-44C9-8ED4-A3DD30960CA6@microsoft.com...
> > Bruce,
> >
> > I reviewed your site, it's good. Thanks!
> >
> > Here is part of my frustration with Sharing and security.
> >
> > I have a folder shared as EVERYONE-READ.
> >
> > I set SECURITY as EVERYONE-LIST FOLDER CONTENTS.
> >
> > This allows me to SEE files in the folders over the network. However I get an "access Denied" when I try to open them. Fine.
> >
> > Here is the kicker. Go into SECURITY-EVERYONE-LIST FOLDER CONTENTS-ADVANCED and it has checked:
> >
> > Traverse/Execute file
> > List Folder/read data
> > Read Attributes
> > Read Extended Attributes
> > Read Permissions
> >
> > Ok. I cannot READ ANY data or EXECUTE any file. So why would the first 2 in the list be checked???? (they should not be!)
> >
> > Now, go back into SECURITY-EVERYONE- and check READ instead of List Folder Contents.
> >
> > Now go to advanced. IT HAS THE SAME GRANULAR ITEMS CHECKED AS ABOVE but now allows me full access to open and read files!
> >
> > This is the screwiest thing I have ever seen! WHY???????
> >
> > Comments?
> >
> > Thanks,
> >
> > Mark
> >


Guest Bruce Sanderson
Posted

Re: Share and NTSF permissions...

Having worked with NTFS and Share permissions for years, I have acquired a certain amount of knowledge, but I don't consider myself an "all knowing expert" on permissions.

I do know, though, that you have to look at the permissions very carefully, both where you are moving from and where you are moving to.

You might find you can Copy the folder back to its original location (target in this case) and Delete the contents - sub folders and files - in the "wrong" location (source in this case), but not delete the source container folder itself. You might have to ask the "IT Administrator" to complete this final step.

Unfortunately, it is a common occurrence for someone to accidentally Move a folder from one place to another in the folder hierarchy because the default drag and drop action is Move. Especially with today's high resolution monitors, one can accidentally press the left mouse button while moving the mouse pointer across the hierarchy in the left pane of Explorer, accidentally Move something and not know what you Moved to where - I've done this myself more than once. This can be ameliorated somewhat by changing the "Drag Height" and "Drag Width" settings - unfortunately there is no GUI or Group Policy setting for this (I seem to recall that TweakUI can adjust these). The registry entries are at HKEY_CURRENT_USER\Control Panel\Desktop.

There are a few things to keep in mind:

1. When you "Move" a folder or file - which is the default action for drag and drop inside a folder hierarchy - the permissions that the file or folder had in its original location (source) will be applied to the folder or file in its new location (target) - that is, inherited permissions won't be definitive for things Moved into a folder.

   When you "Copy" a folder or file (e.g. using the right mouse button during drag and drop), the objects inherit the permissions from the target folder.

   For this reason, I suggest always using the right mouse button for dragging and dropping and Copying the file or folder, then Deleting it from the source.

2. The default for CREATOR OWNER appears to be Full Control - Subfolders and files only - I often remove CREATOR OWNER from parent folders so that different people don't get different permissions on some objects just because they created them.

3. If you don't have the required "Delete..." permissions, then you may be able to Copy from the source, but not Move, because Move implies Delete in the source.

4. The aggregated Permission called "Modify" includes "Delete", but not "Delete subfolders and files".

http://technet2.microsoft.com/windowsserver/en/library/e4be109f-5547-4df8-90f0-4d885dc302e71033.mspx?mfr=true has a fairly good explanation of what the individual permissions mean, including the difference between "Delete" and "Delete subfolders and files".

--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.


"data meister" <datameister@discussions.microsoft.com> wrote in message

news:710B5E62-CD84-476C-9228-4EA434CBF9D1@microsoft.com...
> I'm not sure where to ask this but my question relates to share folder permissions. We have 5 main folders on a shared drive. Only our IT administrator has full control to either delete one of these folders or to create a new one. Within those main folders all users have read/write/modify permissions. They can create subfolders but cannot delete subfolders. But I just had a problem where someone dragged and dropped one of the main folders into another one. I was then unable to pull that folder back out because I don't have permissions to enable that. Is there a restriction that can be used so that an individual would be prevented from dragging and dropping? I do not see anything in the permissions list that would prevent the dragging and dropping.
>


Guest Bruce Sanderson
Posted

Re: Share and NTSF permissions...

The only (NTFS) permissions that are relevant are those assigned to a particular object, and in some cases (e.g. a delete action) those of the immediate parent; these all appear in the Security, Advanced Properties dialog of the object. Note that this includes any permissions inherited from the parent object - these appear "greyed out" - not changeable.

For inherited permissions, the Advanced dialog shows from where in the path to the object the permissions are inherited.

When access is remote - that is, via a Share - then the Share permissions are also relevant, but those can only reduce a user's permission, not enhance it. For example, if the NTFS permission a user has been granted is Full Control, but they are accessing the object through a Share that grants only Read permission, the user will only be able to Read, not change, delete or add children. Conversely, if the NTFS permission a user has been granted is only Read, but they are accessing via a Share that grants them Full Control, they still will only be able to Read the object - they won't be able to change, add or delete the object.

I tried to reproduce your situation without success. It would seem I'm missing some vital pieces of information about your particular scenario. Here's the scenario I tested:

Computers involved (both are domain members):
  XPSP2 - a workstation used for remote access via the Shares (has Windows XP SP2 installed)
  2003SP2VM - the (file) server hosting the shared folders (has Windows Server 2003 SP2 installed)

User accounts involved:
  bruceadmin - domain user account that is a member of the local Administrators group on both computers
  brucen - a domain user account that is only a member of the local Users and Remote Desktop Users groups on both computers
  T1 - a domain user account that is only a member of the local Users and Remote Desktop Users groups on both computers

Folders on 2003SP2VM - all of the objects were created by bruceadmin (an administrator) and have their Owner attribute set to 2003SP2VM\Administrators

d:\ (root of partition with drive letter d) - Permissions (note that these are not the default permissions):
  2003SP2VM\Administrators - Full Control
  2003SP2VM\SYSTEM - Full Control
  2003SP2VM\Users - List Folder Contents

d:\Test - NOT shared - No Permissions are inherited from the parent (root of the d partition). NTFS permissions are:
  2003SP2VM\Administrators - Full Control
  2003SP2VM\SYSTEM - Full Control
  2003SP2VM\Everyone - Read & Execute, List Folder Contents, Read

d:\Test\AllModify - Shared as AllModify - No Permissions are inherited from the parent (d:\Test). NTFS permissions are:
  2003SP2VM\Administrators - Full Control
  2003SP2VM\SYSTEM - Full Control
  2003SP2VM\Everyone - Modify
  Share Permissions - Everyone - Read

d:\Test\AllModify\T1Only - Shared as T1Only - No Permissions are inherited from the parent (d:\Test\AllModify). NTFS permissions are:
  2003SP2VM\Administrators - Full Control
  2003SP2VM\SYSTEM - Full Control
  domain\T1 - Modify
  Share Permissions - domain\T1 - Read

Test Scenarios:

A. T1 logs on locally at 2003SP2VM (logon via Remote Desktop Connection is equivalent to local logon for these scenarios). Share Permissions are not relevant because access is NOT via either of the Shares.
  A.1. logon with T1
  A.2. open Windows Explorer
  A.3. navigate to D:\Test\AllModify\T1Only
  A.4. create a new folder (e.g. d:\Test\AllModify\T1Only\T1) and a new file (e.g. d:\Test\AllModify\T1Only\t1.txt)
  A.5. observe that the Permissions are inherited from the T1Only folder
  A.6. delete both of the newly created objects
  A.7. delete T1Only (T1 is a member of Everyone, which has Modify permission, which includes Delete)
  A.8. delete AllModify (T1 is a member of Everyone, which has Modify permission, which includes Delete)
  A.9. attempt to delete Test - access is denied
  A.10. logoff

B. using an administrative user account (e.g. bruceadmin) re-create the folders with the permissions the same as before - notice that the Share definitions, including the Share permissions, still exist and don't need to be re-created
  B.1. create a new folder and a new file under T1Only (e.g. same as at step A.4)

C. brucen logs on locally at 2003SP2VM
  C.1. open Windows Explorer
  C.2. navigate to D:\Test\AllModify and click T1Only - observe access is denied
  C.3. select AllModify
  C.4. create a new folder (e.g. All) and a new file (e.g. d:\Test\AllModify\All.txt)
  C.5. observe that the permissions have been inherited from d:\Test\AllModify
  C.6. delete both of the newly created objects
  C.7. attempt to delete d:\Test\AllModify - observe that access is denied because T1Only can not be deleted
  C.8. logoff

D. T1 logs on locally at XPSP2 to access the Shares remotely
  D.1. click Start, Run; key \\2003SP2VM\ - observe that both AllModify and T1Only appear in the drop down list; select AllModify
  D.2. observe that the folder T1Only is shown as a child of AllModify and also as a separate item (Share) in the left pane under 2003sp2vm
  D.3. attempt to create a new folder in AllModify - observe access is denied - this is because the Share permissions are only Read
  D.4. attempt to create a new folder in AllModify\T1Only - access is denied - Share permissions are only Read
  D.5. open the file created in step B.1.; change the content; click File, Save; observe the error - Share permissions are only Read, so the file can not be Changed
  D.6. click Cancel, close the file again, selecting not to save
  D.7. attempt to delete the file (e.g. t1.txt) - observe that access is denied
  D.8. attempt to delete the folder AllModify\T1Only\T1 - observe that access is denied
  D.9. in the left pane of Explorer, select the Share T1Only
  D.10. repeat the change and delete attempts (i.e. steps D.3. through D.8.) - observe that the results are the same - the Share permissions are only Read

E. brucen logs on locally at XPSP2 to access the Shares remotely
  E.1. click Start, Run; key \\2003SP2VM\ - observe that both AllModify and T1Only appear in the drop down list; select AllModify
  E.2. observe that the folder T1Only is shown as a child of AllModify and also as a separate item (Share) in the left pane under 2003sp2vm
  E.3. attempt to create a new folder in AllModify - observe access is denied - this is because the Share permissions are only Read
  E.4. in the left pane, click AllModify\T1Only - access is denied - although Share permissions are Read, brucen has no permissions via NTFS, which means no access
  E.5. in the left pane of Explorer, select the Share T1Only - observe that access is denied

--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.

 

 
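Mark's original request was a table of users and groups against their Share and NTFS permissions, and Bruce's rule above is that access through a Share is the lower of the two. The following PowerShell script is an added example, not code from the thread or from Microsoft, that builds such a table for every non-administrative share on a file server; it assumes Windows 8 / Server 2012 or later (the SmbShare cmdlets) and an elevated session on the server itself, and the share names 'AllModify' and 'T1Only' in the last line are taken from Bruce's test scenario.

```powershell
# Added example (not from the thread): Share vs NTFS permissions per identity,
# applying the "lower of the two" rule for remote access.
# Assumes Windows 8 / Server 2012 or later (SmbShare module) and an elevated shell.

$RankName = @{ 0 = 'None/Special'; 1 = 'Read'; 2 = 'Change'; 3 = 'Full' }

function ConvertTo-ShareRank {
    # Get-SmbShareAccess reports AccessRight as Full, Change, Read (or Custom).
    param([string]$AccessRight)
    switch ($AccessRight) {
        'Full'   { return 3 }
        'Change' { return 2 }
        'Read'   { return 1 }
        default  { return 0 }
    }
}

function ConvertTo-NtfsRank {
    # Collapse the NTFS FileSystemRights bit mask into the same three levels.
    # Generic bits (GENERIC_ALL / GENERIC_READ) occur on inherit-only ACEs such as
    # CREATOR OWNER, so they are mapped too. Anything else is reported as 0 so the
    # auditor looks at the raw NtfsRights column instead of trusting a summary.
    param([int]$Rights)
    $r = [BitConverter]::ToUInt32([BitConverter]::GetBytes($Rights), 0)
    if ((($r -band 0x1F01FF) -eq 0x1F01FF) -or (($r -band 0x10000000) -ne 0)) { return 3 } # FullControl
    if (($r -band 0x301BF) -eq 0x301BF) { return 2 }                                       # Modify
    if ((($r -band 0x20089) -eq 0x20089) -or (($r -band 0x80000000) -ne 0)) { return 1 }  # Read
    return 0
}

function Get-ShareNtfsAudit {
    [CmdletBinding()]
    param([string[]]$ShareName)   # default: every non-administrative share

    $shares = Get-SmbShare -Special $false
    if ($ShareName) { $shares = $shares | Where-Object { $ShareName -contains $_.Name } }

    foreach ($share in $shares) {
        $shareAces = @(Get-SmbShareAccess -Name $share.Name)
        $ntfsAces  = @((Get-Acl -LiteralPath $share.Path).Access)

        # Every identity named on either side gets a row, so an account that is
        # only in the share ACL (NTFS: none) or only in NTFS (share: none) shows up.
        $ids = @($shareAces | ForEach-Object { $_.AccountName }) +
               @($ntfsAces  | ForEach-Object { $_.IdentityReference.Value }) |
               Sort-Object -Unique

        foreach ($id in $ids) {
            $s = @($shareAces | Where-Object { $_.AccountName -eq $id })
            $n = @($ntfsAces  | Where-Object { $_.IdentityReference.Value -eq $id })

            # Share side: the highest Allow entry for this identity.
            $shareRank = 0
            foreach ($a in $s) {
                if ($a.AccessControlType -eq 'Allow') {
                    $shareRank = [Math]::Max($shareRank, (ConvertTo-ShareRank "$($a.AccessRight)"))
                }
            }
            # NTFS side: OR together all Allow entries (explicit and inherited).
            $ntfsBits = 0
            foreach ($a in $n) {
                if ($a.AccessControlType -eq 'Allow') { $ntfsBits = $ntfsBits -bor [int]$a.FileSystemRights }
            }
            $ntfsRank = ConvertTo-NtfsRank $ntfsBits

            [PSCustomObject]@{
                Share           = $share.Name
                Path            = $share.Path
                Identity        = $id
                SharePerm       = $RankName[$shareRank]
                NtfsPerm        = $RankName[$ntfsRank]
                NtfsRights      = ($n | ForEach-Object { "$($_.FileSystemRights)" }) -join '; '
                NtfsInherited   = @($n | Where-Object { $_.IsInherited }).Count -gt 0
                HasDeny         = @($s + $n | Where-Object { $_.AccessControlType -eq 'Deny' }).Count -gt 0
                EffectiveRemote = $RankName[[Math]::Min($shareRank, $ntfsRank)]   # the "minimum" rule
            }
        }
    }
}

# Example runs: a table for every share, then a CSV for the two shares in Bruce's scenario.
Get-ShareNtfsAudit | Format-Table Share, Identity, SharePerm, NtfsPerm, EffectiveRemote, HasDeny -AutoSize
Get-ShareNtfsAudit -ShareName 'AllModify', 'T1Only' | Export-Csv -Path .\share-ntfs-audit.csv -NoTypeInformation
```

The script does not expand group membership, so for one account's actual effective rights use AccessChk (suggested earlier in the thread) or the Effective Permissions tab; Deny entries on either side are flagged in HasDeny rather than evaluated.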

 

"Mrpush" <Mrpush@discussions.microsoft.com> wrote in message

news:4BE6181B-37FC-479C-9D24-A134DF0A61D8@microsoft.com...

> Bruce,

>

> Here is another mind blower for me.

>

> I have a folder with everyone-read share, everyone FULL security. This

> applies to "this folder , subfolders, files".

>

> Now, I created a new folder INSIDE the above folder. I give it USER A -

> share, and USER A - full security, nothng else.

>

> I can access this new folder with ANY USER and delete the files and

> folders

> in it.

>

> Should the new folder security not "override" the existing host folder

> security?

>

> I think it should else if you go and create a new folder anywhere deep in

> the file structure, you now have to go and review all the "higher" folder

> securities to make sure it's not available to the world!
>
> AHHHHHHHHHHHHHHHHHHHHHHH! This makes no logical sense to me!
>
> I'm still finding ways to scratch my head with this.
>
> Thanks,
>
> Mark
>
>
>
> "Bruce Sanderson" wrote:
>
>> Thank you for the compliment!
>>
>> In the Permissions lists, the part of an entry to the left of "/" is the permission that pertains to Folder objects; the part to the right is the permission that relates to File objects.
>>
>> The "List Folder" (aggregated) permission deliberately specifies that the settings apply ONLY for folder objects, NOT for File objects. In the "Advanced Security Settings for ..." dialog box observe the column called "Apply to". For the "List Folder" (aggregated) permissions, "Apply to" says "This folder and subfolders" - there is no mention of Files. Click Edit and observe the same thing in the "Apply onto" box, which you can change if you want to. When you select the "Read" or "Read and Execute" (aggregated) permission, the "Apply to" changes to "This folder, subfolders and files".
>>
>> So, the "List Folder" (aggregated) setting on the Security tab of the folder's Properties applies the following permissions to Folders:
>>
>> Traverse Folder
>> List Folder
>> Read Attributes
>> Read Extended Attributes
>> Read Permissions
>>
>> And absolutely NO permissions at all for Files. Since Users (in your case) have NO PERMISSIONS specified for Files, they can see the list of them, but get "access is denied" if they try to open them.
>>
>> The List Folder (aggregated) setting is useful if you want users to be able to navigate THROUGH a folder (e.g. in Windows Explorer) to subfolders, but not read anything that is in it, just things to which they have been granted Read permission for Files in sub-folders.
>>
>> If you change anything in the Advanced, Edit dialog (e.g. the setting in "Apply onto"), you will most likely see a check mark beside "Special" in the Security tab of the ...Properties dialog because you have specified something that is not covered by any of the aggregated settings shown on that dialog.
>>
>> So, it's not "screwy", it is "by design". You can do some very complicated (and consequently confusing, particularly months later!) things with NTFS permissions, so a little experimenting and study might go a long way. I suggest keeping things as simple as you possibly can commensurate with satisfying (REAL) business needs.
>>
>> --
>> Bruce Sanderson
>> http://members.shaw.ca/bsanders
>>
>> It is perfectly useless to know the right answer to the wrong question.
>>
>>
>>
>> "Mrpush" <Mrpush@discussions.microsoft.com> wrote in message news:D8273890-5289-44C9-8ED4-A3DD30960CA6@microsoft.com...
>> > Bruce,
>> >
>> > I reviewed your site, it's good. Thanks!
>> >
>> > Here is part of my frustration with Sharing and security.
>> >
>> > I have a folder shared as EVERYONE-READ.
>> >
>> > I set SECURITY as EVERYONE-LIST FOLDER CONTENTS.
>> >
>> > This allows me to SEE files in the folders over the network. However I get an "access Denied" when I try to open them. Fine.
>> >
>> > Here is the kicker. Go into SECURITY-EVERYONE-LIST FOLDER CONTENTS-ADVANCED and it has checked:
>> >
>> > Traverse/Execute file
>> > List Folder/read data
>> > Read Attributes
>> > Read Extended Attributes
>> > Read Permissions
>> >
>> > Ok. I cannot READ ANY data or EXECUTE any file. So why would the first 2 in the list be checked???? (they should not be!)
>> >
>> > Now, go back into SECURITY-EVERYONE- and check READ instead of List Folder Contents.
>> >
>> > Now go to advanced. IT HAS THE SAME GRANULAR ITEMS CHECKED AS ABOVE but now allows me full access to open and read files!
>> >
>> > This is the screwiest thing I have ever seen! WHY???????
>> >
>> > Comments?
>> >
>> > Thanks,
>> >
>> > Mark
>> >
>> >
>> >
>> > "Bruce Sanderson" wrote:
>> >
>> >> Think of the Share permissions as being the lock on the door and the NTFS permissions as being the lock on the filing cabinet.
>> >>
>> >> The key to the filing cabinet is useless if you can't get into the room.
>> >>
>> >> The computer uses the Share permissions to decide whether the user can access the Share from another computer at all and what permissions will be through that Share. The folder and file NTFS permissions are effective for both local and remote access and give fine grained control over what the user can do to the content. Share permissions have no effect on local access (assuming the user is referring to the folder using the DriveLetter:\ as opposed to \\ComputerName\ShareName syntax).
>> >>
>> >> The permissions that a user has when accessing through the Share are the minimum of the Share and NTFS permissions. Thus if a user has Full Control via NTFS, they can do whatever they want when logged on locally. If the Share permission is Read, then they can only read files from another computer. If you like, the Share permission takes precedence over the NTFS permission, but ONLY when the user is accessing via the Share (e.g. from another computer).
>> >>
>> >> In many cases, it is useful to set the Share Permissions to Everyone (or Authenticated Users) Full Control and manage access control entirely using the NTFS permissions only. This simplifies administration and troubleshooting without really compromising file security.
>> >>
>> >> Share permissions were (are?) useful for file systems that do not have built in access control (e.g. FAT or FAT32). For systems like Windows 3.1, 95 etc. Share Permissions were the only way to control who could access files remotely. With NTFS, in most situations, the Share permissions don't add anything to file security (access control) that is not already provided by the NTFS file system, thus the suggestion to set them Full Control for all users and simplify your life.
>> >>
>> >> A general rule in a domain, to simplify administration, is to NOT add user accounts to NTFS (or Share) permissions and not create local groups, but to always use domain groups whose name identifies the resource (share or folder) and the granted permissions. That way you can tell who has access to what by reading the group membership in conjunction with the name of the group, entirely in AD Users and Computers. If you're interested I can post (or send you) a set of rules re. group membership etc. that have been found to be useful in this regard.
>> >>
>> >> --
>> >> Bruce Sanderson
>> >> http://members.shaw.ca/bsanders
>> >>
>> >> It is perfectly useless to know the right answer to the wrong question.
>> >>
>> >>
>> >>
>> >> "Mrpush" <Mrpush@discussions.microsoft.com> wrote in message news:3FA2E0D4-AD75-4BF0-A410-1E6CC06B0FA4@microsoft.com...
>> >> > Hi,
>> >> >
>> >> > Did I say I can't stand Sharing and security on Windows?
>> >> >
>> >> > Ooops, just did.
>> >> >
>> >> > Anyway, I'm studying hard on how to understand Sharing vs NTFS. Still makes little sense, but I'm getting better.
>> >> >
>> >> > What I need is a utility that would allow me to AUDIT my entire network and show me all my USERS and GROUPS and what permissions they have, that would be great!
>> >> >
>> >> > Is there any such utility? (freeware would be nice!)
>> >> >
>> >> > I'm aware of the "Effective Permissions" in the settings, but that is only good for a single person/group.
>> >> >
>> >> > I'd like to see a table of users and groups and then all the SHARE / NTFS permissions and what overrides what.
>> >> >
>> >> > Any ideas?
>> >> >
>> >> > Thanks much,
>> >> >
>> >> > Mark
>> >> >
>> >> > (P.S, - why would NTFS permission to "view" not have precedence over Share for viewing files or folders over the network? I'm still scratching my head! =) )
>> >>
>> >>
>>
>>
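As an added example (not code from the thread, and not a Windows API), the Python below models the rules Bruce states in the quoted replies: access through a share is the minimum of the Share and NTFS permissions, local access is governed by NTFS alone, and the "List Folder Contents" aggregate carries the same granular rights as "Read" but an "Apply to" of "This folder and subfolders", so files receive nothing from it. The right names, the `Ace` class and the `mark_scenarios` helper are constructed for this model; deny entries and inheritance are deliberately left out.

```python
"""Toy model of how Share and NTFS permissions combine. Constructed
example, not Windows code: it encodes the rules stated in the thread
(remote access = minimum of Share and NTFS; "List Folder Contents"
applies only to folders; local access ignores Share permissions).
Only allow ACEs are modelled; deny ACEs and inheritance are omitted."""
from dataclasses import dataclass

# Granular NTFS rights, "folder meaning / file meaning" as in the
# Advanced Security Settings dialog; only the subset the thread uses.
TRAVERSE_EXECUTE = "Traverse Folder / Execute File"
LIST_READ = "List Folder / Read Data"
READ_ATTRS = "Read Attributes"
READ_EXT_ATTRS = "Read Extended Attributes"
READ_PERMS = "Read Permissions"
WRITE_DATA = "Create Files / Write Data"
DELETE = "Delete"
READ_RIGHTS = frozenset({TRAVERSE_EXECUTE, LIST_READ, READ_ATTRS,
                         READ_EXT_ATTRS, READ_PERMS})

# "Apply to" scopes shown in the Advanced dialog.
FOLDER_AND_SUBFOLDERS = "This folder and subfolders"
FOLDER_SUBFOLDERS_FILES = "This folder, subfolders and files"

# Share permission levels expressed in the same vocabulary.
SHARE_READ = READ_RIGHTS
SHARE_CHANGE = READ_RIGHTS | {WRITE_DATA, DELETE}


@dataclass(frozen=True)
class Ace:
    trustee: str        # user or group name
    rights: frozenset   # granular rights granted
    apply_to: str       # which object kinds the ACE reaches


# Aggregated Security-tab settings Mark compared: identical granular
# rights, different "Apply to" scope.
def list_folder_contents(trustee):
    return Ace(trustee, READ_RIGHTS, FOLDER_AND_SUBFOLDERS)

def read(trustee):
    return Ace(trustee, READ_RIGHTS, FOLDER_SUBFOLDERS_FILES)

def full_control(trustee):
    return Ace(trustee, READ_RIGHTS | {WRITE_DATA, DELETE},
               FOLDER_SUBFOLDERS_FILES)


def ntfs_rights(ntfs_acl, identities, is_file):
    """Union of allow ACEs naming one of the caller's identities whose
    scope reaches the object type (folder or file)."""
    rights = set()
    for ace in ntfs_acl:
        if ace.trustee not in identities:
            continue
        if is_file and ace.apply_to == FOLDER_AND_SUBFOLDERS:
            continue  # folder-only ACE: a file gets nothing from it
        rights |= ace.rights
    return frozenset(rights)


def share_rights(share_acl, identities):
    """Union of share-level grants for the caller's identities."""
    return frozenset().union(*(granted for trustee, granted in share_acl.items()
                               if trustee in identities))


def effective_rights(ntfs_acl, share_acl, identities, is_file, via_share):
    """Local access is governed by NTFS alone; access through the share
    is the intersection (the "minimum") of Share and NTFS rights."""
    ntfs = ntfs_rights(ntfs_acl, identities, is_file)
    return ntfs & share_rights(share_acl, identities) if via_share else ntfs


def mark_scenarios():
    """Replays the situations from the thread as a dict of booleans."""
    who = {"Everyone"}
    share = {"Everyone": SHARE_READ}          # share: Everyone - Read
    lfc = [list_folder_contents("Everyone")]  # NTFS: List Folder Contents
    rd = [read("Everyone")]                   # NTFS: Read
    fc = [full_control("Everyone")]           # NTFS: Full Control
    return {
        # List Folder Contents: the directory listing works remotely ...
        "lfc_can_list_folder": LIST_READ in effective_rights(lfc, share, who, False, True),
        # ... but opening a file is "access is denied"
        "lfc_can_read_file": LIST_READ in effective_rights(lfc, share, who, True, True),
        # Read: same granular rights, now scoped to files as well
        "read_can_read_file": LIST_READ in effective_rights(rd, share, who, True, True),
        # Full Control via NTFS: writable when logged on locally ...
        "fc_local_can_write": WRITE_DATA in effective_rights(fc, share, who, True, False),
        # ... but the Read share caps it to read-only over the network
        "fc_remote_can_write": WRITE_DATA in effective_rights(fc, share, who, True, True),
    }
```

The model only shows why the two aggregates behave differently and why a Read share caps Full Control NTFS rights over the network. Real DACLs also carry deny entries, which win over allows, and inherited entries from parent folders, so an actual audit has to walk the share ACLs and NTFS DACLs themselves rather than reason from the Security tab.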
