Domain Admins: I need some share and security help

Discussion in 'OT Technology' started by dimins, Dec 16, 2005.

  1. dimins

    dimins I'll bring the beers ... OT Supporter

    Joined:
    Feb 13, 2002
    Messages:
    3,234
    Likes Received:
    0
    Location:
    Long Island, NY
    I have an NT domain set up and a Windows 2003 Server which houses all of our shared project data. I'm having some sharing and security issues. What I want to do is pretty simple. Let's say I have a shared folder called "SFolder" (on the Win2k3 machine) and I want all domain users to be able to view, but not modify, create, delete anything. What I read is to set the "Share" permissions to give "Everyone" full control, then go into the NTFS "Security" and set "Domain Users" to the correct permissions there at the disk level.

    Shouldn't the most restrictive permission take precedence between the "Share" and NTFS "Security" permissions? And yes, it's an NTFS volume that the share folder resides on.
     
  2. chips

    chips ...

    Joined:
    May 2, 2004
    Messages:
    3,755
    Likes Received:
    0
    Location:
    Phoenix, AZ
    remove everyone
    add domain users with the view permission
    then add another group with the right permissions
     
  3. dimins

    dimins I'll bring the beers ... OT Supporter

    Remove "Everyone" at the Share level?
    Then add Domain Users with Read permissions at the Share level?
    Then add whatever group permissions at the disk level?

    These are two separate permissions.
     
  4. dimins

    dimins I'll bring the beers ... OT Supporter

    I just don't understand the precedence of "Share" (network) and "Security" (NTFS disk level) permissions and the MS site isn't helping. I read the article pertaining to XP at http://www.quepublishing.com/articles/printerfriendly.asp?p=30421 and it says

    So that is what I did and it's not working as expected.
     
    Last edited: Dec 16, 2005
  5. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
    Yes, you are right, share permissions should have everyone write access and then secure thru NTFS. Keep in mind that share permissions in W2K3 have default READ only permissions.

    I'm not sure why it's not working, did you propagate to all child files and folders?
     
  6. dimins

    dimins I'll bring the beers ... OT Supporter

    OK, I did the simplest test I could think of and it's not working properly.

    1) I created a shared folder called "ShareTest"
    2) Under the Share Permissions, I have "Everyone" with Full Control. No other entries are in there. I hit Apply.
    3) Under the "Security" tab I hit Advanced, and added "Everyone" and they have the following checked:
    Traverse Folder
    List Folder
    Read Attributes
    Read Extended Attributes
    Read Permissions
    4) Propagate to all folders and hit Apply
    5) Log into another machine as a Domain User (not an admin) and I can write files to that folder. I shouldn't have to specifically Deny write access using the Deny column, right?
     
  7. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Nope - best practices avoid deny like the plague.

    What's listed under the security tab of the sharetest folder - do a screenshot of it.
     
  8. dimins

    dimins I'll bring the beers ... OT Supporter

  9. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    What about the users user group?
     
  10. dimins

    dimins I'll bring the beers ... OT Supporter

    That was it 5Gen_Prelude. Apparently the local "Users" group includes domain users as well.

    Thanks for the help. I appreciate it. :)
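
An added example, not part of any post in this thread: NTFS Allow entries are cumulative across every group a user belongs to, so a read-only entry for "Everyone" does not cancel a write grant held through another group such as the local "Users" group. This PowerShell sketch lists every Allow entry on a folder that carries a write-type right and then shows who is in the local Users group; the path `C:\ShareTest` is a placeholder for wherever the shared folder actually lives.

```powershell
# Added example. $Path is a placeholder; set it to the folder behind the share.
$Path = 'C:\ShareTest'

# Rights that let a principal create, change or delete content, or rewrite the ACL.
$specific = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Inherit-only entries (for example CREATOR OWNER) can carry generic bits instead:
# 0x40000000 = GENERIC_WRITE, 0x10000000 = GENERIC_ALL.
$writeMask = $specific -bor 0x40000000 -bor 0x10000000

$acl = Get-Acl -LiteralPath $Path

# Every Allow entry that overlaps the write mask, whoever it is granted to.
# IsInherited = True means the grant comes from a parent folder or the drive root.
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $writeMask) -ne 0
    } |
    Sort-Object IdentityReference |
    Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags -AutoSize

# Members of the local Users group. A domain group listed here receives
# whatever the BUILTIN\Users entries above grant.
net localgroup Users
```

Any non-administrative principal in the first table is a path to write access regardless of what the "Everyone" entry says; the share permission only caps the result for access over the network.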
     
  11. Penguin Man

    Penguin Man Protect Your Digital Liberties

    Joined:
    Apr 27, 2002
    Messages:
    21,696
    Likes Received:
    0
    Location:
    Edmonton, AB
    Holy crap, I'm glad I don't have to admin any Windows servers :embd:

    I'll take text config files over that any day ;)
     
  12. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    It's not all that hard - Windows 2003 even has an effective policy tab that you can check against any user or group you want to find out what the effective policy for the folder/file is.
     
  13. dimins

    dimins I'll bring the beers ... OT Supporter

    :werd: Since I am new to most of this it's not always easy, but it's easier than config files IMO.
     
  14. tragicher0

    tragicher0 Before I couldn't even spell DBA, now I are one OT Supporter

    Joined:
    Nov 19, 2005
    Messages:
    16,026
    Likes Received:
    7
    Location:
    Anthem, AZ
    .

    And your permissions look fine to me
     
