Bruce Sanderson
Guest
Posts: n/a
Think of the Share permissions as being the lock on the door and the NTFS permissions as being the lock on the filing cabinet.

The key to the filing cabinet is useless if you can't get into the room.

The computer uses the Share permissions to decide whether the user can access the Share from another computer at all and what permissions will be through that Share. The folder and file NTFS permissions are effective for both local and remote access and give fine grained control over what the user can do to the content. Share permissions have no effect on local access (assuming the user is referring to the folder using the DriveLetter:\ as opposed to \\ComputerName\ShareName syntax).

The permissions that a user has when accessing through the Share are the minimum of the Share and NTFS permissions. Thus if a user has Full Control via NTFS, they can do whatever they want when logged on locally. If the Share permission is Read, then they can only read files from another computer. If you like, the Share permission takes precedence over the NTFS permission, but ONLY when the user is accessing via the Share (e.g. from another computer).

In many cases, it is useful to set the Share Permissions to Everyone (or Authenticated Users) Full Control and manage access control entirely using the NTFS permissions only. This simplifies administration and troubleshooting without really compromising file security.

Share permissions were (are?) useful for file systems that do not have built in access control (e.g. FAT or FAT32). For systems like Windows 3.1, 95 etc. Share Permissions were the only way to control who could access files remotely. With NTFS, in most situations, the Share permissions don't add anything to file security (access control) that is not already provided by the NTFS file system, thus the suggestion to set them Full Control for all users and simplify your life.

A general rule in a domain, to simplify administration, is to NOT add user accounts to NTFS (or Share) permissions and not create local groups, but to always use domain groups whose name identifies the resource (share or folder) and the granted permissions. That way you can tell who has access to what by reading the group membership in conjunction with the name of the group, entirely in AD Users and Computers. If you're interested I can post (or send you) a set of rules re. group membership etc. that have been found to be useful in this regard.

--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.

"Mrpush" <> wrote in message
news:3FA2E0D4-AD75-4BF0-A410-...
> Hi,
>
> Did I say I can't stand Sharing and security on Windows?
>
> Ooops, just did.
>
> Anyway, I'm studying hard on how to understand Sharing vs NTFS. Still makes little sense, but I'm getting better.
>
> What I need is a utility that would allow me to AUDIT my entire network and show me all my USERS and GROUPS and what permissions they have, that would be great!
>
> Is there any such utility? (freeware would be nice!)
>
> I'm aware of the "Effective Permissions" in the settings, but that is only good for a single person/group.
>
> I'd like to see a table of users and groups and then all the SHARE / NTFS permissions and what overrides what.
>
> Any ideas?
>
> Thanks much,
>
> Mark
>
> (P.S. - why would NTFS permission to "view" not have precedence over Share for viewing files or folders over the network? I'm still scratching my head! =) )
net_admin
Guest
Posts: n/a
DumpACL.

--
NetAdmin <São Paulo, BR>
Mrpush
Guest
Posts: n/a
Great, thank you, I will check this out!

"Michael Russell" wrote:
> I believe AccessChk might help you out.
>
> http://technet.microsoft.com/en-us/s.../bb664922.aspx
>
> --
> Michael
Mrpush
Guest
Posts: n/a
Bruce,

Bravo! Finally a useful explanation on this! (I have read at least 5 and they did not help me much)

The "locks" explanation was very helpful. Somehow I was thinking that NTFS would give me "network access". Share is the door, NTFS is the file cabinet, this is good!

I also was somehow under the impression that SHARE-EVERYONE-FULL would give EVERYONE full access to files (edit, delete, etc). But now I see that SHARE-EVERYONE-FULL gives NO permissions unless NTFS also has EVERYONE (or the user in question) with some type of permission.

I would really like to see the set of rules you are talking about, that would be great.

Do you use any tools to audit your entire network's share and NTFS permissions?

Thanks very much,

Mark
Mrpush
Guest
Posts: n/a
Thanks very much, I will check this out.

Mark
Bruce Sanderson
Guest
Posts: n/a
I've put the "rules" onto my web site - see http://members.shaw.ca/bsanders/Wind...sGPOsRules.htm.

Comments are welcome!

--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
Bruce Sanderson
Guest
Posts: n/a
About tools for auditing NTFS permissions: I personally have not needed to do this, but I understand that tools such as cacls, xcacls might be useful for this. For xcacls, see http://support.microsoft.com/kb/318754.

For large folder structures, these tools can generate a huge amount of output if used recursively, so be prepared!

--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
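The table asked for at the start of the thread (share-level and NTFS-level entries side by side) can be produced on a current Windows file server with the built-in SmbShare cmdlets. This is an added example, not part of any post in the thread; it assumes Windows 8 / Server 2012 or later, an elevated prompt, and English account names for the `ShareOpen` check, and it reads only the NTFS ACL on each share's root folder.

```powershell
# Added example: one table of share-level and NTFS-level ACEs for every
# non-administrative file share on the local server.
function Get-SharePermissionTable {
    # Skip C$, ADMIN$, IPC$ and anything without a folder path behind it.
    $shares = Get-SmbShare | Where-Object { -not $_.Special -and $_.Path }

    foreach ($share in $shares) {
        # Layer 1: the share ACL. It is consulted only for \\server\share access.
        $shareAces = @(Get-SmbShareAccess -Name $share.Name)

        # True when the share layer is Everyone / Authenticated Users Full Control,
        # i.e. the NTFS ACL alone decides what remote users can do.
        # Assumption: English account names; localized systems use other names.
        $open = [bool]($shareAces | Where-Object {
            [string]$_.AccessControlType -eq 'Allow' -and
            [string]$_.AccessRight -eq 'Full' -and
            $_.AccountName -match '^(Everyone|NT AUTHORITY\\Authenticated Users)$'
        })

        foreach ($ace in $shareAces) {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Layer     = 'Share'
                Identity  = $ace.AccountName
                Type      = [string]$ace.AccessControlType
                Rights    = [string]$ace.AccessRight        # Read, Change or Full
                Inherited = $false
                AppliesTo = 'remote access only'
                ShareOpen = $open
            }
        }

        # Layer 2: the NTFS ACL on the shared folder. It applies to local and
        # remote access alike; remote users get the lower of the two layers.
        foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Layer     = 'NTFS'
                Identity  = $ace.IdentityReference.Value
                Type      = [string]$ace.AccessControlType
                Rights    = [string]$ace.FileSystemRights
                Inherited = $ace.IsInherited
                # ContainerInherit = subfolders, ObjectInherit = files
                AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
                ShareOpen = $open
            }
        }
    }
}

Get-SharePermissionTable |
    Sort-Object Share, Layer, Identity |
    Format-Table Share, Layer, Identity, Type, Rights, Inherited, AppliesTo, ShareOpen -AutoSize
```

Rows with `ShareOpen` set to False mark shares where both layers have to be read together; subfolders that do not inherit from the share root are not covered and need a recursive `Get-Acl` pass.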
Mrpush
Guest
Posts: n/a
Bruce,

I reviewed your site, it's good. Thanks!

Here is part of my frustration with Sharing and security.

I have a folder shared as EVERYONE-READ.

I set SECURITY as EVERYONE-LIST FOLDER CONTENTS.

This allows me to SEE files in the folders over the network. However I get an "Access Denied" when I try to open them. Fine.

Here is the kicker. Go into SECURITY-EVERYONE-LIST FOLDER CONTENTS-ADVANCED and it has checked:

Traverse/Execute file
List Folder/read data
Read Attributes
Read Extended Attributes
Read Permissions

Ok. I cannot READ ANY data or EXECUTE any file. So why would the first 2 in the list be checked???? (they should not be!)

Now, go back into SECURITY-EVERYONE- and check READ instead of List Folder Contents.

Now go to Advanced. IT HAS THE SAME GRANULAR ITEMS CHECKED AS ABOVE but now allows me full access to open and read files!

This is the screwiest thing I have ever seen! WHY???????

Comments?

Thanks,

Mark
Bruce Sanderson
Guest
Posts: n/a
Thank you for the compliment!

In the Permissions lists, the part of an entry to the left of "/" is the permission that pertains to Folder objects; the part to the right is the permission that relates to File objects.

The "List Folder" (aggregated) permission deliberately specifies that the settings apply ONLY for folder objects, NOT for File objects. In the "Advanced Security Settings for ..." dialog box observe the column called "Apply to". For the "List Folder" (aggregated) permissions, "Apply to" says "This folder and subfolders" - there is no mention of Files. Click Edit and observe the same thing in the "Apply onto" box, which you can change if you want to.

When you select the "Read" or "Read and Execute" (aggregated) permission, the "Apply to" changes to "This folder, subfolders and files".

So, the "List Folder" (aggregated) setting on the Security tab of the folder's Properties applies the following permissions to Folders:

Traverse Folder
List Folder
Read Attributes
Read Extended Attributes
Read Permissions

And absolutely NO permissions at all for Files.

Since Users (in your case) have NO PERMISSIONS specified for Files, they can see the list of them, but get "access is denied" if they try to open them.

The List Folder (aggregated) setting is useful if you want users to be able to navigate THROUGH a folder (e.g. in Windows Explorer) to subfolders, but not read anything that is in it, just things to which they have been granted Read permission for Files in sub-folders.

If you change anything in the Advanced, Edit dialog (e.g. the setting in "Apply onto"), you will most likely see a check mark beside "Special" in the Security tab of the ...Properties dialog because you have specified something that is not covered by any of the aggregated settings shown on that dialog.

So, it's not "screwy", it is "by design". You can do some very complicated (and consequently confusing, particularly months later!) things with NTFS permissions, so a little experimenting and study might go a long way. I suggest keeping things as simple as you possibly can commensurate with satisfying (REAL) business needs.

--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
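The "Apply to" difference described in the post above can be reproduced from a prompt. This is an added example, not part of the original thread: it grants Everyone the same rights twice on scratch folders under `%TEMP%`, once inherited by subfolders only (the "This folder and subfolders" scope) and once by subfolders and files, then shows what a new subfolder and a new file actually receive. The function name and folder names are made up for the demonstration, and it assumes the temp folder does not already grant Everyone anything.

```powershell
# Added example: identical rights, different inheritance scope.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')  # Everyone

function Test-InheritedScope {
    param(
        [string]$Scenario,
        [System.Security.AccessControl.InheritanceFlags]$Inherit
    )

    # Constructed scratch folder; removed again at the end.
    $root = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $root | Out-Null

    # Same rights in both scenarios; only the inheritance flags differ.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $everyone,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -LiteralPath $root
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $root -AclObject $acl

    # Children created after the ACE exists pick up whatever is inheritable.
    $sub  = New-Item -ItemType Directory -Path (Join-Path $root 'sub')
    $file = New-Item -ItemType File -Path (Join-Path $root 'file.txt')

    foreach ($item in @($root, $sub.FullName, $file.FullName)) {
        # Ask for SIDs so the match does not depend on the display language.
        $aces = (Get-Acl -LiteralPath $item).GetAccessRules(
                    $true, $true, [System.Security.Principal.SecurityIdentifier]) |
                Where-Object { $_.IdentityReference.Value -eq 'S-1-1-0' }

        [pscustomobject]@{
            Scenario       = $Scenario
            Item           = Split-Path -Leaf $item
            EveryoneRights = if ($aces) { ($aces | ForEach-Object { [string]$_.FileSystemRights }) -join '; ' }
                             else { '(none)' }
        }
    }

    Remove-Item -LiteralPath $root -Recurse -Force
}

$ci = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$oi = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

@(
    Test-InheritedScope -Scenario 'folders only (List Folder Contents scope)' -Inherit $ci
    Test-InheritedScope -Scenario 'folders and files (Read & Execute scope)'  -Inherit ($ci -bor $oi)
) | Format-Table -AutoSize
```

In the first scenario `file.txt` has no entry for Everyone at all, which is why the files are listed but cannot be opened; in the second the file inherits the same rights the folder has.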