Share permissions conflicting with NTFS permissions

Discussion in 'Server Security' started by Greg, May 18, 2006.

  1. Greg

    Greg Guest

    I have a Share with the Domain Users group assigned Read access. In the
    subfolders I have individual user accounts assigned with Various NTFS File
    Permissions= Change, Write, even Full Control. None of these users can do
    anything in the subfolders unless I go back to the Share Folder Permissions,
    and grant Change, or Full Control. What am I overlooking here? This is on
    Windows 2003
    Greg, May 18, 2006
    1. Advertisements

  2. Greg

    Greg Guest

    I also wanted to mention I don't have the "DENY" option checked for anything.
    Greg, May 18, 2006
    1. Advertisements

  3. This is working as expected. When Share permissions and NTFS file
    permissions are different, you only get the most restrictive of the two. In
    your example, people would only be able to Read at most when accessing those
    files through the network. Because NTFS file permissions are so much more
    granular than Share permissions, most people usually assign that share Full
    Control [or the highest level of permissions required across the network] to
    Everyone or better yet to Authenticated Users, and then scale back the
    permissions granularly using NTFS file and folder permissions.
    Karl Levinson, May 18, 2006
  4. Hi,

    What you are seeing is correct result (by design). You have to take maximum
    permissions from NTFS (e.g. write) and maximum permission from share (e.g.
    read). Now _most_ restrictive permission from both (in above case read) will
    be enforced on users accessing this share.
    Miha Pihler [MVP], May 18, 2006
  5. Greg

    Greg Guest

    Wow, thank you for the quick repsonse, I could have sworn that on MS suppport
    page if a user has read on one share and write in a subfolder, Write would be
    the dominant one, but I remember now that it is SHARE and NTFS permissions
    that will do most restrictive, I let the support article confuse me, and
    thank you for reminding me. If I do give domain users Write or Full Control
    on the share permissions, will I have to go to each subfolder in the share
    and imply DENY on NTFS shares I don't want certain users access to? I guess
    the simple question is will I stop Write or Full Access rights granted from
    the SHARE permissons, by sying don't inherit this from upper folder?

    THank you both for your quick responses and expertise
    Greg, May 18, 2006
  6. Hi,

    In most cases permission of Change on the share should be enough. Still it
    is very good idea as you suggest to remove Everyone and e.g. add Domain
    Users group share permissions.
    My advice here would be to create a new group called e.g. "IT Write access
    to data folder". Now throw all users that need access to this folder to this
    new group and add NTFS permissions of Write to this group. Remove all other
    groups or users from NTFS permissions.
    If there are people that need only read access create another group called
    e.g. "IT Read Only access to data folder" and add it to NTFS permissions
    with appropriate permissions (Read Only).
    As mentioned before -- create new groups, remove the ones that are added to
    the folder. You can remove them by removing Inherit attribute on the
    folder... Now only groups that you added will have access to the
    Miha Pihler [MVP], May 18, 2006
  7. Greg

    Greg Guest

    THank you, it is much clearer to me now


    Greg, May 18, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.