Discussion:
Share and NTFS permissions not working as supposed
(too old to reply)
wombatwoo
2007-03-21 14:01:06 UTC
Permalink
Hi

My problem is.... I am trying a new directory structure on a Windows
2003 server, which has a share called Accounts and a directory below,
named Users. I want the accounts group to have read only rights to
the Accounts directory, but full rights to the Users directory.

I am fairly new to Windows permissions, so I have been reading up on
the subject. Everywhere tells me to give the Accounts group full
rights to the Accounts directory share and set the NTFS permissions to
read only. Then give the Accounts group NTFS full rights to the Users
directory, removing inheritance, but copying the rights,

I'm finding that by giving the Accounts group full rights to the
Accounts share, they can create in all of the directories. If I
restrict the share permissions to read only, they cannot create in any
of the directories! I thought that restrictive permissions overruled
any others, so why don't the NTFS permissions on the Accounts
directory (being set as read only) stop the Accounts group from
creating in that directory? It appears to me that the share
permissions are overriding all other permissions.

Can anybody explain this to me? At the moment I have to deny the
Accounts group write rights to the Accounts directory to stop them
creating here.
n***@nospam.postalias
2007-03-21 15:15:08 UTC
Permalink
Lets start over:
Set the share permissions on the “Accounts” share to “authenticated Users”
Change and Read.
This should be the only permission for the share.
Set the NTFS permissions on the “Accounts” directory to “accounts group”
Read & Execute, List, and Read.
Leave the default permissions for system and administrators.


Create the User directory in the Accounts directory. On the Security tab of
the User directory properties you will see that the “User” directory
inherited the Read/list permissions for the to “accounts group”.
With the to “accounts group” selected, check the Modify permission. Click OK
Click OK
Post by wombatwoo
Hi
My problem is.... I am trying a new directory structure on a Windows
2003 server, which has a share called Accounts and a directory below,
named Users. I want the accounts group to have read only rights to
the Accounts directory, but full rights to the Users directory.
I am fairly new to Windows permissions, so I have been reading up on
the subject. Everywhere tells me to give the Accounts group full
rights to the Accounts directory share and set the NTFS permissions to
read only. Then give the Accounts group NTFS full rights to the Users
directory, removing inheritance, but copying the rights,
I'm finding that by giving the Accounts group full rights to the
Accounts share, they can create in all of the directories. If I
restrict the share permissions to read only, they cannot create in any
of the directories! I thought that restrictive permissions overruled
any others, so why don't the NTFS permissions on the Accounts
directory (being set as read only) stop the Accounts group from
creating in that directory? It appears to me that the share
permissions are overriding all other permissions.
Can anybody explain this to me? At the moment I have to deny the
Accounts group write rights to the Accounts directory to stop them
creating here.
wombatwoo
2007-03-22 09:12:55 UTC
Permalink
Set the share permissions on the "Accounts" share to "authenticated Users"
Change and Read.
This should be the only permission for the share.
Set the NTFS permissions on the "Accounts" directory to "accounts group"
Read & Execute, List, and Read.
Leave the default permissions for system and administrators.
Create the User directory in the Accounts directory. On the Security tab of
the User directory properties you will see that the "User" directory
inherited the Read/list permissions for the to "accounts group".
With the to "accounts group" selected, check the Modify permission. Click OK
Click OK
Post by wombatwoo
Hi
My problem is.... I am trying a new directory structure on a Windows
2003 server, which has a share called Accounts and a directory below,
named Users. I want the accounts group to have read only rights to
the Accounts directory, but full rights to the Users directory.
I am fairly new to Windows permissions, so I have been reading up on
the subject. Everywhere tells me to give the Accounts group full
rights to the Accounts directory share and set the NTFS permissions to
read only. Then give the Accounts group NTFS full rights to the Users
directory, removing inheritance, but copying the rights,
I'm finding that by giving the Accounts group full rights to the
Accounts share, they can create in all of the directories. If I
restrict the share permissions to read only, they cannot create in any
of the directories! I thought that restrictive permissions overruled
any others, so why don't the NTFS permissions on the Accounts
directory (being set as read only) stop the Accounts group from
creating in that directory? It appears to me that the share
permissions are overriding all other permissions.
Can anybody explain this to me? At the moment I have to deny the
Accounts group write rights to the Accounts directory to stop them
creating here.- Hide quoted text -
- Show quoted text -
Hi

Thanks for your advice. I've tried what you suggested, but the same
thing happened. Basically, it appears that giving Authenticated users
Change and Read writes overrides any NTFS permissions on that
directory. I also managed to achieve write access to the Accounts
folder with a user who had no NTFS rights to it at all.

I'm beginning to think this is a wider problem, possibly with how our
network is setup??!?
wombatwoo
2007-03-22 11:38:58 UTC
Permalink
Post by wombatwoo
Set thesharepermissionson the "Accounts"shareto "authenticated Users"
Change and Read.
This should be the only permission for theshare.
Set theNTFSpermissionson the "Accounts" directory to "accounts group"
Read & Execute, List, and Read.
Leave the defaultpermissionsfor system and administrators.
Create the User directory in the Accounts directory. On the Security tab of
the User directory properties you will see that the "User" directory
inherited the Read/listpermissionsfor the to "accounts group".
With the to "accounts group" selected, check the Modify permission. Click OK
Click OK
Post by wombatwoo
Hi
My problem is.... I am trying a new directory structure on a Windows
2003 server, which has asharecalled Accounts and a directory below,
named Users. I want the accounts group to have read only rights to
the Accounts directory, but full rights to the Users directory.
I am fairly new to Windowspermissions, so I have been reading up on
the subject. Everywhere tells me to give the Accounts group full
rights to the Accounts directoryshareand set theNTFSpermissionsto
read only. Then give the Accounts groupNTFSfull rights to the Users
directory, removing inheritance, but copying the rights,
I'm finding that by giving the Accounts group full rights to the
Accountsshare, they can create in all of the directories. If I
restrict thesharepermissionsto read only, they cannot create in any
of the directories! I thought that restrictivepermissionsoverruled
any others, so why don't theNTFSpermissionson the Accounts
directory (being set as read only) stop the Accounts group from
creating in that directory? It appears to me that theshare
permissionsare overriding all otherpermissions.
Can anybody explain this to me? At the moment I have to deny the
Accounts group write rights to the Accounts directory to stop them
creating here.- Hide quoted text -
- Show quoted text -
Hi
Thanks for your advice. I've tried what you suggested, but the same
thing happened. Basically, it appears that giving Authenticated users
Change and Read writes overrides anyNTFSpermissionson that
directory. I also managed to achieve write access to the Accounts
folder with a user who had noNTFSrights to it at all.
I'm beginning to think this is a wider problem, possibly with how our
network is setup??!?- Hide quoted text -
- Show quoted text -
I think I have found an answer. I removed the group "Users" from an
unshared directory further up the structure, which had "Special
Access" rights, and now I can do what I require.

I don't think there is a problem with removing this group, but if
anyone out there knows different......... please let me know :)
Debbie Ling
2012-06-20 14:55:38 UTC
Permalink
Hi I read your post and I noticed that you have characters that appear instead of the actual letters. Ex. ???Accounts?

Do you happen to know what causes that? My main Google search was how to prevent that from happening in Microsoft Outlook.

Thx for any help

Debbie
Post by wombatwoo
Hi
My problem is.... I am trying a new directory structure on a Windows
2003 server, which has a share called Accounts and a directory below,
named Users. I want the accounts group to have read only rights to
the Accounts directory, but full rights to the Users directory.
I am fairly new to Windows permissions, so I have been reading up on
the subject. Everywhere tells me to give the Accounts group full
rights to the Accounts directory share and set the NTFS permissions to
read only. Then give the Accounts group NTFS full rights to the Users
directory, removing inheritance, but copying the rights,
I'm finding that by giving the Accounts group full rights to the
Accounts share, they can create in all of the directories. If I
restrict the share permissions to read only, they cannot create in any
of the directories! I thought that restrictive permissions overruled
any others, so why don't the NTFS permissions on the Accounts
directory (being set as read only) stop the Accounts group from
creating in that directory? It appears to me that the share
permissions are overriding all other permissions.
Can anybody explain this to me? At the moment I have to deny the
Accounts group write rights to the Accounts directory to stop them
creating here.
Set the share permissions on the “Accounts” share to “authenticated Users”
Change and Read.
This should be the only permission for the share.
Set the NTFS permissions on the “Accounts” directory to “accounts group”
Read & Execute, List, and Read.
Leave the default permissions for system and administrators.
Create the User directory in the Accounts directory. On the Security tab of
the User directory properties you will see that the “User” directory
inherited the Read/list permissions for the to “accounts group”.
With the to “accounts group” selected, check the Modify permission. Click OK
Click OK
Post by wombatwoo
Hi
Thanks for your advice. I've tried what you suggested, but the same
thing happened. Basically, it appears that giving Authenticated users
Change and Read writes overrides any NTFS permissions on that
directory. I also managed to achieve write access to the Accounts
folder with a user who had no NTFS rights to it at all.
I'm beginning to think this is a wider problem, possibly with how our
network is setup??!?
Post by wombatwoo
I think I have found an answer. I removed the group "Users" from an
unshared directory further up the structure, which had "Special
Access" rights, and now I can do what I require.
I don't think there is a problem with removing this group, but if
anyone out there knows different......... please let me know :)
Char Jackson
2012-06-20 15:04:13 UTC
Permalink
Post by Debbie Ling
Hi I read your post and I noticed that you have characters that appear instead of the actual letters. Ex. ???Accounts?
Do you happen to know what causes that? My main Google search was how to prevent that from happening in Microsoft Outlook.
Thx for any help
Debbie
I'm sure "wombatwoo" is diligently monitoring this five year old
thread and will be along shortly to help you.
Loading...