
PLEASE help me with this...
Ormewood

2002-08-25, 8:37 pm

I know this is a basic question, but I'm working on my first certification, and basic is where I am at the moment.

OK...here is a quote from Jerald Divley's "PassIT" (for 70-215):

"NTFS permissions cannot be applied to shares."

And later in the same text:

"Know that NTFS permissions are used for local file-level security and cannot be applied to a share."

Meanwhile, here's this quote from p. 195 of Microsoft's 70-215 certification textbook:

"When users gain access to a shared folder on an NTFS partition, you should use either share rights or NTFS permissions but not both."

In fact, it goes on to say:

"NTFS permissions are preferred since permissions can be set on both files and folders."

So what is the deal here? Is the cram book by Jerald Divley just wrong, or am I misunderstanding something basic? Can you apply NTFS permissions to a share, or not?
twister166

2002-08-25, 9:11 pm

Let's do it in reverse, if you want to access a file in an NT/2000 server. Assume that you have all the networks and user accounts setup.

You will need to access the server via the "share" which is a resource on the server created for access. It can be a folder, printer, CD or whatever the server has control of and can share. We will focus on the Folder at this moment.

So, if you want to share that "FOLDER", under FAT16/32, you can only assign the permission to the share. If you are under NTFS, you can then assign the permissions to the sub-folder and/or files.

The permission to access an NTFS permission with Share permission is most restrictive.

Example, assume remote access not local access (means you are getting the resource from network, not in front of the server): if you have a share that is read only, even if the NTFS permission is everyone/full control, you will only have read.

Oppositely speaking, if your Share is everyone-full control and NTFS is read, you will have read.

Hope this clears it up.
Tech Ranger

2002-08-25, 11:07 pm

NTFS is a file system. This file system allows you to do security at the volume, folder, and file level. If a volume is formatted with NTFS, you can apply NTFS permissions. These permissions apply irrespective of whether you share out the resource. The share permissions are another layer of security. The share permissions apply irrespective of the underlying file system. The most common approach to administering permissions is to leave the share permissions at the default everyone/full control and apply security to NTFS volumes or folders. These permissions typically are assigned to groups. Users inherit the permissions as a consequence of group membership. In the event that both share and NTFS permissions are applied to a resource, the more restrictive permissions take effect.
lardie

2002-08-26, 6:18 am

Have to admit this is one area that confuses me as well.

So when applying permissions to NTFS and Shares the most restrictive applies !

And when dealing with a user in multiple Groups with different NTFS permissions the least restrictive applies, assuming that no share level permissions are set.

And if a user in multiple groups with different NTFS permissions accesses a Share with permissions set the effective permission would be the most restrictive of

Least restrictive NTFS permission vs Share permission ?

Have I described that clearly, and more importantly is it right ?

Man my head hurts now
Tech Ranger

2002-08-26, 7:04 am

If you have read NTFS permissions to a folder, you cannot modify that folder. So I create a folder and give you read permissions. Next week I decide to share out the folder and I leave the default everyone/full control share permission in place. You access the folder remotely. The system opens the door wide open for you to access the folder. You open it. No problem. Now you try to create a file. The share permissions say go ahead, no problem here. Next, since the folder is on an NTFS volume, the access control list and access control entries are checked. It is determined that you only have the read permission. But, your honor, my client has the full control share permission. Motion denied, counselor. I couldn't give a damn about his share permissions. I am presiding over an NTFS volume. Whether this volume or its folders are shared or not is of no concern to me. Take a walk.
Now, with respect to permissions inherited by group memberships and permissions granted directly. Permissions are cumulative. If you get Read from 1 group and Write from another, you have read and write. The exception to this is the Deny factor. If a permission is Denied, it overrules all other permission settings.
Here it is in a nutshell:
Add up all your NTFS permissions, subtract any Denies.
This is your effective NTFS permission.
Add up all your share permissions. Subtract any denies. This is your effective share permission.
The more restrictive of the 2 is your overall effective permission to a resource if you are accessing that resource over the network.
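
The rule described in the replies above (add up the Allows from every group, subtract the Denies, then take what both the share layer and the NTFS layer grant), as an added example that is not part of any post in the thread. The rights, the group names and the user are constructed for illustration; the flag values are a simplified model, not the real Windows access-mask bits, and Deny is applied as the thread states it (it overrules every Allow).

```python
from enum import IntFlag

class Right(IntFlag):
    # Simplified rights for illustration; not the real Windows access-mask bits.
    NONE = 0
    READ = 1
    WRITE = 2
    DELETE = 4
    CHANGE_PERMS = 8

# Permission levels built from the simplified rights above.
READ = Right.READ
CHANGE = Right.READ | Right.WRITE | Right.DELETE
FULL = CHANGE | Right.CHANGE_PERMS

def effective(acl, principals):
    """Add up every Allow that matches the user or one of their groups,
    then subtract every matching Deny (Deny overrules Allow)."""
    allowed = denied = 0
    for principal, kind, rights in acl:
        if principal not in principals:
            continue
        if kind == "allow":
            allowed |= int(rights)
        elif kind == "deny":
            denied |= int(rights)
        else:
            raise ValueError(f"unknown ACE type: {kind!r}")
    return Right(allowed & ~denied)

def access(principals, ntfs_acl, share_acl=None):
    """share_acl=None models local access, where only NTFS is checked.
    Over the network the result is whatever BOTH layers grant."""
    ntfs = effective(ntfs_acl, principals)
    if share_acl is None:
        return ntfs
    return ntfs & effective(share_acl, principals)

if __name__ == "__main__":
    # Constructed user: member of two hypothetical groups plus Everyone.
    user = {"alice", "Everyone", "Sales", "Editors"}
    ntfs = [("Sales", "allow", READ), ("Editors", "allow", Right.WRITE)]
    share_read = [("Everyone", "allow", READ)]
    share_full = [("Everyone", "allow", FULL)]
    print("local, NTFS only      :", access(user, ntfs))
    print("network, share = Read :", access(user, ntfs, share_read))
    print("network, share = Full :", access(user, ntfs, share_full))
    denied = ntfs + [("Sales", "deny", Right.WRITE)]
    print("network, Deny Write   :", access(user, denied, share_full))
```
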
lardie

2002-08-26, 7:20 am

Cheers Tech Ranger cleared that up nicely yer onor
Ormewood

2002-08-26, 7:23 am

OK...

Suppose you have a shared folder on an NTFS volume.

I understand that if you had subfolders and files in this folder, and if NTFS permissions were assigned to these subfolders and files, that the most restrictive of the share permissions and NTFS permissions would apply to the subfolders and files.

My question is this: Can you apply NTFS permissions to the shared folder itself , rather than to the subfolders and files? I understand that this probably isn't a desirable thing to do; I'm just trying to make sense of Jerald Divley's statement that "NTFS permissions cannot be applied to shares".
Tech Ranger

2002-08-26, 6:24 pm

When you set NTFS permissions for a folder, by default the perms are inherited by all files and subfolders. You can override this setup by unchecking the box at the subfolder or file which says "Allow inheritable permissions from parent to propagate to this object".