File Permission

  • Thread starter Thread starter diane walker
  • Start date Start date
D

diane walker

We are running Windows 2000 (Member Server). I just share a folder. Then,
click on OK. Then, I right-click the folder, select Properties. Under
Sharing tab, Permissions button, I see EVERYONE group has Full Control. Is
this the correct way to share a folder? Is it necessary to have EVERYONE
group?

I usually setup permissions under Security tab. What is the correct way to
setup permissions on share folders?

Thanks.
 
Try this URL

http://www.microsoft.com/technet/tr...rodtechnol/windows2000serv/deploy/c13w2kad.as

----- diane walker wrote: ----

We are running Windows 2000 (Member Server). I just share a folder. Then
click on OK. Then, I right-click the folder, select Properties. Unde
Sharing tab, Permissions button, I see EVERYONE group has Full Control. I
this the correct way to share a folder? Is it necessary to have EVERYON
group

I usually setup permissions under Security tab. What is the correct way t
setup permissions on share folders

Thanks
 
diane walker said:
We are running Windows 2000 (Member Server). I just share a folder. Then,
click on OK. Then, I right-click the folder, select Properties. Under
Sharing tab, Permissions button, I see EVERYONE group has Full Control. Is
this the correct way to share a folder? Is it necessary to have EVERYONE
group?

I usually setup permissions under Security tab. What is the correct way to
setup permissions on share folders?

Thanks.
Click to expand...


If you are sharing a folder off an NTFS file system, there really is no need
to modify the share permissions, which only apply OVER a network.
Concentrate on the NTFS permissions which apply both locally and over the
network. Besides, ntfs permissions allow for a much more precise control and
granularity.

You need to keep in mind that the end result permission is the most
restrictive of the 2 types of security. Evryone can access the share but the
internal NTFS limits the access to a specific file or specific folder if
any.

Nowhere is it recommended to follow this "only rely on NTFS security".
Should you decide that some group alone should be the only entity to view a
share in network neighbourhood, by all means, change the share security.
 
Thank you very much for your quick response. I would like to clarify my
understanding.

So, you would leave the default share permission as EVERYONE with Full
Control. Then, you would setup individual group permissions under Security
tab. For example, you would leave the default EVERYONE share permission and
setup Accounting group with Read access and Sales group with Change access
under Security tab.

Thanks.
 
Diane Walker said:
Thank you very much for your quick response. I would like to clarify my
understanding.

So, you would leave the default share permission as EVERYONE with Full
Control. Then, you would setup individual group permissions under Security
tab. For example, you would leave the default EVERYONE share permission and
setup Accounting group with Read access and Sales group with Change access
under Security tab.
Click to expand...

That's correct. Note the "advanced" NTFS permissions in the security tab as
well. You can configure a group's NTFS permissions to the folder itself and
also define the subobject's security (folders and files within share)
differently [note the "Apply to" listbox in advanced permissions].
Inheritence applies as well should any new objects be created.

I don't want to create overload here but you can also organize your Sales
group by creating an OU (Organizational Unit) in AD Users and computers.
Call the OU "Sales", move the Sales group into the Sales OU. Since an OU can
also hold Shares and printers as well as users, groups and computers, you
can delegate administrative rights to an OU object within Sales to a
designated individual (delegation Wizard). Whats nice is that if "Sally"
joins the Sales group, she then inherits a lot more than the security
permissions associated with her group (OUs can link with GPOs).

Lastly, its relevent to understand how groups are engineered to be used in
an NT environment. This is an issue that pops up a lot with administrators
that haven't had NT4 experience.
Users should go into Global groups. Global groups should not be given
permissions to resources. Global groups go into Local groups. Local groups
can be given permissions to resources. The Acronym is UGLP. This is not a
hard rule, its perfectly understandable to place an admin, for example, into
a local admin group.

Instead of giving a Global group called Sales permissions to a resource. Cre
ate a Local group called "ShareLocalGroup" or whatever at the file server.
Give the Sales group membership in the ShareLocalGroup. Give permissions to
ShareLocalGroup only (Sales inherits).
 
Thank you very much. You clarified my understanding.

SaltPeter said:
Diane Walker said:
Thank you very much for your quick response. I would like to clarify my
understanding.

So, you would leave the default share permission as EVERYONE with Full
Control. Then, you would setup individual group permissions under Security
tab. For example, you would leave the default EVERYONE share permission and
setup Accounting group with Read access and Sales group with Change access
under Security tab.
Click to expand...

That's correct. Note the "advanced" NTFS permissions in the security tab as
well. You can configure a group's NTFS permissions to the folder itself and
also define the subobject's security (folders and files within share)
differently [note the "Apply to" listbox in advanced permissions].
Inheritence applies as well should any new objects be created.

I don't want to create overload here but you can also organize your Sales
group by creating an OU (Organizational Unit) in AD Users and computers.
Call the OU "Sales", move the Sales group into the Sales OU. Since an OU can
also hold Shares and printers as well as users, groups and computers, you
can delegate administrative rights to an OU object within Sales to a
designated individual (delegation Wizard). Whats nice is that if "Sally"
joins the Sales group, she then inherits a lot more than the security
permissions associated with her group (OUs can link with GPOs).

Lastly, its relevent to understand how groups are engineered to be used in
an NT environment. This is an issue that pops up a lot with administrators
that haven't had NT4 experience.
Users should go into Global groups. Global groups should not be given
permissions to resources. Global groups go into Local groups. Local groups
can be given permissions to resources. The Acronym is UGLP. This is not a
hard rule, its perfectly understandable to place an admin, for example, into
a local admin group.

Instead of giving a Global group called Sales permissions to a resource. Cre
ate a Local group called "ShareLocalGroup" or whatever at the file server.
Give the Sales group membership in the ShareLocalGroup. Give permissions to
ShareLocalGroup only (Sales inherits).
Thanks.

correct
way no
need control
and but
the view
Click to expand...
Click to expand...
 
Back
Top