Rights

[Guest]

I have shared folders and I want to assign permissions to it. Is it better
to assign the group everyone or Domain Users to a share? What is a better
practice? I want to enable a group assigned right to a share to be able to
create documents, make changes to a document, and read a document. Do they
need the modify right?

 

[Steven L Umbach]

First see the link below on special permissions. It refers to XP but applies
to Windows 2000 also. It explains exactly what each "generic" permission can
do that you see on the main security page.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;308419

It sounds like they need at least read/list/write permissions and maybe
modify that also allows the users to delete. It depends on exactly what kind
of changes they need to do and how the application handles these changes.
Office documents for instance require modify permissions because office
creates a temporary document that the user edits and it is written as the
new document and the old one is deleted if the user saves the document.
Start giving the group less permissions and if they can not do the task then
also give them modify permission.

Always assign permissions with the principle of least privilege in mind.
Everyone means well everyone including guest if that account is enabled on
the computer. Domain users would be better than everyone [assuming anonymous
access is not desired] and if you want only certain domain users to have
access create a domain global group, add the users you want to have access
in that group, and then give that group permissions to the share or add it
to a local group that has access to the share. During your testing if you
change a user's group membership be sure to logoff the user and then logon
again to get a new security token for the user reflecting their new group
membership which can be shown with the support tool whoami if you have any
question.

Just a minor point for the future. Rights are a task that a user can do on
the operating system such as logon locally and change system time and are
found in Local Security Policy/local policies/user rights. When referring to
folder/file access levels you are talking about "permissions" . A user/group
would also need the user right for "access this computer from the network"
in order to access a share and is helpful in securing network
esources. --- Steve

 

[Roger Abell [MVP]]

At the share-level permissions that custom group should have Change
if it is to exercise NTFS grants to create/make changes to/read docs
via a remote network share access.

 

[Jason Tan]

Hello,

Thanks for posting!

I would like to provide you with some more information for your reference:

301198 How To Share Files and Folders Over a Network (Domain) in Windows
2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;301198

324267 How To Share Files and Folders over the Network in a Windows Server
2003 Domain Environment
http://support.microsoft.com/default.aspx?scid=kb;EN-US;324267

Have a nice day!

Best regards,

Jason Tan
Microsoft Online Partner Support

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

============================================================================
========================

Business-Critical Phone Support (BCPS) provides you with technical phone
support at no charge during critical LAN outages or "business down"
situations. This benefit is available 24 hours a day, 7 days a week to all
Microsoft technology partners in the United States and Canada.

This and other support options are available here:

BCPS:
https://partner.microsoft.com/US/technicalsupport/supportoverview/40010469

Others: https://partner.microsoft.com/US/technicalsupport/supportoverview/

If you are outside the United States, please visit our International
Support page:
http://support.microsoft.com/common/international.aspx
============================================================================
==========================

This posting is provided "AS IS" with no warranties, and confers no rights.




--------------------
| Thread-Topic: Rights
| thread-index: AcYceqyKg9eSnyo6SguZxCzl619FWQ==
| X-WBNR-Posting-Host: 209.244.152.162
| From: "=?Utf-8?B?R2VvcmdlIFNjaG5laWRlcg==?="
<[email protected]>
| Subject: Rights
| Date: Wed, 18 Jan 2006 14:01:03 -0800
| Lines: 5
| Message-ID: <[email protected]>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups: microsoft.public.win2000.security
| NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
| Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.win2000.security:40316
| X-Tomcat-NG: microsoft.public.win2000.security
|
| I have shared folders and I want to assign permissions to it. Is it
better
| to assign the group everyone or Domain Users to a share? What is a
better
| practice? I want to enable a group assigned right to a share to be able
to
| create documents, make changes to a document, and read a document. Do
they
| need the modify right?
|