Posted by Karl Levinson on July 10, 2006, 3:59 pm
Agreed. When going through a network share, the share-level permissions and
the file / folder-level permissions are compared, and you get the most
restrictive of the two. So if you have full-control permissions on the file,
but read-only permissions on the share, you only get read-only permissions
when accessing that file through that share. This is working as expected.
For this reason, typically people will grant full control permissions on all
shares to the Everyone group [or better, the Authenticated Users group], and
then use folder and file level permissions to more granularly control what
users can and can't do. Share-level permissions affect every subdirectory;
there is no granularity.
kind regards,
Karl Levinson, CISSP, MCSE, CCSA, MS MVP
-------------------------
Microsoft Security FAQ:
http://www.securityadmin.info
"Roger Abell [MVP]" wrote:
> Explain to him that there are two levels of permissions, filesystem and
> share, and that the share permissions set an upper limit on what filesystem
> permissions can be used over that connection to the share and its shared
> content. As the share permissions differ, even though the underlying
> filesystem is the same and hence not differing in permissions, it is only
> possible to use those permissions to the limit imposed by the connection
> (i.e. share) in use.
>
> --
> Roger Abell
> Microsoft MVP (Windows Server : Security)
>
> > I need help here. I have a SBS2003 network with a member server running
> > Windows 2003 Server. I have set up volumes on the machine, i.e. H, T, V
> > drive etc... Now, what I have done is I have shared out these volumes,
> > e.g. T drive with the Share to have Everyone=Read. The Security tab also
> > has the same, Everyone=Read.
> >
> > Now, a user has set up a folder in T drive (called EEE) and shared this as
> > well. This time, the share permissions are for that user only=Full
> > Control, and in the security tab that user is set to=Full Control.
> >
> > Via Network Neighbourhood>Windows Network>etc... the user can paste into
> > the subfolder in T drive (shared as EEE) with no problem, but when he goes
> > through machinename\T\EEE he is unable to.
> >
> > He does not understand the fact that right-clicking the EEE folder has the
> > same permissions (i.e. Full Control is greyed out) but going in via the
> > correct share he will have different rights.
> >
> > He believes that no matter what, that user has the same permissions via
> > any share he goes through on T drive - i.e. T or EEE.
> >
> > Furthermore, I need to understand the logic myself before I speak to him,
> > so please can someone make me understand this.
> >
> > Thanks,
> >
> > S
>
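The rule discussed in this thread, as an added example that is not part of any poster's message: a simplified Python model of how the share ACL and the NTFS ACL combine for the two paths in the question. The mask values are the standard Win32 file access masks; the user name "alice", the token contents and the inherited Everyone ACE on EEE are assumptions made for the example.

```python
# Simplified model of the Windows access check for SMB access (added example).
# Mask values are the standard Win32 file access masks; the ACLs are constructed.
FILE_ADD_FILE = 0x0002    # create a file in a directory (what a paste needs)
READ          = 0x1200A9  # "Read" (read and execute)
CHANGE        = 0x1301BF  # "Change" / Modify
FULL_CONTROL  = 0x1F01FF

def granted(acl, token):
    """Walk ACEs in order: a deny blocks bits not yet granted,
    an allow grants bits not yet denied (first match per bit wins)."""
    allowed = denied = 0
    for kind, trustee, mask in acl:
        if trustee not in token:
            continue
        if kind == "deny":
            denied |= mask & ~allowed
        else:
            allowed |= mask & ~denied
    return allowed

def effective(share_acl, ntfs_acl, token):
    """Over SMB a right is usable only if both ACLs grant it."""
    return granted(share_acl, token) & granted(ntfs_acl, token)

def label(mask):
    for name, bits in (("Full Control", FULL_CONTROL), ("Change", CHANGE), ("Read", READ)):
        if mask & bits == bits:
            return name
    return "No access"

# Constructed data for the thread's setup; "alice" stands in for the unnamed user.
TOKEN = {"alice", "Everyone", "Authenticated Users"}
SHARE_T   = [("allow", "Everyone", READ)]          # share on the T volume
SHARE_EEE = [("allow", "alice", FULL_CONTROL)]     # share on T:\EEE
NTFS_EEE  = [("allow", "alice", FULL_CONTROL),     # Security tab of T:\EEE
             ("allow", "Everyone", READ)]          # assumed inherited from the volume root

def report():
    rows = {}
    for unc, share_acl in ((r"\\machinename\T\EEE", SHARE_T),
                           (r"\\machinename\EEE", SHARE_EEE)):
        mask = effective(share_acl, NTFS_EEE, TOKEN)
        rows[unc] = (label(mask), bool(mask & FILE_ADD_FILE))
    return rows

if __name__ == "__main__":
    for unc, (rights, can_paste) in report().items():
        print(f"{unc:24} {rights:13} paste allowed: {can_paste}")
```

The same NTFS ACL yields different usable rights because only the share ACL changes between the two paths.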