Just a quick one, guys. I don't know why I always get confused with this, but I do.

If I am to create a share on a server, let's say server01:

\\server01\companydata

I want to have 4 security groups, group1/2/3/4, with full access to be able to write to that share.

What permissions should I set at the share level, and what permissions should I have set at the NTFS level?

Currently I have Everyone read/write at the share level, and at NTFS I have the individual teams listed specifically with read/write.

Sorry if this sounds dumb to a lot of you, but I always get it mixed up.

5 Spice ups

You have it set up correctly

Well, that is a first for me!

I thought the fact that I had Everyone as read/write at the share level would allow all users to write to that location even if they weren't part of the 4 groups I mentioned.

1 Spice up

Looks good here as well, although personally I use “Authenticated Users” rather than Everyone on the share. This is simply because we have guest users who have some company network access but aren’t authenticated. It’s just that extra layer of protection.

5 Spice ups
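The layout the thread recommends, written out as an added PowerShell example (this is not code from the original post). It assumes the share lives at D:\Shares\companydata on the file server and that the four groups are CONTOSO\group1 to CONTOSO\group4; the path, domain and group names are placeholders to substitute. The share grants Authenticated Users Full Control, as the reply above suggests, and the NTFS ACL is where the real restriction lives.

```powershell
# Added example: create \\server01\companydata with a wide-open share ACL and a tight NTFS ACL.
# Assumptions (not from the thread): folder path, domain name and group names below.
$Path   = 'D:\Shares\companydata'
$Share  = 'companydata'
$Groups = 'CONTOSO\group1', 'CONTOSO\group2', 'CONTOSO\group3', 'CONTOSO\group4'

if (-not (Test-Path -Path $Path)) {
    New-Item -Path $Path -ItemType Directory | Out-Null
}

# --- NTFS layer: the effective gate -------------------------------------------------
$acl = Get-Acl -Path $Path
# Stop inheriting from D:\Shares so only the entries set here apply to the folder tree.
$acl.SetAccessRuleProtection($true, $false)
# Remove any leftover explicit entries so the resulting ACL is exactly what is listed below.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($rule) | Out-Null
}
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None

# Keep SYSTEM and the local Administrators group at Full Control for backup/management.
foreach ($admin in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $admin, 'FullControl', $inherit, $none, 'Allow'))
}
# The four team groups get Modify: create, write, delete, but not change permissions
# or take ownership, which Full Control would also hand them.
foreach ($group in $Groups) {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $group, 'Modify', $inherit, $none, 'Allow'))
}
Set-Acl -Path $Path -AclObject $acl

# --- Share layer: deliberately permissive so NTFS is always the most restrictive -----
if (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue) {
    Remove-SmbShare -Name $Share -Force
}
New-SmbShare -Name $Share -Path $Path -FullAccess 'NT AUTHORITY\Authenticated Users' | Out-Null

# --- Verify both layers ----------------------------------------------------------------
Get-SmbShareAccess -Name $Share |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Two things worth checking after running it: a user in none of the four groups should be able to browse to the share root and get “access denied”, which confirms the NTFS ACL is doing the work; and a group member should be able to create and delete files but not open the Security tab and edit permissions, which is the difference between Modify and Full Control at the NTFS level.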

Nope, NTFS permissions are the final check. If they don’t have access there, they don’t have access.

2 Spice ups

It’s the way I would do it.

The way permissions work: they are cumulative to give the least restrictive, then the most restrictive of Share or NTFS wins.

So if “Tom”, who is in the “Sales”, “Finance” and “Staff” groups, has:

Share Permissions -

  • Sales - Read
  • Staff - Modify
  • Finance - Read

NTFS Permissions -

  • Sales - Modify
  • Staff - Modify
  • Finance - Read

His effective NTFS permissions are “Modify”, as it’s the least restrictive, and his cumulative share permissions are “Modify”, as it’s the least restrictive.

Windows then compares the two and applies the most restrictive.

So if we tweak that a little and you have:

Share Permissions -

  • Sales - Read
  • Staff - Read
  • Finance - Read

NTFS Permissions -

  • Sales - Modify
  • Staff - Modify
  • Finance - Read

Your cumulative NTFS permissions are Modify, but your cumulative share permissions are Read, so the most restrictive permissions would be the share permissions.

The reason the best practice is to assign Everyone Full Control is because that way the NTFS permissions will always be the most restrictive (and therefore effective) permissions.

5 Spice ups
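The rule described in the post above, modelled as an added PowerShell example (not code from the thread): within one layer the least restrictive matching entry wins, across the two layers the most restrictive layer wins, and an explicit Deny in a layer wins outright. The share-level names follow the Windows UI (Read, Change, Full Control; what the post calls “Modify” at the share level is Change), and the group and user names are the ones from the post. The model deliberately collapses NTFS rights to three levels; real NTFS ACLs are bitmasks, and the explicit-versus-inherited ordering of Deny entries is not modelled here.

```powershell
# Added example: compute Tom's effective access from share and NTFS entries.
# Levels are ranked so "least restrictive" and "most restrictive" can be compared.
# Share UI names: Read / Change / Full. NTFS levels used here: Read / Modify / Full.
$Rank = @{ None = 0; Read = 1; Change = 2; Modify = 2; Full = 3 }

function Get-LayerAccess {
    # $Aces maps a group name to 'Read', 'Change', 'Modify', 'Full' or 'Deny'.
    param([string[]]$Memberships, [hashtable]$Aces)
    $best = 'None'
    foreach ($group in $Memberships) {
        if (-not $Aces.ContainsKey($group)) { continue }
        $level = $Aces[$group]
        if ($level -eq 'Deny') { return 'None' }              # Deny on any group wins outright
        if ($Rank[$level] -gt $Rank[$best]) { $best = $level } # otherwise cumulative: keep the widest
    }
    return $best
}

function Get-EffectiveAccess {
    param([string[]]$Memberships, [hashtable]$ShareAces, [hashtable]$NtfsAces)
    $share = Get-LayerAccess -Memberships $Memberships -Aces $ShareAces
    $ntfs  = Get-LayerAccess -Memberships $Memberships -Aces $NtfsAces
    # The two layers are compared as totals, and the more restrictive one is what the user gets.
    $effective = if ($Rank[$share] -lt $Rank[$ntfs]) { $share } else { $ntfs }
    [pscustomobject]@{ Share = $share; NTFS = $ntfs; Effective = $effective }
}

$tom  = 'Sales', 'Finance', 'Staff'
$ntfs = @{ Sales = 'Modify'; Staff = 'Modify'; Finance = 'Read' }

# First scenario in the post: Staff has Change on the share, so Tom ends up with Modify.
Get-EffectiveAccess -Memberships $tom -ShareAces @{ Sales = 'Read'; Staff = 'Change'; Finance = 'Read' } -NtfsAces $ntfs

# Second scenario: every share entry is Read, so the share layer caps Tom at Read.
Get-EffectiveAccess -Memberships $tom -ShareAces @{ Sales = 'Read'; Staff = 'Read'; Finance = 'Read' } -NtfsAces $ntfs

# Recommended layout: Everyone Full Control on the share, so NTFS alone decides (Modify).
Get-EffectiveAccess -Memberships ($tom + 'Everyone') -ShareAces @{ Everyone = 'Full' } -NtfsAces $ntfs

# A Deny on Finance at NTFS removes Tom's access even though Sales and Staff allow Modify.
Get-EffectiveAccess -Memberships $tom -ShareAces @{ Everyone = 'Full' } -NtfsAces @{ Sales = 'Modify'; Staff = 'Modify'; Finance = 'Deny' }
```

The last call is the practical reason Deny entries are used sparingly: one Deny on a broad group silently cancels Allow entries on every other group the user belongs to, which is exactly the kind of result that is hard to reason about from the Security tab alone.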

And it’s a lot easier to keep all of that in one place instead of having to check Share and NTFS every time you want to do something.

hutchinsp, I thought I understood your explanation, but the more I read it, the cloudier it became. Can you break that down again, using a different example…

Thanks.

Phillip

Yes, but such as?

It boils down to this - whatever setting is the strictest is the one that wins. If you have 15 different settings coming in from all over the place, the one that limits the most (like DENIED) will win.

2 Spice ups

I don’t agree. If we are talking about just NTFS for a moment, it is cumulative. If you are a member of a read-only group and a member of a Full Control group, you are getting Full Control. That is the least strict. We see it every day with domain admins.

Now, combining Sharing and NTFS, the most strict will take over. If my group is read-only on the share and Full Control on NTFS, then I am read-only.

In the example above, here is what I am seeing:

Share Permissions -

  • Sales - Read
  • Staff - Modify
  • Finance - Read

NTFS Permissions -

  • Sales - Modify
  • Staff - Modify
  • Finance - Read

He is Modify on that folder with the combined permissions below.

Folder Permissions -

  • Sales - Read
  • Staff - Modify
  • Finance - Read

Those combine together to give you Modify on the whole folder.

Holy cow, that became a wall of unorganized text, my bad.

That’s what I thought we were talking about here. When I said “coming in from all over”, I had meant inherited stuff. I wasn’t clear about what I meant.

Deny, however, wins all the time, if I remember correctly.

Yes, Deny trumps all. I wasn’t sure where your “all over” was actually coming from, because depending on the level, the least strict wins. Precedence also gets into inherited vs. explicit, but that gets more confusing to type out.

Not quite, it doesn’t compare group by group; it just looks at the “total”, so to speak.

So if your least restrictive Share permission is “Read” and your least restrictive NTFS permission is “Modify” then your overall access is still “Read” because that is the most restrictive when Share and NTFS permissions are compared.

And yes, Deny always wins.

I just don’t agree with huchings that you have Read Only on that folder.

It should be. If the Share permission is Read Only, that’s it. The share itself won’t allow anything beyond Read Only to happen.

Share Permissions -

  • Sales - Read
  • Staff - Modify
  • Finance - Read

That means your Share Permission on the folder is Modify.

Try it, but you will.

It’s how you can have a share (we have one full of stuff such as corporate templates) which IT have write access to, but because it’s shared out with read-only access, they cannot accidentally modify the contents.

Unless I am going crazy, I haven’t restricted by share permissions in forever and haven’t mixed groups, but it should be the same as NTFS, as in it’s cumulative.