Directory Permissions - What gives?

[Dragos CAMARA]

what i see you agree with me :
you cut or leave everyone with read only and "add proper group"
authenticated users

--
Dragos CAMARA
MCSA Windows 2003 server


"jj johnson" wrote:

> Dragos,
> I do agree with SBS Rocker and Paul in Detroit with one exception and I add
> "Authenticated Users=FULL" and remove the Everyone group. IMHO that is all
> that is required at the Share level. You control security at the NTFS folder
> level. As far as best practices are concerned in the "old days" as many of
> you are referrring to it was by "default" that at the Share level
> Everyone=FULL. Now in W2k3 it is default Everyone=Read. Here is another good
> article regarding the reasoning for the change and "best practices" with
> share and ntfs permssions. And Dragos you don't even want to get into why
> you do not control security at the Share level. Share permissions are
> basically used to allow acces to the shared resource and not used to control
> security. You use NTFS Folder and File permissions for that.
>
> "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message
> news:CE8670EA-0F71-47A5-BE85-5132B7F7875C@microsoft.com...
> > hi,
> > i dont agree with the best practices to give everyone full permisions on
> > the
> > share. Best practices is to check and add the groups proper there.
> >
> > --
> > Dragos CAMARA
> > MCSA Windows 2003 server
> >
> >
> > "SBS Rocker" wrote:
> >
> >> I think I may know what your problems are. You say..........
> >>
> >> "I gave the user Full Control NTFS AND Folder Share permissions."
> >> does the group Everyone=READ on the Share permissions still there ? If so
> >> you need to remove the user=FULL and change Everyone=FULL on the share
> >> permissions. No need to add a user to the share permissions and give him
> >> FULL access. By industry best practices when creating a Share the default
> >> would be Everyone=FULL.
> >>
> >>
> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message
> >> news:9D378ED8-BCBA-40FD-A231-29B22CB11366@microsoft.com...
> >> >I gave the user Full Control NTFS AND Folder Share permissions.
> >> >
> >> > Even if I'm logged on as Administrator, I still can't push anything
> >> > down,
> >> > but I can pull files across without any issues.
> >> >
> >> > I'm stumped.
> >> >
> >> > "SBS Rocker" wrote:
> >> >
> >> >> What are the share permissions? When you say you gave the user FULL
> >> >> control
> >> >> do you mean FULL NTFS permissions?
> >> >>
> >> >> "Andrew" <Andrew@discussions.microsoft.com> wrote in message
> >> >> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com...
> >> >> >I shared a directory with one of our Windows 2003 servers and gave a
> >> >> >user
> >> >> > Full Control accesss to that directory. However, from his computer
> >> >> > where
> >> >> > he
> >> >> > is logged on, he can't copy and paste anything to that directory.
> >> >> > If
> >> >> > he
> >> >> > remote desktop's into the server and logs on as himself, he can
> >> >> > browse
> >> >> > to
> >> >> > another network share and pull the file over without any problems.
> >> >> >
> >> >> > I never had this problem in Windows 2000. How do I configure a
> >> >> > directory
> >> >> > on
> >> >> > a Windows 2003 server so that people can "push" files to that folder
> >> >> > without
> >> >> > logging onto the server locally and "pulling" the files over?
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>

 

[Dragos CAMARA]

Louis respond to that problem if you think that group everyone is best
practices to have full control on share permission:

junioradm full ntfs permission on folder FA
group A internal users -rights to administer members to junioradm
group B external users

restrict group B to have any access to folder FA whatever mistakes make
junioradm on ntfs permisions or on group A membership.

--
Dragos CAMARA
MCSA Windows 2003 server


"Albert Louis" wrote:

> hmmmmmmmmmm this is all very interesting. Sure would like to see what Dragos
> response is to Eagles10 question. Dragos I'm almost embarrassed to have read
> your reply to Andrew instructing him to secure his folders at the share
> level using groups. Makes the rest of us MCSA's look like we have no
> creditability
>
>
> "Eagles10" <bogus@bogus.net> wrote in message
> news:%233TvKRWyHHA.4276@TK2MSFTNGP05.phx.gbl...
> > wow!!! looks like I stumbled into a very interesting thread. Did anyone
> > ever resolve Andrew's issues? Let me throw in my cents here and try not to
> > offend anyone. I'm going to have to agree with SBS Rocker simply because
> > if you start applying users and groups at the share level you are creating
> > more work and managing the ntfs folder permissions becomes quite a task
> > Rocker is correct. You need to apply Everyone=FULL at the share level. I'm
> > not sure what Dragos was thinking about offering his suggestion to add
> > groups to the share permissions. Afterall he is a MCSA and he should know
> > better than that.
> >
> > Dragos what happens if I give Group A FULL share permissions and Modify
> > NTFS permissions on the folder. Now I have a subfolder that requires part
> > od the users of Group A to have Modify and a new Group B to have read
> > access yet some of the members of Group B are members of Group A. Now what
> > are you going to do?
> >
> >
> >
> > "Andrew" <Andrew@discussions.microsoft.com> wrote in message
> > news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com...
> >>I shared a directory with one of our Windows 2003 servers and gave a user
> >> Full Control accesss to that directory. However, from his computer where
> >> he
> >> is logged on, he can't copy and paste anything to that directory. If he
> >> remote desktop's into the server and logs on as himself, he can browse to
> >> another network share and pull the file over without any problems.
> >>
> >> I never had this problem in Windows 2000. How do I configure a directory
> >> on
> >> a Windows 2003 server so that people can "push" files to that folder
> >> without
> >> logging onto the server locally and "pulling" the files over?
> >
> >
>
>
>

 

[Dragos CAMARA]

hi,
you dont offend nobody, but dont think the share permissions level like a
banal think wich was introduced by microsoft only the admin to have to click
more when make a sharing.

as your problem is simple if you thinked twice before you post - i dont said
to make all the permissions by sharing permissions, in fact i will modify
your problem like that :
assume you have a junior administrator and you dont want that he to give
the rights to that folder to group C -but allow him to give rights to others
groups- what are you doing?
and assume you have hundred of that servers a tens of junior administrators
-you will apply the same "best practice" with everyone full rights on shares
permissions? i dont think so , but ofcourse you are free to do what do you
want, but do not tell that a full rights to group Everyone is a best practice.

in best practices wich are linked by SBS Rocker it sais about authenticated
users not about Everyone group so it's like i said add proper groups there
and do not envolve Everyone group with full rights.
--
Dragos CAMARA
MCSA Windows 2003 server


"Eagles10" wrote:

> wow!!! looks like I stumbled into a very interesting thread. Did anyone ever
> resolve Andrew's issues? Let me throw in my cents here and try not to offend
> anyone. I'm going to have to agree with SBS Rocker simply because if you
> start applying users and groups at the share level you are creating more
> work and managing the ntfs folder permissions becomes quite a task Rocker
> is correct. You need to apply Everyone=FULL at the share level. I'm not sure
> what Dragos was thinking about offering his suggestion to add groups to the
> share permissions. Afterall he is a MCSA and he should know better than
> that.
>
> Dragos what happens if I give Group A FULL share permissions and Modify NTFS
> permissions on the folder. Now I have a subfolder that requires part od the
> users of Group A to have Modify and a new Group B to have read access yet
> some of the members of Group B are members of Group A. Now what are you
> going to do?
>
>
>
> "Andrew" <Andrew@discussions.microsoft.com> wrote in message
> news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com...
> >I shared a directory with one of our Windows 2003 servers and gave a user
> > Full Control accesss to that directory. However, from his computer where
> > he
> > is logged on, he can't copy and paste anything to that directory. If he
> > remote desktop's into the server and logs on as himself, he can browse to
> > another network share and pull the file over without any problems.
> >
> > I never had this problem in Windows 2000. How do I configure a directory
> > on
> > a Windows 2003 server so that people can "push" files to that folder
> > without
> > logging onto the server locally and "pulling" the files over?
>
>
>

 

[SBS Rocker]

Now that's what everyone here is talking about Dragos. You are creating more
work. If you had the parent folder shared at Everyone=FULL or even better
Authenticated Users=FULL you'll never have to modify the share permissions
again no matter what type of access you need to grant in the folder or sub
folder. All security is now controlled and managed at the NFTS folder and
sub folder levels.
There was a reason why pre W2K3 by default for a share was Everyone=FULL.
Now they have changed it to Everyone=Read. You may not agree with having
Everyone=FULL at the share level but you seem to agree with Authenticated
Users=FULL at the share level. Isn't the Guest account a member of Everyone
as well as Authenicated Users? That siad if you did it that way there would
be no reason to creating new groups or removing groups at share level.
Correct? All you would need to do at the parent FolderA and sub folderB now
is create one new group and give them Read access. Copy the inherited NTFS
permissions from the parent folder and add Group B and have inheritance
turned on at the sub level to all child folders.
That is the reasoning behind why you only need to apply one group at the
share level so you don't have to go back and do all the extra work at the
share level as you just explained.



"Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message
news:707B3AF6-BA71-4A69-B0A6-04807F047C1A@microsoft.com...
> simple as a walking in a park :
> create a group C give ntfs share permisions to that group, add group A and
> B
> to C, remove group A from share permission, give NTFS rights acording to
> group A and B.
>
> everyone group full access : includes anyone who has access to network
> resources, including the Guest account - so keep to guest account with
> that
> rights
> --
> Dragos CAMARA
> MCSA Windows 2003 server
>
>
> "Albert Louis" wrote:
>
>> hmmmmmmmmmm this is all very interesting. Sure would like to see what
>> Dragos
>> response is to Eagles10 question. Dragos I'm almost embarrassed to have
>> read
>> your reply to Andrew instructing him to secure his folders at the share
>> level using groups. Makes the rest of us MCSA's look like we have no
>> creditability
>>
>>
>> "Eagles10" <bogus@bogus.net> wrote in message
>> news:%233TvKRWyHHA.4276@TK2MSFTNGP05.phx.gbl...
>> > wow!!! looks like I stumbled into a very interesting thread. Did anyone
>> > ever resolve Andrew's issues? Let me throw in my cents here and try not
>> > to
>> > offend anyone. I'm going to have to agree with SBS Rocker simply
>> > because
>> > if you start applying users and groups at the share level you are
>> > creating
>> > more work and managing the ntfs folder permissions becomes quite a task
>> > Rocker is correct. You need to apply Everyone=FULL at the share level.
>> > I'm
>> > not sure what Dragos was thinking about offering his suggestion to add
>> > groups to the share permissions. Afterall he is a MCSA and he should
>> > know
>> > better than that.
>> >
>> > Dragos what happens if I give Group A FULL share permissions and Modify
>> > NTFS permissions on the folder. Now I have a subfolder that requires
>> > part
>> > od the users of Group A to have Modify and a new Group B to have read
>> > access yet some of the members of Group B are members of Group A. Now
>> > what
>> > are you going to do?
>> >
>> >
>> >
>> > "Andrew" <Andrew@discussions.microsoft.com> wrote in message
>> > news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com...
>> >>I shared a directory with one of our Windows 2003 servers and gave a
>> >>user
>> >> Full Control accesss to that directory. However, from his computer
>> >> where
>> >> he
>> >> is logged on, he can't copy and paste anything to that directory. If
>> >> he
>> >> remote desktop's into the server and logs on as himself, he can browse
>> >> to
>> >> another network share and pull the file over without any problems.
>> >>
>> >> I never had this problem in Windows 2000. How do I configure a
>> >> directory
>> >> on
>> >> a Windows 2003 server so that people can "push" files to that folder
>> >> without
>> >> logging onto the server locally and "pulling" the files over?
>> >
>> >
>>
>>
>>

 

[SBS Rocker]

Oh I forgot to mention Group C which is a copy of Group A minus the members
of Group B. Which means you copy the inheritance from the parent folder,
remove Group A and Add Group B and Group C. But nothing else needed to be
done at the share level is required.

"SBS Rocker" <noreply@NoDomain.com> wrote in message
news:%23VrSs7hyHHA.4824@TK2MSFTNGP02.phx.gbl...
> Now that's what everyone here is talking about Dragos. You are creating
> more work. If you had the parent folder shared at Everyone=FULL or even
> better Authenticated Users=FULL you'll never have to modify the share
> permissions again no matter what type of access you need to grant in the
> folder or sub folder. All security is now controlled and managed at the
> NFTS folder and sub folder levels.
> There was a reason why pre W2K3 by default for a share was Everyone=FULL.
> Now they have changed it to Everyone=Read. You may not agree with having
> Everyone=FULL at the share level but you seem to agree with Authenticated
> Users=FULL at the share level. Isn't the Guest account a member of
> Everyone as well as Authenicated Users? That siad if you did it that way
> there would be no reason to creating new groups or removing groups at
> share level. Correct? All you would need to do at the parent FolderA and
> sub folderB now is create one new group and give them Read access. Copy
> the inherited NTFS permissions from the parent folder and add Group B and
> have inheritance turned on at the sub level to all child folders.
> That is the reasoning behind why you only need to apply one group at the
> share level so you don't have to go back and do all the extra work at the
> share level as you just explained.
>
>
>
> "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message
> news:707B3AF6-BA71-4A69-B0A6-04807F047C1A@microsoft.com...
>> simple as a walking in a park :
>> create a group C give ntfs share permisions to that group, add group A
>> and B
>> to C, remove group A from share permission, give NTFS rights acording to
>> group A and B.
>>
>> everyone group full access : includes anyone who has access to network
>> resources, including the Guest account - so keep to guest account with
>> that
>> rights
>> --
>> Dragos CAMARA
>> MCSA Windows 2003 server
>>
>>
>> "Albert Louis" wrote:
>>
>>> hmmmmmmmmmm this is all very interesting. Sure would like to see what
>>> Dragos
>>> response is to Eagles10 question. Dragos I'm almost embarrassed to have
>>> read
>>> your reply to Andrew instructing him to secure his folders at the share
>>> level using groups. Makes the rest of us MCSA's look like we have no
>>> creditability
>>>
>>>
>>> "Eagles10" <bogus@bogus.net> wrote in message
>>> news:%233TvKRWyHHA.4276@TK2MSFTNGP05.phx.gbl...
>>> > wow!!! looks like I stumbled into a very interesting thread. Did
>>> > anyone
>>> > ever resolve Andrew's issues? Let me throw in my cents here and try
>>> > not to
>>> > offend anyone. I'm going to have to agree with SBS Rocker simply
>>> > because
>>> > if you start applying users and groups at the share level you are
>>> > creating
>>> > more work and managing the ntfs folder permissions becomes quite a
>>> > task
>>> > Rocker is correct. You need to apply Everyone=FULL at the share level.
>>> > I'm
>>> > not sure what Dragos was thinking about offering his suggestion to add
>>> > groups to the share permissions. Afterall he is a MCSA and he should
>>> > know
>>> > better than that.
>>> >
>>> > Dragos what happens if I give Group A FULL share permissions and
>>> > Modify
>>> > NTFS permissions on the folder. Now I have a subfolder that requires
>>> > part
>>> > od the users of Group A to have Modify and a new Group B to have read
>>> > access yet some of the members of Group B are members of Group A. Now
>>> > what
>>> > are you going to do?
>>> >
>>> >
>>> >
>>> > "Andrew" <Andrew@discussions.microsoft.com> wrote in message
>>> > news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com...
>>> >>I shared a directory with one of our Windows 2003 servers and gave a
>>> >>user
>>> >> Full Control accesss to that directory. However, from his computer
>>> >> where
>>> >> he
>>> >> is logged on, he can't copy and paste anything to that directory. If
>>> >> he
>>> >> remote desktop's into the server and logs on as himself, he can
>>> >> browse to
>>> >> another network share and pull the file over without any problems.
>>> >>
>>> >> I never had this problem in Windows 2000. How do I configure a
>>> >> directory
>>> >> on
>>> >> a Windows 2003 server so that people can "push" files to that folder
>>> >> without
>>> >> logging onto the server locally and "pulling" the files over?
>>> >
>>> >
>>>
>>>
>>>
>
>

 

[Dragos CAMARA]

i can agree that authenticated users can be a best practices, but you make
again a VERY BAD MISTAKE : guest account isn't member of authenticated users
group (you have to read and learn more)

The Everyone group often contains the same set of users as the Users and
Authenticated Users groups. However, if you've enabled the Guest account,
you'll find that users who have logged on as Guest are members of Everyone
but not members of Users or Authenticated Users.

The difference between the Users and Authenticated Users groups is a bit
more esoteric.
Windows networks include the ability to have computer-to-computer
connections that involve null sessions. Computers use these sessions to
exchange lists of shared folders, printers, and other network resources
workstations use null sessions to connect to domain controllers (DCs) before
users authenticate to the domain.

--
Dragos CAMARA
MCSA Windows 2003 server


"SBS Rocker" wrote:

> Now that's what everyone here is talking about Dragos. You are creating more
> work. If you had the parent folder shared at Everyone=FULL or even better
> Authenticated Users=FULL you'll never have to modify the share permissions
> again no matter what type of access you need to grant in the folder or sub
> folder. All security is now controlled and managed at the NFTS folder and
> sub folder levels.
> There was a reason why pre W2K3 by default for a share was Everyone=FULL.
> Now they have changed it to Everyone=Read. You may not agree with having
> Everyone=FULL at the share level but you seem to agree with Authenticated
> Users=FULL at the share level. Isn't the Guest account a member of Everyone
> as well as Authenicated Users? That siad if you did it that way there would
> be no reason to creating new groups or removing groups at share level.
> Correct? All you would need to do at the parent FolderA and sub folderB now
> is create one new group and give them Read access. Copy the inherited NTFS
> permissions from the parent folder and add Group B and have inheritance
> turned on at the sub level to all child folders.
> That is the reasoning behind why you only need to apply one group at the
> share level so you don't have to go back and do all the extra work at the
> share level as you just explained.
>
>
>
> "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message
> news:707B3AF6-BA71-4A69-B0A6-04807F047C1A@microsoft.com...
> > simple as a walking in a park :
> > create a group C give ntfs share permisions to that group, add group A and
> > B
> > to C, remove group A from share permission, give NTFS rights acording to
> > group A and B.
> >
> > everyone group full access : includes anyone who has access to network
> > resources, including the Guest account - so keep to guest account with
> > that
> > rights
> > --
> > Dragos CAMARA
> > MCSA Windows 2003 server
> >
> >
> > "Albert Louis" wrote:
> >
> >> hmmmmmmmmmm this is all very interesting. Sure would like to see what
> >> Dragos
> >> response is to Eagles10 question. Dragos I'm almost embarrassed to have
> >> read
> >> your reply to Andrew instructing him to secure his folders at the share
> >> level using groups. Makes the rest of us MCSA's look like we have no
> >> creditability
> >>
> >>
> >> "Eagles10" <bogus@bogus.net> wrote in message
> >> news:%233TvKRWyHHA.4276@TK2MSFTNGP05.phx.gbl...
> >> > wow!!! looks like I stumbled into a very interesting thread. Did anyone
> >> > ever resolve Andrew's issues? Let me throw in my cents here and try not
> >> > to
> >> > offend anyone. I'm going to have to agree with SBS Rocker simply
> >> > because
> >> > if you start applying users and groups at the share level you are
> >> > creating
> >> > more work and managing the ntfs folder permissions becomes quite a task
> >> > Rocker is correct. You need to apply Everyone=FULL at the share level.
> >> > I'm
> >> > not sure what Dragos was thinking about offering his suggestion to add
> >> > groups to the share permissions. Afterall he is a MCSA and he should
> >> > know
> >> > better than that.
> >> >
> >> > Dragos what happens if I give Group A FULL share permissions and Modify
> >> > NTFS permissions on the folder. Now I have a subfolder that requires
> >> > part
> >> > od the users of Group A to have Modify and a new Group B to have read
> >> > access yet some of the members of Group B are members of Group A. Now
> >> > what
> >> > are you going to do?
> >> >
> >> >
> >> >
> >> > "Andrew" <Andrew@discussions.microsoft.com> wrote in message
> >> > news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com...
> >> >>I shared a directory with one of our Windows 2003 servers and gave a
> >> >>user
> >> >> Full Control accesss to that directory. However, from his computer
> >> >> where
> >> >> he
> >> >> is logged on, he can't copy and paste anything to that directory. If
> >> >> he
> >> >> remote desktop's into the server and logs on as himself, he can browse
> >> >> to
> >> >> another network share and pull the file over without any problems.
> >> >>
> >> >> I never had this problem in Windows 2000. How do I configure a
> >> >> directory
> >> >> on
> >> >> a Windows 2003 server so that people can "push" files to that folder
> >> >> without
> >> >> logging onto the server locally and "pulling" the files over?
> >> >
> >> >
> >>
> >>
> >>
>
>
>

 

[SBS Rocker]

OK I can agree with that and "I stand corrected" on the guest account. So in
a nutshell best to apply "Authenticated Users" = FULL at the share level and
that's all that needs to be done at the share level. But your way of
creating new groups and applying it at the share level is not necessary or
best practices. I'm out of this thread........ I hope Andrew got his answer


"Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message
news:853B95FE-8EAA-4C7B-91FD-9AEEA43BDDC0@microsoft.com...
>i can agree that authenticated users can be a best practices, but you make
> again a VERY BAD MISTAKE : guest account isn't member of authenticated
> users
> group (you have to read and learn more)
>
> The Everyone group often contains the same set of users as the Users and
> Authenticated Users groups. However, if you've enabled the Guest account,
> you'll find that users who have logged on as Guest are members of Everyone
> but not members of Users or Authenticated Users.
>
> The difference between the Users and Authenticated Users groups is a bit
> more esoteric.
> Windows networks include the ability to have computer-to-computer
> connections that involve null sessions. Computers use these sessions to
> exchange lists of shared folders, printers, and other network resources
> workstations use null sessions to connect to domain controllers (DCs)
> before
> users authenticate to the domain.
>
> --
> Dragos CAMARA
> MCSA Windows 2003 server
>
>
> "SBS Rocker" wrote:
>
>> Now that's what everyone here is talking about Dragos. You are creating
>> more
>> work. If you had the parent folder shared at Everyone=FULL or even better
>> Authenticated Users=FULL you'll never have to modify the share
>> permissions
>> again no matter what type of access you need to grant in the folder or
>> sub
>> folder. All security is now controlled and managed at the NFTS folder and
>> sub folder levels.
>> There was a reason why pre W2K3 by default for a share was Everyone=FULL.
>> Now they have changed it to Everyone=Read. You may not agree with having
>> Everyone=FULL at the share level but you seem to agree with Authenticated
>> Users=FULL at the share level. Isn't the Guest account a member of
>> Everyone
>> as well as Authenicated Users? That siad if you did it that way there
>> would
>> be no reason to creating new groups or removing groups at share level.
>> Correct? All you would need to do at the parent FolderA and sub folderB
>> now
>> is create one new group and give them Read access. Copy the inherited
>> NTFS
>> permissions from the parent folder and add Group B and have inheritance
>> turned on at the sub level to all child folders.
>> That is the reasoning behind why you only need to apply one group at the
>> share level so you don't have to go back and do all the extra work at the
>> share level as you just explained.
>>
>>
>>
>> "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message
>> news:707B3AF6-BA71-4A69-B0A6-04807F047C1A@microsoft.com...
>> > simple as a walking in a park :
>> > create a group C give ntfs share permisions to that group, add group A
>> > and
>> > B
>> > to C, remove group A from share permission, give NTFS rights acording
>> > to
>> > group A and B.
>> >
>> > everyone group full access : includes anyone who has access to network
>> > resources, including the Guest account - so keep to guest account with
>> > that
>> > rights
>> > --
>> > Dragos CAMARA
>> > MCSA Windows 2003 server
>> >
>> >
>> > "Albert Louis" wrote:
>> >
>> >> hmmmmmmmmmm this is all very interesting. Sure would like to see what
>> >> Dragos
>> >> response is to Eagles10 question. Dragos I'm almost embarrassed to
>> >> have
>> >> read
>> >> your reply to Andrew instructing him to secure his folders at the
>> >> share
>> >> level using groups. Makes the rest of us MCSA's look like we have no
>> >> creditability
>> >>
>> >>
>> >> "Eagles10" <bogus@bogus.net> wrote in message
>> >> news:%233TvKRWyHHA.4276@TK2MSFTNGP05.phx.gbl...
>> >> > wow!!! looks like I stumbled into a very interesting thread. Did
>> >> > anyone
>> >> > ever resolve Andrew's issues? Let me throw in my cents here and try
>> >> > not
>> >> > to
>> >> > offend anyone. I'm going to have to agree with SBS Rocker simply
>> >> > because
>> >> > if you start applying users and groups at the share level you are
>> >> > creating
>> >> > more work and managing the ntfs folder permissions becomes quite a
>> >> > task
>> >> > Rocker is correct. You need to apply Everyone=FULL at the share
>> >> > level.
>> >> > I'm
>> >> > not sure what Dragos was thinking about offering his suggestion to
>> >> > add
>> >> > groups to the share permissions. Afterall he is a MCSA and he should
>> >> > know
>> >> > better than that.
>> >> >
>> >> > Dragos what happens if I give Group A FULL share permissions and
>> >> > Modify
>> >> > NTFS permissions on the folder. Now I have a subfolder that requires
>> >> > part
>> >> > od the users of Group A to have Modify and a new Group B to have
>> >> > read
>> >> > access yet some of the members of Group B are members of Group A.
>> >> > Now
>> >> > what
>> >> > are you going to do?
>> >> >
>> >> >
>> >> >
>> >> > "Andrew" <Andrew@discussions.microsoft.com> wrote in message
>> >> > news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com...
>> >> >>I shared a directory with one of our Windows 2003 servers and gave a
>> >> >>user
>> >> >> Full Control accesss to that directory. However, from his computer
>> >> >> where
>> >> >> he
>> >> >> is logged on, he can't copy and paste anything to that directory.
>> >> >> If
>> >> >> he
>> >> >> remote desktop's into the server and logs on as himself, he can
>> >> >> browse
>> >> >> to
>> >> >> another network share and pull the file over without any problems.
>> >> >>
>> >> >> I never had this problem in Windows 2000. How do I configure a
>> >> >> directory
>> >> >> on
>> >> >> a Windows 2003 server so that people can "push" files to that
>> >> >> folder
>> >> >> without
>> >> >> logging onto the server locally and "pulling" the files over?
>> >> >
>> >> >
>> >>
>> >>
>> >>
>>
>>
>>

 

[Dragos CAMARA]

and if Group A have 10k users and Group B have 15k users how a create and
maintain that group C?
and again if i delegate the rights to maintain that share how i will
restrict the delegated admin to not give rights to group D but can give
rights to what other group he wants?
--
Dragos CAMARA
MCSA Windows 2003 server


"SBS Rocker" wrote:

> Oh I forgot to mention Group C which is a copy of Group A minus the members
> of Group B. Which means you copy the inheritance from the parent folder,
> remove Group A and Add Group B and Group C. But nothing else needed to be
> done at the share level is required.
>
> "SBS Rocker" <noreply@NoDomain.com> wrote in message
> news:%23VrSs7hyHHA.4824@TK2MSFTNGP02.phx.gbl...
> > Now that's what everyone here is talking about Dragos. You are creating
> > more work. If you had the parent folder shared at Everyone=FULL or even
> > better Authenticated Users=FULL you'll never have to modify the share
> > permissions again no matter what type of access you need to grant in the
> > folder or sub folder. All security is now controlled and managed at the
> > NFTS folder and sub folder levels.
> > There was a reason why pre W2K3 by default for a share was Everyone=FULL.
> > Now they have changed it to Everyone=Read. You may not agree with having
> > Everyone=FULL at the share level but you seem to agree with Authenticated
> > Users=FULL at the share level. Isn't the Guest account a member of
> > Everyone as well as Authenicated Users? That siad if you did it that way
> > there would be no reason to creating new groups or removing groups at
> > share level. Correct? All you would need to do at the parent FolderA and
> > sub folderB now is create one new group and give them Read access. Copy
> > the inherited NTFS permissions from the parent folder and add Group B and
> > have inheritance turned on at the sub level to all child folders.
> > That is the reasoning behind why you only need to apply one group at the
> > share level so you don't have to go back and do all the extra work at the
> > share level as you just explained.
> >
> >
> >
> > "Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message
> > news:707B3AF6-BA71-4A69-B0A6-04807F047C1A@microsoft.com...
> >> simple as a walking in a park :
> >> create a group C give ntfs share permisions to that group, add group A
> >> and B
> >> to C, remove group A from share permission, give NTFS rights acording to
> >> group A and B.
> >>
> >> everyone group full access : includes anyone who has access to network
> >> resources, including the Guest account - so keep to guest account with
> >> that
> >> rights
> >> --
> >> Dragos CAMARA
> >> MCSA Windows 2003 server
> >>
> >>
> >> "Albert Louis" wrote:
> >>
> >>> hmmmmmmmmmm this is all very interesting. Sure would like to see what
> >>> Dragos
> >>> response is to Eagles10 question. Dragos I'm almost embarrassed to have
> >>> read
> >>> your reply to Andrew instructing him to secure his folders at the share
> >>> level using groups. Makes the rest of us MCSA's look like we have no
> >>> creditability
> >>>
> >>>
> >>> "Eagles10" <bogus@bogus.net> wrote in message
> >>> news:%233TvKRWyHHA.4276@TK2MSFTNGP05.phx.gbl...
> >>> > wow!!! looks like I stumbled into a very interesting thread. Did
> >>> > anyone
> >>> > ever resolve Andrew's issues? Let me throw in my cents here and try
> >>> > not to
> >>> > offend anyone. I'm going to have to agree with SBS Rocker simply
> >>> > because
> >>> > if you start applying users and groups at the share level you are
> >>> > creating
> >>> > more work and managing the ntfs folder permissions becomes quite a
> >>> > task
> >>> > Rocker is correct. You need to apply Everyone=FULL at the share level.
> >>> > I'm
> >>> > not sure what Dragos was thinking about offering his suggestion to add
> >>> > groups to the share permissions. Afterall he is a MCSA and he should
> >>> > know
> >>> > better than that.
> >>> >
> >>> > Dragos what happens if I give Group A FULL share permissions and
> >>> > Modify
> >>> > NTFS permissions on the folder. Now I have a subfolder that requires
> >>> > part
> >>> > od the users of Group A to have Modify and a new Group B to have read
> >>> > access yet some of the members of Group B are members of Group A. Now
> >>> > what
> >>> > are you going to do?
> >>> >
> >>> >
> >>> >
> >>> > "Andrew" <Andrew@discussions.microsoft.com> wrote in message
> >>> > news:BF348C3A-D097-4852-AFB2-71978C5D6F81@microsoft.com...
> >>> >>I shared a directory with one of our Windows 2003 servers and gave a
> >>> >>user
> >>> >> Full Control accesss to that directory. However, from his computer
> >>> >> where
> >>> >> he
> >>> >> is logged on, he can't copy and paste anything to that directory. If
> >>> >> he
> >>> >> remote desktop's into the server and logs on as himself, he can
> >>> >> browse to
> >>> >> another network share and pull the file over without any problems.
> >>> >>
> >>> >> I never had this problem in Windows 2000. How do I configure a
> >>> >> directory
> >>> >> on
> >>> >> a Windows 2003 server so that people can "push" files to that folder
> >>> >> without
> >>> >> logging onto the server locally and "pulling" the files over?
> >>> >
> >>> >
> >>>
> >>>
> >>>
> >
> >
>
>
>