Security and Sharing

Rockitman

I have a folder that I've created a share on. How come there are more
security permissions than share permissions?

I don't understand this stuff. I want a group to be able to write files to
the directory but if I give them Write rights in Security it doesn't work.

When I go to share permissions, there are very limited rights available,
Full Control, Read, and Change. Where are the write rights??
 
S. Pidgorny

There are also permissions on the file system. Permissions on the share only
control and potentially limit operations through the network sharing
mechanism; permissions on the file system are required as well.

Think of share permission as a visa. In any country, there are citizens
that don't require a visa (full control), those who come with visas (read),
and people without visas or on a blacklist (both have no access). However,
when they are already in the country, different controls apply.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *


Rockitman

I am trying very very hard to understand all of this and am failing miserably.

I have a d: drive. I have created a folder called docs. I want group A
to have read and file scan rights to this folder and all of its subfolders.
I also have a user, who will be responsible for creating folders under this
Docs folder, placing files in these folders, and possibly renaming them as
well as the folders themselves, in case she makes a mistake. I just don't
want her to have any delete rights.
So, with this scenario, can you please explain in detail how I would go
about doing this? Please explain in DETAIL. Do I need to create a share?
Why??

Roger Abell [MVP]

A user must have both share level and filesystem level permissions if they
are to access over the network.
When they are logged in locally only the filesystem permissions are needed.
When they access over the network they can do anything that the filesystem
allows to them provided that the share level permissions are not less.

For example, your scenario had a couple of categories of users, but none
of them will be setting permissions, so they will not use permissions
greater than change (i.e. full). If the filesystem set things so that your
categories of accounts could do exactly and only what you want when logged
in locally, then granting them change at the share level would let them do
everything they are allowed at the filesystem (but nothing else as the
filesystem will not allow it). If at the share level you were to only give
them read, then even though the filesystem would let them do more they
could not do any more than read when the access is over the network.

The share level permissions set an upper limit on what can be done over
the network, provided that the filesystem allows it. The share level
permissions never cause an account to be able to do more than the
filesystem allows to the account.

In your scenario you want one category of account to be able to have
"read and file scan rights". I am not sure what you mean by the second.
If you want them to be able to read files and browse the folder structure
then you would grant them List and Read on the filesystem, and you
would grant them at least Read at the share level.

The other category is not quite as simple. If you had not said they
should not be able to delete then at the uppermost folder you could just
grant them List and grant them Modify Subfolders and Files (you need
to click advanced after you grant Modify in order to reduce it from
This folder, subfolders and files to just Subfolders and files).
In order for this category of user to use all of their filesystem perms
over the network they would need at least Change share level perms.

Now, you said they should not be able to delete. You can accomplish
that a couple of ways. One is to use the advanced view of the filesystem
perms just described and remove the check mark on the deletes.
However this might not be what you expect as some things, like
renames, actually require delete.

Roger
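
The rule described in the reply above, worked through as an added example
that is not part of the original thread: over the network the rights in
force are the filesystem rights capped by the share level, locally they are
the filesystem rights alone. The function names and the operation table are
hypothetical, the first case assumes the share was left at Read, and the
model ignores deny entries, group membership and inheritance.

```python
# Added illustration, not from the thread: a simplified model of how
# share and filesystem (NTFS) permissions combine.

# Access-right bits as defined in the Windows SDK header winnt.h.
READ_DATA, ADD_FILE, ADD_SUBDIR = 0x0001, 0x0002, 0x0004
READ_EA, WRITE_EA, TRAVERSE = 0x0008, 0x0010, 0x0020
DELETE_CHILD, READ_ATTR, WRITE_ATTR = 0x0040, 0x0080, 0x0100
DELETE, READ_CONTROL, WRITE_DAC = 0x010000, 0x020000, 0x040000
WRITE_OWNER, SYNCHRONIZE = 0x080000, 0x100000

# Permission bundles composed from those bits.
READ_EXECUTE = (READ_DATA | READ_EA | TRAVERSE | READ_ATTR
                | READ_CONTROL | SYNCHRONIZE)
WRITE = ADD_FILE | ADD_SUBDIR | WRITE_EA | WRITE_ATTR | SYNCHRONIZE
MODIFY = READ_EXECUTE | WRITE | DELETE
FULL = MODIFY | DELETE_CHILD | WRITE_DAC | WRITE_OWNER

# The three share-level choices are coarse bundles of the same bits.
SHARE = {"Read": READ_EXECUTE, "Change": MODIFY, "Full Control": FULL}

# Right each operation needs (simplified; rename is modelled as needing
# DELETE on the item, as the reply above notes).
NEEDS = {
    "read file": READ_DATA,
    "create file": ADD_FILE,
    "create folder": ADD_SUBDIR,
    "rename": DELETE,
    "delete": DELETE,
    "set permissions": WRITE_DAC,
}


def effective(ntfs, share=None):
    """Rights in force: share=None is a local logon, otherwise the
    share level caps what the filesystem grants."""
    return ntfs if share is None else ntfs & SHARE[share]


def allowed(ntfs, share=None):
    """Sorted names of the operations the effective rights permit."""
    mask = effective(ntfs, share)
    return sorted(op for op, need in NEEDS.items() if mask & need == need)


if __name__ == "__main__":
    cases = [  # constructed cases based on the scenarios in the thread
        ("Write in Security, share left at Read", READ_EXECUTE | WRITE, "Read"),
        ("same ACL, logged in locally", READ_EXECUTE | WRITE, None),
        ("group A: Read on both", READ_EXECUTE, "Read"),
        ("Read on filesystem, Full Control on share", READ_EXECUTE, "Full Control"),
        ("folder creator: Modify + Change", MODIFY, "Change"),
        ("folder creator with Delete unticked", MODIFY & ~DELETE, "Change"),
    ]
    for label, ntfs, share in cases:
        print(f"{label:45} -> {', '.join(allowed(ntfs, share))}")
```

The last two cases show the trade-off mentioned at the end of the reply:
taking Delete away from Modify also takes away rename.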



Rockitman

Finally!! Somebody has explained this so that I can understand!! Thanks a
million Roger, it makes crystal clear sense now!!


Roger Abell [MVP]

"Rockitman" <Rockitman@discussions.microsoft.com> wrote in message
news:FE1D5F0B-68AB-4FAF-9ACD-7047E9FAAC11@microsoft.com...
> Finally!! Somebody has explained this so that I can understand!! Thanks a
> million Roger, it makes crystal clear sense now!!


Good it worked for you.
Another thing that might have helped is if you had followed up on the
replies in the other thread you started, giving feedback of what did and
what did not make sense of the replies.

Roger

