Share Permissions
I feel embarrassed to ask this, but I'm not proud, so here it goes:
I have a folder called USERS.
Under this folder are individual user folders (i.e. DGrohl, JPJones, JHomme)
My question: I use a VBScript to back up the folder and it's failing with a permission denied error. When I right-click on the folder, under Sharing, I have "Share this Folder" with the name "Users". In the Permissions tab, Administrators have Full Control, and so does Everyone. On the Security tab, permissions are more granular.
What's the proper way to do this? Ultimately what I want is for DGrohl to be able to log in, get the Users folder and see anything in that root. He can see the JPJones folder, but he should not be able to see into it. He should only be able to see into and write to his own folder. Same for all users. Administrator should be able to see into all folders so the backup script functions properly.
What's the right way with the permissions? Should I ignore permissions altogether on the Share tab?
August 3rd, 2010 4:39pm
Usually you control access with NTFS permissions and grant full control on share permissions.
Access Based Enumeration has been around since 2003 SP1, so this might handle the visibility problem.
http://technet.microsoft.com/en-us/library/cc784710(WS.10).aspx
http://www.microsoft.com/windowsserver2003/techinfo/overview/abe.mspx
-- Mike Burr
August 3rd, 2010 5:13pm
Differences between Authenticated Users, Domain Users, and Everyone groups
http://networkadminkb.com/kb/Knowledge%20Base/ActiveDirectory/Differences%20between%20Authenticated%20Users,%20Domain%20Users,%20and%20Everyone%20groups.aspx
Recommended NTFS Permissions for New Drives
http://networkadminkb.com/kb/Knowledge%20Base/Windows2003/Recommended%20NTFS%20Permissions%20for%20New%20Drives.aspx
Creator Owner Explained
http://networkadminkb.com/kb/Knowledge%20Base/ActiveDirectory/Creator%20Owner%20Explained.aspx
The Golden Rules of Permissions Administration
http://networkadminkb.com/Shared%20Documents/The%20Golden%20Rules%20of%20Permissions%20Administration.aspx
Axioms of Permissions Administration
http://networkadminkb.com/Shared%20Documents/Axioms%20of%20Permissions%20Administration.aspx
Always make sure SYSTEM has FULL CONTROL, as well as the Local Administrators group. Creator Owner is not needed on new drives (non-C: drives) used for file sharing.
Ultimately, doing security is about creating and developing a philosophy; there are many out there. The one below is mine and works for most situations. This is just a simplified explanation of how the Axioms and Golden Rules are applied.
For shares you should do the following:
1) Everyone - Read (optional; not really needed, but nice just in case)
2) Authenticated Users - Change
3) Local Administrators - Full Control
4) File Structure Administrators - Full Control
For shares note the following:
Always limit Authenticated Users to Change at the share to prevent non-admin users from accidentally being given Full Control to the file structure.
You should always configure Local Administrators with Full Control at the share so they can administer it remotely.
You should always create and use a File Structure Administrators group and assign it Full Control to every share. This allows them to remotely administer shares without being local administrators.
For your high-level directories' NTFS permissions, where no files reside and only read access to folders is needed to get to the data in lower directories:
1) Authenticated Users - Read
2) Local Administrators - Full Control
3) File Structure Administrators - Full Control
4) SYSTEM - Full Control
For NTFS in this situation note:
Always limit Authenticated Users to Read to prevent non-admin users from changing folders and creating files here.
You should always configure Local Administrators with Full Control at the folder so they can administer it remotely.
You should always create and use a File Structure Administrators group and assign it Full Control to every folder. This allows them to remotely administer shares without being local administrators.
For NTFS permissions where users need to write data, stop inheritance, copy permissions and replace Authenticated Users with two different groups:
1) Directory group - Read Only
2) Directory group - Read and Write
3) Local Administrators - Full Control
4) File Structure Administrators - Full Control
5) SYSTEM - Full Control
For NTFS in this situation note:
Always remove Authenticated Users so the appropriate group(s) limit access.
You should always configure Local Administrators with Full Control at the folder so they can administer it remotely.
You should always create and use a File Structure Administrators group and assign it Full Control to every folder. This allows them to remotely administer shares without being local administrators.
August 3rd, 2010 6:10pm
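The share and NTFS layout described in the reply above, scripted as an added example (not code from either poster): share permissions stay broad, NTFS on the top-level folder is read-only for Authenticated Users, and each user folder has inheritance stopped with the inherited ACEs copied and Authenticated Users removed. It assumes Windows Server 2012 or later (New-SmbShare, icacls), a local disk D:, a placeholder domain CONTOSO and a placeholder group "CONTOSO\File Structure Admins"; the Access Based Enumeration setting from the earlier reply is enabled on the share.

```powershell
# Added example: implements the share/NTFS scheme from the thread.
# Assumptions: Server 2012+, D: drive, placeholder domain and group names.
$Root      = 'D:\Users'                        # top-level folder, shared as "Users"
$ShareName = 'Users'
$Domain    = 'CONTOSO'                         # placeholder domain
$FsAdmins  = "$Domain\File Structure Admins"   # placeholder group (reply's "File Structure Administrators")
$Users     = @('DGrohl', 'JPJones', 'JHomme')  # user folder names from the question

New-Item -ItemType Directory -Path $Root -Force | Out-Null

# --- Share permissions: Everyone Read, Authenticated Users Change (never Full),
# both admin groups Full so they can manage the share remotely. Access-based
# enumeration hides folders the connecting user cannot read (the visibility ask).
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    Remove-SmbShare -Name $ShareName -Force
}
New-SmbShare -Name $ShareName -Path $Root `
    -ReadAccess   'Everyone' `
    -ChangeAccess 'Authenticated Users' `
    -FullAccess   'Administrators', $FsAdmins `
    -FolderEnumerationMode AccessBased | Out-Null

# --- NTFS on the high-level folder: clear existing ACEs, then Read & Execute
# (RX, enough to traverse and list) for Authenticated Users and Full for
# Administrators, the file-structure admins and SYSTEM, all inheritable (OI)(CI).
icacls $Root /inheritance:r | Out-Null
icacls $Root /grant 'Authenticated Users:(OI)(CI)RX' `
                    'Administrators:(OI)(CI)F' `
                    "${FsAdmins}:(OI)(CI)F" `
                    'SYSTEM:(OI)(CI)F' | Out-Null

# --- NTFS on each user folder: /inheritance:d copies the inherited ACEs and then
# stops inheritance (the reply's "stop inheritance, copy permissions"); remove the
# copied Authenticated Users ACE so only the per-folder grants remain. The reply's
# "Read and Write" is granted here as Modify (M) to the owning user; substitute the
# read-only / read-write directory groups if you use the group scheme instead.
foreach ($u in $Users) {
    $dir = Join-Path $Root $u
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    icacls $dir /inheritance:d                 | Out-Null
    icacls $dir /remove:g 'Authenticated Users' | Out-Null
    icacls $dir /grant "${Domain}\${u}:(OI)(CI)M" | Out-Null
    icacls $dir   # print the resulting ACL for review
}
```

The last `icacls $dir` line exists only so the resulting ACL can be eyeballed: each user folder should list the user, Administrators, the file-structure group and SYSTEM, and no Authenticated Users entry.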
OK, I know I marked this as answered, but once again, I'm stumped. A little history:
At one point I turned on Folder Replication (I think it's called that, where the user's My Docs and Local Settings are synched with the server at each logon and logoff). I have since disabled it, though it still happens for some users like a possessed demon.
So anyway, here's where it fails. Here's the directory tree:
Users
    Debbie
        Desktop
Anything in a user's Desktop folder is inaccessible to the Administrator. I must go to EACH item in this folder, take ownership, then add Admin with full rights. This will be a bad thing with many users.
At the USERS level, for Sharing I have Admin, Everyone, and SYSTEM, all with Full control. Same on the Security tab. The check box to Allow Inheritable Permissions under Advanced is NOT CHECKED.
For DEBBIE, Debbie and Admin have full control. The check box to Allow Inheritable Permissions under Advanced is NOT CHECKED.
For DESKTOP, same as above.
Why is it just this Desktop folder? What the %$&%#$ am I doing wrong, lol!!
Appreciate any help.
August 4th, 2010 10:27pm