• home
  • forum
  • my
  • kt
  • download
    • home / Operating Systems / Windows / Tips

    Share Permissions Mixing with NTFS

    Author: 2009-03-20 09:41:12 From:

    Sharing and NTFS work the same way. When you go through the share, you have particular permissions that have been given to you. Now, if you have been given full control permissions, you only have to worry about the NTFS side. Actually, this is the highly suggested best practice to share permissions.

    However, in the event this wasn’t done and someone grants read-only through the share, the person who accesses a folder on the NTFS side is given full control, but it no longer matters because the share has already ruled them out.

    The way to work out shares is the down-down-across method.

    Add up all the share permissions cumulatively, then the NTFS, and then go across, as shown in Table 1.

    Table 1: The Down-Down-Across Method

    Code:
    Objects 	Share Permissions 		NTFS Permissions 	Effective Permissions
UserJoe 	    Full Control 			              Modify 		 	              Modify
Managers 	   Change 			                 Deny: Read 		         Write, Delete

    So if we just look at UserJoe, we see how his permissions move across and allow the editing capabilities. But if we put UserJoe into the Managers group, how would we figure out the permissions? If we just went across for both UserJoe and Managers, it might appear that UserJoe’s permissions would still be edited. But by using the down-down-across method, we would see full control through the share, deny: read (but allow write and delete)—basically UserJoe would have write and delete permissions.

    For instance, what if you have a folder called Files in another folder called Folders on your C drive: C:\Folders\Files. If you share it out to UserJoe as full control and you share Files out to UserJoe as read, you have an interesting dilemma. If UserJoe tries to access the share through the Files share, his permission is read. But if you go through the Folders share, UserJoe gets Full Control and then can access the Files folder, which still would be Full Control because you are already through the share. Then permissions on the NTFS side would have to be added into the mix.

    You can always open Computer Management and expand out the shares to then see the permissions set on each one of the shares by viewing the properties. From the same place, you can see the NTFS permissions set, too.

    A command-line tool that admin can play with comes from the Windows 2003 Resource Kit, it is called SRVCHECK.EXE. This tool specifies the shares on the local or a remote machine.

    discuss this topic to forum

    [Print][Close][Bookmark:digg+,reddit+,del.icio.us+,dzone+]

    relation tutorial

    No information

    Category

      Administration (27)
      Development (6)
      Direct 3d (0)
      Networking (60)
      Tips (93)

    New

    Hot

    JCWcn.com
    Copyright © 2007 All rights reserved