
W2K Security 3

Status
Not open for further replies.
Aug 2, 2001
Because of a problem a user had saving info on an Excel spreadsheet yesterday, I had to go on a hunt to truly understand the W2K security issues and where the security rights come from. I use johnsong for testing security issues.

1) Create folder on Server ITEST
2) Create Group ITEST in Active Directory.
3) Place in group Administrator and dummy account johnsong
4) johnsong is only a domain user and has Read Only rights in ITEST Group in Active Directory.
5) Place test.txt document in folder ITEST using gjohnson who is a member of admin.
6) In the folder for ITEST, give the Share Permissions for the ITEST group Change and Read.
7) In the folder for ITEST, give the Security = Modify, Read & Execute, List Folder Contents, Read and Write.
8) johnsong accesses the test.txt and adds a line to it. Tries to save it and is told he can't.
9) gjohnson accesses the test.txt and adds a line to it. Saves it with no problem. (Expected, he's a member of admin.)
10) In the Share permissions, change ITEST Group to Full Control, Change and Read.
11) johnsong accesses the test.txt and adds a line to it. SAVE WORKS!!!!!!!!
12) Remove full control from Share Properties on Folder ITEST, give full control to Group ITEST.
13) johnsong accesses the test.txt and adds a line to it. SAVE WORKS!!!!!!!!


This means the Share properties on the folders are equal to the permissions given in Active Directory Groups. If I give full control to a group or member under the Share properties of a folder, they will have just that, no matter what security is set in Active Directory. So I would never give Full Control to any folder in the share except to admin. If a person has problems accessing it, I would address it in AD or Security, not the Share tab. Am I wrong in this? Thanks.

Glen A. Johnson
Microsoft Certified Professional
glen.johnson@insightbb.com
"Work consists of whatever a body is obliged to do.
Play consists of whatever a body is not obliged to do."
Mark Twain (1835-1910); US writer.
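
The rule proposed in the post above (no Full Control at the share level except for admin) can be checked across a whole server. This is an added example, not part of the original thread: it assumes a current Windows system with the SmbShare cmdlets (Windows 8 / Server 2012 or later, so not W2K itself), and the allow-list, the function name and the `EXAMPLE\ITEST` sample entries are constructed for illustration.

```powershell
# Added example: flag share-level "Full" grants to anyone outside an allow-list.
# Assumption: these two principals are the only ones that may hold Full Control.
$AllowedFull = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Get-ShareFullControlFinding {
    # Hypothetical helper name. Takes share ACL entries (as returned by
    # Get-SmbShareAccess) and returns the Allow/Full entries not on the allow-list.
    param(
        [Parameter(Mandatory)] [object[]] $AccessEntries,
        [string[]] $AllowedAccounts = $AllowedFull
    )
    $AccessEntries |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight       -eq 'Full'  -and
            $_.AccountName       -notin $AllowedAccounts
        } |
        Select-Object Name, AccountName, AccessRight
}

# Constructed sample mirroring step 10 of the post: group ITEST holds
# Full Control on the ITEST share. EXAMPLE is a placeholder domain name.
$sample = @(
    [pscustomobject]@{ Name = 'ITEST'; AccountName = 'EXAMPLE\ITEST'
                       AccessControlType = 'Allow'; AccessRight = 'Full' }
    [pscustomobject]@{ Name = 'ITEST'; AccountName = 'BUILTIN\Administrators'
                       AccessControlType = 'Allow'; AccessRight = 'Full' }
    [pscustomobject]@{ Name = 'DOCS';  AccountName = 'EXAMPLE\ITEST'
                       AccessControlType = 'Allow'; AccessRight = 'Change' }
)

# Offline run against the sample: only the EXAMPLE\ITEST / Full entry is reported.
Get-ShareFullControlFinding -AccessEntries $sample

# Live run on a file server: collect the ACL of every non-administrative share.
if (Get-Command Get-SmbShareAccess -ErrorAction SilentlyContinue) {
    $live = @(Get-SmbShare -Special $false |
        ForEach-Object { Get-SmbShareAccess -Name $_.Name })
    if ($live.Count -gt 0) { Get-ShareFullControlFinding -AccessEntries $live }
}
```

The folder's Security tab (NTFS) entries are a separate ACL and are not covered by this check; `Get-Acl` on the shared path reads those.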
 
No, you were right, as usual. It turns out we're just not big enough to do it the correct way. Has to be one of the more enjoyable forums I've participated in. Learned a lot. Thanks.

Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com
"Every step of life shows much caution is required".
Johann Wolfgang von Goethe (1749-1832); German poet and playwright.

 