W2K Security 3

Aug 2, 2001
Because of a problem a user had saving info on an Excel spreadsheet yesterday, I had to go on a hunt to truly understand the W2K security issues and where the security rights come from. I use johnsong for testing security issues.

1) Create folder on Server ITEST
2) Create Group ITEST in Active Directory.
3) Place in group Administrator and dummy account johnsong
4) johnsong is only a domain user and has Read Only rights in ITEST Group in Active Directory.
5) Place test.txt document in folder ITEST using gjohnson who is a member of admin.
6) In the folder for ITEST, give the Share Permissions for the ITEST group Change and Read.
7) In the folder for ITEST, give the Security = Modify, Read & Execute, List Folder Contents, Read and Write.
8) johnsong accesses the test.txt and adds a line to it. Tries to save it and is told he can't.
9) gjohnson accesses the test.txt and adds a line to it. Saves it with no problem (expected, he's a member of admin).
10) In the Share permissions, change ITEST Group to Full Control, Change and Read.
11) johnsong accesses the test.txt and adds a line to it. SAVE WORKS!!!!!!!!
12) Remove full control from Share Properties on Folder ITEST, give full control to Group ITEST.
13) johnsong accesses the test.txt and adds a line to it. SAVE WORKS!!!!!!!!


This means the Share properties on the folders are equal to the permissions given in Active Directory Groups. If I give full control to a group or member under the Share properties of a folder, they will have just that, no matter what security is set in Active Directory. So I would never give Full Control to any folder in the share except to admin. If a person has problems accessing it, I would address it in AD or Security, not the Share tab. Am I wrong in this? Thanks.

Glen A. Johnson
Microsoft Certified Professional
glen.johnson@insightbb.com
"Work consists of whatever a body is obliged to do.
Play consists of whatever a body is not obliged to do."
Mark Twain (1835-1910); US writer.
 
You're confusing the heck out of me...(not hard to do). What do permissions on AD groups have to do with File permissions? It doesn't matter what permissions a user has on the Group Object in AD where file permissions are concerned. For example:
You create the AD security group ITEST. Don't worry about setting permissions on this group, just populate it. Now, you go to some server and create a share TESTSHARE, and give domain admins "full control" and everyone "change" rights. Now, under that share you create a folder TESTFOLDER. Remove all the permissions given to this folder by default, and add the group ITEST with "Modify" type (RWMD) permissions. Whoever is a member of ITEST will be able to do just about anything except change the actual permissions on the folder. Now, if you go back into AD and change the security on that group object however you like, it should have no effect on the file share....
 
Never really have been clear on Active Directory, even though I did get my MCP. (That was for Windows 2000 Pro, so it doesn't help with AD.) Now you're confusing me. Create a share? I know you can create a folder and share it, and I went into AD and created a new shared folder under the ITEST folder, but it doesn't show up. Should I not even worry about security in AD at all, just set it up on the folders? (We only have 250 users, so we're not a big outfit.) Thanks
Glen A. Johnson
 
Anyway, you should always set the share permissions to Everyone Full Control (default) and control NTFS permissions only. The most restrictive permissions always win. So if you have Everyone Full Control under SHARE permissions and Everyone Read under NTFS, then everyone will only have Read permissions.

That's the way I go and I'm never confused with permissions.

Hope this helps!
:)
 
I meant create a share on your file server, not AD, but it doesn't matter...yeah, basically you set up security directly on the folders using Users and Groups you create in AD. Think of those users and groups just as objects without permissions to any files. You're granting them those permissions directly from the file servers you're working with....
 
If I understand this, then I'm actually making work for myself by setting permissions up in AD and in the Security tab on the shared folder. I only need to worry about the security on the folders. Makes sense, and I thought that might be the case, but I thought it would be better to err on more security, not less.
Glen A. Johnson
 
Correct. The security tab in AD is solely there to grant permissions to manipulate properties, send email as/to, or manipulate child objects of that group object, nothing to do with file permissions on a member server. Hope that clears the waters a bit...
 
Cleared up some questions for me too, Brontosaurus. Thanks, you get a star!
 
Thanks, as usual, you da man! Makes things a lot easier to understand. They should have a separate Forum just for Active Directory and Security.
Glen A. Johnson
 
Question, how do I then set up rights for users in groups? If I create a group in AD and add users with different rights, then on the folder, add the group, the security is going to come from AD, so I won't have to add all the users and change their security individually, correct?
Glen A. Johnson
 
You can't set up file/directory permissions for individual users within a group. Permissions are applied to the group via the file server, and all members inherit those permissions. If you decide to add an individual user, who is also a member of the group in question, to that file permission set, then as Niavlys said, the more restrictive permissions win. I hope I'm explaining this OK...basically, AD and file permissions are two separate worlds...
 
So you're saying, if I have a group, with one individual in charge of it with all rights, and other members of the group need read only rights, I can't add the group, and have the security picked up there? I would have to add all members to the folder and set up the security there? What's the point of having groups? Thanks for the help. I am getting a bit confused again.
Glen A. Johnson
 
I'm starting to understand. I gave johnsong full control of the object ITEST Group. Then in the ITEST Folder, I gave ITEST Group read only rights on the security tab. I then opened the text object, made changes and tried to save it. It wouldn't let me save it, which is what I was expecting based on what you've told me so far. How do I handle multiple users' rights on a folder, without having to add them individually? What is the purpose of the groups? In Novell, you create a security group, place people in that group, and assign the rights within that group. Then, whoever had read only rights to a folder, that's all they had. If they had read/write access to that folder, that's what they got. We didn't have to add each user to a folder. I can't believe MS isn't as easy to use as Novell. Basically, I think I do understand, but don't like what I'm understanding. How do you control rights through NTFS?
Glen A. Johnson
 
This is a direct copy and paste from the Microsoft Help File. What's the deal?

To set, view, change, or remove file and folder permissions

1) Open Windows Explorer, and then locate the file or folder for which you want to set permissions.
2) Right-click the file or folder, click Properties, and then click the Security tab.
3) Do one of the following:
   - To set up permissions for a new group or user, click Add. Type the name of the group or user you want to set permissions for using the format domainname\name, and then click OK to close the dialog box.
   - To change or remove permissions from an existing group or user, click the name of the group or user.
4) In Permissions, click Allow or Deny for each permission you want to allow or deny, if necessary. Or, to remove the group or user from the permissions list, click Remove.


Glen A. Johnson
 
I went to the folder ITEST and in the security tab, gave the group ITEST complete rights except Full Control. Everything below that, including modify, read and write, was checked. Then in the group ITEST, I gave johnsong read only rights. Then I logged on as johnsong, opened the test.txt, added a line to it, and tried to save it. Was told I had only read rights to the folder. The security HAD to come from the Group settings. This is what I thought originally. What everybody has been saying is probably correct unless you uncheck ALLOW INHERITABLE PERMISSIONS FROM PARENT TO PROPAGATE TO THIS OBJECT, and select remove. I'd love to have somebody out there try this and see what happens.
Glen A. Johnson
 
OK. First. What's the point of having groups? To make permission administration easier. You create a group with the intention of assigning specific permissions to it, that will affect all the members of that group. So, let's say on your ITEST file server folder, you wanted 20 of your users to have "change" permissions and 20 of your users to have "read" permissions. You'd create 2 groups, ITEST CHANGERS and ITEST READERS, and populate the 2 groups with the appropriate members. Then, you'd right click the folder on your server, add those 2 groups, and assign them permissions. Second, notice in the help file you cut/pasted that there's NO mention of setting permissions in AD Users and Computers? Lastly, the "Allow inheritable permissions thing...." works like this: By default, all NTFS file systems under W2K have this checked. Essentially, this means that the "root" permissions of any file system propagate down to ALL the sub-folders unless you state otherwise. For example, say your ITEST folder was located directly on the C: drive of your server. If you leave this box checked, the permissions on the C: drive itself will overwrite whatever permissions you set on the ITEST folder. If you uncheck this box, you're free to manipulate permissions however you'd like.
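As an added illustration, not written by any poster in this thread, the following Python model works through the rule Niavlys and Brontosaurus describe: a user's NTFS rights are gathered from every group the user belongs to (an explicit Deny overriding any Allow), share rights are gathered the same way, and the user ends up with the intersection of the two, so the most restrictive side wins. The users, groups and permission sets are constructed for the example, and the permission levels are simplified to a few elementary rights.

```python
"""Toy model of W2K effective access: NTFS ACL AND share ACL, most restrictive wins."""
from dataclasses import dataclass

# Built-in permission levels expanded to elementary rights (simplified model).
LEVELS = {
    "Read": {"read"},
    "Change": {"read", "write", "delete"},      # name used on the Share tab
    "Modify": {"read", "write", "delete"},      # name used on the NTFS Security tab
    "Full Control": {"read", "write", "delete", "change_permissions"},
}


@dataclass
class Ace:
    principal: str      # user or group name
    level: str          # a key of LEVELS
    allow: bool = True  # False models an explicit Deny entry


def expand(aces, principals):
    """Rights an ACL grants to any of the given principals; explicit Deny wins."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(LEVELS[ace.level])
    return allowed - denied


def effective_access(user, groups, ntfs_aces, share_aces):
    """Rights the user actually gets over the share: intersection of both ACLs."""
    principals = {user, "Everyone", *groups.get(user, ())}
    return expand(ntfs_aces, principals) & expand(share_aces, principals)


# Constructed scenario mirroring the thread: one share, two groups on the folder.
GROUPS = {"johnsong": {"ITEST READERS"}, "gjohnson": {"ITEST CHANGERS"}}
SHARE = [Ace("Everyone", "Full Control")]  # share left wide open, as Niavlys suggests
NTFS = [Ace("ITEST CHANGERS", "Modify"), Ace("ITEST READERS", "Read")]

if __name__ == "__main__":
    for user in GROUPS:
        print(user, sorted(effective_access(user, GROUPS, NTFS, SHARE)))
    # Same NTFS ACL behind a Read-only share: Modify is clipped down to read.
    clipped = effective_access("gjohnson", GROUPS, NTFS, [Ace("Everyone", "Read")])
    print("gjohnson through a read-only share:", sorted(clipped))
```

The last call shows Glen's original symptom from the other direction: a Change or Read share entry caps what the NTFS Modify entry can deliver, which is why the save started working only after the share itself was opened up.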
 
But, I don't want 2 separate groups. That's double the work. Why have a change group and a read group when one group with the security taken care of in the group and not the folders would do? By doubling up the groups, you're doubling up the size of your Active Directory database. And yes, by unchecking the box, you're free to manipulate permissions however you like, which is what I want. What's the problem?
Glen A. Johnson
 
Hi Glen, permissions are not given to a group or a user; you have to tell the folder (or file) who will have access to it and how. You don't tell users or groups what they have access to. I understand your point of view if you were using Novell before, but now it's a bit different.
For the size of the AD database, don't worry about it, that's not an issue.

Hope we're getting clearer
[smile]
 
I'd be interested to see Glen add a few users to the ITEST group and assign differing permissions to each user, then add the group to the security tab of the ITEST folder... I'd be interested in the results, that is. ;)

Will
 
It will be done.
Glen A. Johnson
 