More restrictive sharing permission?

    Question

  • Hello,

    Our users' home directory in the AD user object is set to \\SERVER1.domain.com\Shares\Users\user1

    On SERVER1 the following folders and shares exist:

    d:\Shares

    Share name: Shares

    Sharing permissions: Everyone-Full

    d:\Shares\Users

    Share name: Users

    Sharing permissions: Everyone-Full

    I would like to prevent a small test group from writing data to their home folder, but allow them to read data. All other users should have full control to this share as far as sharing permissions are concerned.

    I thought that when two competing share permissions exist, the more restrictive one wins. This is true when comparing NTFS and share permissions, but I'm talking about sharing permissions only.

    If I set the following share permissions, the user is still able to modify the contents of the share. So does this mean that when duplicate share permissions exist, the more permissive ones are effective?

    Everyone-Full

    My test user (DOMAIN\user1) - Read

    Am I missing something, or is this true? Thank you in advance for your response!

    Thursday, April 11, 2013 8:08 AM

Answers

  • Hi,

    No, Deny takes precedence over Allow, but for Allow rules it just computes them together (a binary OR, if I can put it that way).

    The DOMAIN\user got Read, but as it's in the group Everyone, it got the Full Control flag too.

    You will have to set the NTFS permission, because if you try to set a Deny on write for the user, it will select Read too in the share permission. Unless you remove Everyone and use an AD group for that.

    Thanks



    MCP | MCTS 70-236: Exchange Server 2007, Configuring

    Twitter - @yagmoth555
    Blog: http://www.jabea.net | http://blogs.technet.com/b/wikininjas/

    Thursday, April 11, 2013 2:15 PM
    Moderator

All replies

  • Hi Yagmoth,

    Thank you for clarification.

    I ended up replacing the Everyone ACL with proper security groups.

    Friday, April 19, 2013 8:49 AM
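
The evaluation described in the answer and the fix from the last reply, as an added example that is not part of the original thread: a simplified model of share-level ACE evaluation (Deny first, Allow entries OR-ed together) run against three constructed ACLs. The group names DOMAIN\Home-Full and DOMAIN\Home-ReadOnly and the user DOMAIN\user2 are hypothetical; the masks are the standard access masks behind the Read, Change and Full Control checkboxes.

```python
# Simplified model: with ACEs in canonical order (Deny before Allow), the
# result equals "OR of matching Allow masks, minus OR of matching Deny masks".
READ = 0x1200A9    # share "Read"
CHANGE = 0x1301BF  # share "Change" (superset of READ)
FULL = 0x1F01FF    # share "Full Control" (superset of CHANGE)


def effective_share_access(token, acl):
    """token: principals carried by the logon (user plus groups).
    acl: list of (kind, principal, mask), kind is 'allow' or 'deny'."""
    denied = allowed = 0
    for kind, principal, mask in acl:
        if principal not in token:
            continue  # ACE does not apply to this user
        if kind == "deny":
            denied |= mask
        else:
            allowed |= mask  # Allow entries accumulate, they never restrict
    return allowed & ~denied


def label(mask):
    """Highest share permission level fully covered by the mask."""
    for name, bits in (("Full", FULL), ("Change", CHANGE), ("Read", READ)):
        if mask & bits == bits:
            return name
    return "None"


# Constructed tokens and ACLs (assumptions for illustration).
USER1 = {r"DOMAIN\user1", "Everyone", r"DOMAIN\Home-ReadOnly"}
USER2 = {r"DOMAIN\user2", "Everyone", r"DOMAIN\Home-Full"}

ACLS = {
    # The configuration from the question: Read for user1 next to Everyone-Full.
    "attempt": [("allow", "Everyone", FULL), ("allow", r"DOMAIN\user1", READ)],
    # Denying Change also removes every Read bit, as the answer warns.
    "deny_change": [("allow", "Everyone", FULL), ("deny", r"DOMAIN\user1", CHANGE)],
    # The resolution: Everyone removed, one group per access level.
    "groups": [("allow", r"DOMAIN\Home-Full", FULL),
               ("allow", r"DOMAIN\Home-ReadOnly", READ)],
}


def summary():
    """Map each ACL name to (user1 level, user2 level)."""
    return {name: (label(effective_share_access(USER1, acl)),
                   label(effective_share_access(USER2, acl)))
            for name, acl in ACLS.items()}


if __name__ == "__main__":
    for name, levels in summary().items():
        print(f"{name:12} user1={levels[0]:6} user2={levels[1]}")
```

Only the group-based ACL gives the test user Read while leaving other users at Full; the NTFS ACL is still evaluated separately, and the more restrictive of the two results applies.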