folder sharing question

  • Question

  • Dear all, 

    What's the difference between the setting as listed as below:

    Sharing

    Advanced Sharing

    Tuesday, June 25, 2019 3:14 PM

All replies

  • You can control access by managing share permissions and file permissions. Share permissions act as a filter to file permissions. If you have "administrators full control" on the file security, but only "everyone read" on the share permissions, then administrators will not be able to update the files when accessed through the share. The "everyone read" on the share will prevent the update.

    The "advanced sharing" button allows you to manage the share permissions. 

    The "share" button is what I will call "simple sharing". It creates a share and puts "administrators full" and "everyone full" on the share permissions. On the file permissions, it disables inheritance, adds your account as owner (admin in the example that follows) and adds the user that you select (I used testuser). It will remove the Users group, but leaves SYSTEM and Administrators in place. 

    In the advanced sharing, you are only managing the share permissions. You would still have to click on the security tab to verify that your users have access at the file level. 

    From an admin command prompt here is an example. 

    Here are the file permissions on the root folder.


    C:\>icacls c:\temp\
    c:\temp\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
             BUILTIN\Administrators:(OI)(CI)(F)
             BUILTIN\Users:(OI)(CI)(F)

    Successfully processed 1 files; Failed processing 0 files

    Note that Users has been removed and my testuser account was added.

    C:\>icacls c:\temp\SimpleShare
    c:\temp\SimpleShare TEST10B\Admin:(OI)(CI)(F)
                        TEST10B\testuser:(OI)(CI)(RX)
                        NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                        BUILTIN\Administrators:(OI)(CI)(F)

    Successfully processed 1 files; Failed processing 0 files

    Note the (I), this indicates that these permissions are inherited from the parent folder.

    C:\>icacls c:\temp\AdvancedShare
    c:\temp\AdvancedShare NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                          BUILTIN\Administrators:(I)(OI)(CI)(F)
                          BUILTIN\Users:(I)(OI)(CI)(F)

    Successfully processed 1 files; Failed processing 0 files

    Share permissions are wide open. Since everyone has full control, the Administrators entry is not needed. 

    C:\>net share simpleshare
    Share name        SimpleShare
    Path              C:\temp\SimpleShare
    Remark
    Maximum users     No limit
    Users
    Caching           Manual caching of documents
    Permission        BUILTIN\Administrators, FULL
                      Everyone, FULL
    The command completed successfully.

    Here I added the testuser through the "Advanced Sharing" dialog. It only applies to the share permissions. Since everyone already has read, the testuser entry is not needed. 


    C:\>net share advancedshare
    Share name        AdvancedShare
    Path              C:\temp\AdvancedShare
    Remark
    Maximum users     No limit
    Users
    Caching           Manual caching of documents
    Permission        Everyone, READ
                      TEST10B\testuser, READ

    The command completed successfully.

    C:\>

    • Edited by MotoX80 Tuesday, June 25, 2019 5:03 PM
    Tuesday, June 25, 2019 4:55 PM
  • Hello,

    In short, the "Share" button sets filesystem permissions. The "Advanced Sharing" button sets CIFS share permissions.

    Permissions are processed like this for a network user:

    Computer (Remote Login) => Share (Advanced Sharing) => Filesystem (Security)

    If a user is blocked at any stage they cannot proceed any further.

    The long answer:

    The 'Basic' sharing dialog does not apply any permissions on the share level.

    Instead it defaults share-level security to allow all and any permissions you set are applied directly to the underlying filesystem. All ACLs are parsed in turn so by setting share-level permissions to allow everything just means control gets deferred to the filesystem itself.

    The reasons for this are simple - so there is just one set of permissions to manage and the same rules are applied to both local and remote access. This is to avoid any conflicts and confusion for basic users. It is the "basic"/"home user" option after all.

    The "Advanced Sharing" option for administrators applies an additional level of share-level permissions that only act on remote/network access.

    This allows advanced users to apply an additional level of access control for network access only, but does not apply any rules to the filesystem itself. As with all ACLs, users must pass both sets of permissions to gain access so giving users access to the share, but not the filesystem, would not work - hence why this option is protected behind an "Advanced" button.

    So...can anyone explain how these are related and which one takes precedence?

    They are not related. Neither takes precedence.

    how does one share a folder on and have any sort of confidence that the users one puts there will actually have access to that share?

    Use the basic Sharing dialog.

    If one share is a completely different share of the same name then one would think Windows would warn that you're overwriting a share that you'd already carefully set up, but no such warning appears.

    They are not different shares. You cannot have multiple shares of the same name.

    I have added 4 people with specific rules in the Sharing section but when I go to Advanced Sharing, Everyone has full access. Can I remove this Full Access? What are the rules?

    You can try, but it is needed for the standard Sharing permissions to work.

    Source:

    https://superuser.com/questions/897180/whats-the-difference-between-sharing-and-advanced-sharing-in-windows-server-200/985536

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best regards,



    Wednesday, June 26, 2019 1:46 AM
    Moderator
  • Dear all, 

    Is there any suggestion for how to prevent adding Everyone to the security and permission settings? Is there a tool to scan computers in LDAP to find which computers have the Everyone setting? Thanks a lot.

    Sunday, June 30, 2019 3:15 AM
  • I don't think that there is any way to prevent it.

    There are some PowerShell scripts in the TechNet repository that may work for you.

    https://gallery.technet.microsoft.com/scriptcenter/Gets-shares-on-servers-CSV-0dfc8aa5

    https://gallery.technet.microsoft.com/scriptcenter/List-Share-Permissions-83f8c419
    You can also use the built-in PS cmdlets.

    Get-SmbShare | Get-SmbShareAccess

    See https://blog.techsnips.io/how-to-enumerate-file-shares-on-a-remote-windows-computer-with-powershell/

     
    Sunday, June 30, 2019 2:24 PM
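
Building on the `Get-SmbShare | Get-SmbShareAccess` pipeline from the last reply, the following is an added example (not code from any of the posters or the linked scripts) that lists shares granting access to broad groups at the share level and shows the file-level entries on the same folder next to them. The function name `Get-BroadShareAccess`, the list of accounts treated as broad, and the output column names are assumptions made for the illustration.

```powershell
# Added example: lists local SMB shares whose share permissions grant access to
# broad groups, alongside the file permissions on the shared folder.
# Account names assume an English-language Windows installation.
$BroadAccounts = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

function Get-BroadShareAccess {
    param([string[]]$Accounts = $BroadAccounts)

    # -Special $false leaves out administrative shares such as C$ and IPC$.
    foreach ($share in Get-SmbShare -Special $false) {
        # Share permissions: what the "Advanced Sharing" dialog edits.
        $shareAces = @(Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccountName -in $Accounts })
        if ($shareAces.Count -eq 0) { continue }

        # File permissions: what the Security tab edits (skipped when there is no folder path).
        $fileAces = @()
        if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
            $fileAces = @((Get-Acl -LiteralPath $share.Path).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -in $Accounts })
        }
        # True when a broad account holds a file-level right that includes writing data.
        $writeBit  = [int][System.Security.AccessControl.FileSystemRights]::WriteData
        $fileWrite = [bool]($fileAces | Where-Object { ([int]$_.FileSystemRights -band $writeBit) -ne 0 })

        foreach ($ace in $shareAces) {
            [pscustomobject]@{
                Share            = $share.Name
                Path             = $share.Path
                ShareAccount     = $ace.AccountName
                ShareRight       = $ace.AccessRight   # Full, Change, Read or Custom
                FileLevelAces    = ($fileAces | ForEach-Object {
                    '{0}: {1}' -f $_.IdentityReference.Value, $_.FileSystemRights }) -join '; '
                # The share acts as a filter: remote write needs it at both layers.
                BroadRemoteWrite = ($ace.AccessRight -in 'Full', 'Change') -and $fileWrite
            }
        }
    }
}

Get-BroadShareAccess | Format-Table -AutoSize
```

On the example shares shown earlier in the thread, SimpleShare would be listed with `Everyone` / `Full` at the share level but no broad file-level entries, while AdvancedShare would show `Everyone` / `Read` at the share level next to the inherited `BUILTIN\Users` full-control entry on the folder.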