Server 2003 share permissions
Posted by matt mgs on January 13th, 2005


Can anybody please let me know what I am doing wrong?

I am new to server 2003 and cannot work out why we seem to be having so many
problems with file sharing.

Whilst users can open documents in shared folders most of the time they can
not save them.

All of the sharing permissions and security settings appear to be ok but
users still get error messages. Either disk is full or write protected or
access denied, usually the first.

I have looked at the read only attribute on the folder which is this new
greyed out tick and it does not seem to matter what I do with this it has no
effect on the folder or its contents.

Posted by Pegasus (MVP) on January 13th, 2005



Do not use share permissions - set them to "full control" for everyone.
Use NTFS permissions instead - they are much more powerful.



Posted by Dmitry Korolyov [MVP] on January 13th, 2005


By default, Windows Server 2003 assigns "everyone - Read" permissions to
shares. This is different from Windows 2000 where "Everyone - Full Control"
was assigned. So all you have to do is to modify share permissions.

--
Dmitry Korolyov [d__k@removethispart.mail.ru]
MVP: Windows Server - Directory Services




Posted by Steve on January 13th, 2005


While this will get you up and running quickly (which is a good thing),
you'll eventually want to set both NTFS *and* share permissions to the
appropriate level. It's extra work up front, but it gives you more control
and security down the road (which is a very good thing).

-Steve



Posted by Pegasus (MVP) on January 13th, 2005


I disagree. If you set your NTFS permissions to "Read only" for
group A, and "No access" for group B, then doing the same
thing for the share permissions creates twice the amount of work
but does not give you twice the security.

Furthermore, group permissions are very coarse. They do not
have the fine granularity of NTFS permissions. The result is
that you end up with different types of permissions, which is
confusing. It defies the KISS principle.




Posted by Steve on January 13th, 2005


While I am a big fan of KISS, there are a few reasons I like to combine a
simple share level permission with granular NTFS permissions. I typically
apply "Authenticated Users:Change" permissions to the share level for the
following reasons...

1) Allowing "Everyone:Full Control" permissions on the share allows anyone
plugging into my network the ability to peek into a share. A share level ACL
ensures a user has at least some sort of account on my system before they can
view a file.

2) If you give "Everyone:Full Control" access to the share, users with full
permissions on a file/folder can remove the Administrator, or otherwise muck
around with the ACL. I have just enough distrust for our users that I think
this extra security is a good idea.

3) The few additional mouse-clicks can avoid future problems. I am, at
times, somewhat harried and forgetful. On more than one occasion I (or a
cow-orker) have added a file or folder to a share and not properly secured it
with NTFS/it hasn't inherited appropriate permissions. This at least
guarantees some level of security on an inadvertently unsecured file (see #2).

Many say share level permissions have been made obsolete by the widespread
use of NTFS, and you'll find no argument from me about how much better NTFS
secures files...there's no comparison. I also agree you would be nuts to try
to apply complex permissions on the share, trying to mirror your NTFS
permissions. But, IMHO, it is a simple process to just apply "Authenticated
Users:Change" permissions (or whatever is appropriate for your environment)
any time you create a new share as an ounce of prevention. I suppose in the
end it comes down to personal preference. YMMV, but this approach has worked
well for me.

-Steve Tyrol




Posted by Pegasus (MVP) on January 13th, 2005


There are obviously at least two different schools of thought
about the best method to tie down a system. You feel
comfortable with your method, I feel comfortable with mine.
In closing this discussion I would still like to add some
comments - see below.

- An authenticated but unauthorised user can connect to any share
but he won't see anything at all.
- A user who is not authenticated will get challenged for an account
name / password before he gets connected to the share.

get knocked out by a user.
- If you are concerned about users modifying the ACL then you can give
them "Modify" rather than "Full Control" rights under NTFS. In other
words, you would use a single tool to grant access rights, not two.
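
The configurations argued over in this thread can be compared with a small model of how share-level and NTFS permissions combine. This is an added example, not part of any post; it relies on the standard Windows rule that access through a share is limited to the rights granted by both ACLs, and the group names and ACLs in it are constructed samples.

```python
# Added illustration, not from the thread. Effective access over a share is
# modelled as the intersection of the share ACL and the NTFS ACL.
# Simplification: allow ACEs only; deny ACEs and inheritance are left out.

# Standard Windows file access-mask values.
FILE_WRITE_DATA = 0x000002   # needed to save a document
WRITE_DAC       = 0x040000   # needed to change permissions (edit the ACL)
READ   = 0x1200A9            # "Read" / "Read & Execute"
CHANGE = 0x1301BF            # share "Change", same mask as NTFS "Modify"
FULL   = 0x1F01FF            # "Full Control"

def granted(acl, sids):
    """OR together the masks of every allow ACE whose trustee the user holds."""
    mask = 0
    for trustee, rights in acl:
        if trustee in sids:
            mask |= rights
    return mask

def effective(share_acl, ntfs_acl, sids):
    """A right is usable through the share only if both ACLs grant it."""
    return granted(share_acl, sids) & granted(ntfs_acl, sids)

def can(mask, right):
    return mask & right == right

# Constructed identities (hypothetical names).
STAFF = {"Everyone", "Authenticated Users", "Staff"}
GUEST = {"Everyone"}         # guest session: not in Authenticated Users

# Constructed ACLs matching the positions taken in the thread.
SHARE_2003_DEFAULT  = [("Everyone", READ)]
SHARE_EVERYONE_FULL = [("Everyone", FULL)]
SHARE_AUTH_CHANGE   = [("Authenticated Users", CHANGE)]
NTFS_STAFF_FULL     = [("Staff", FULL)]
NTFS_UNSECURED      = [("Everyone", FULL)]   # folder added without tightening

if __name__ == "__main__":
    shares = [("2003 default", SHARE_2003_DEFAULT),
              ("Everyone:Full Control", SHARE_EVERYONE_FULL),
              ("Authenticated Users:Change", SHARE_AUTH_CHANGE)]
    for name, share in shares:
        staff = effective(share, NTFS_STAFF_FULL, STAFF)
        guest = effective(share, NTFS_UNSECURED, GUEST)
        print(f"{name:28} staff save={can(staff, FILE_WRITE_DATA)} "
              f"staff edit ACL={can(staff, WRITE_DAC)} "
              f"guest on unsecured folder={hex(guest)}")
```
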