For general share level perms I use "Authenticated Users - Change", unless a special device like a printer or something needs to hit it, in which case I use "Everyone - Change". I then use NTFS to lock down everything underneath it. IIRC when using ADUC and specifying a user home directory (I use GPO now and not this) I think that folder had to have <domain\user> - Full control at the share AND NTFS, but it's been a few years...
I try to keep Share level perms simple and use NTFS to get granular. And I feel for those inheriting environments where user accounts are in the ACL and not groups. A couple of %dayjobs% ago it was so bad that when it came time to move to new storage it was far easier to nuke, pave and create groups and redo the ACL's than to try and figure out what was where.

Doesn't "Authenticated users - Full" allow anyone that's authenticated to rename the share itself?

Dave

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone
Sent: Thursday, July 02, 2015 6:44 AM
To: [email protected]
Subject: Re: [NTSysADM] permission/ share life lesson

On Thu, Jul 2, 2015 at 8:40 AM, Rankin, James R <[email protected]> wrote:
>
> But you wouldn't ever want to change the share perms, at least not in my
> experience, once they're set once they're set forever.

That's what we do. Share permissions are "Authenticated Users" Full. And then use AD groups on the NTFS permissions - 1 group for RWXD, 1 for RO. Since security is the more restrictive of the 2, all we have to worry about is AD group membership.
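
Added example, not from any poster in this thread: a PowerShell sketch of the layout discussed above, with one broad share-level entry and two AD groups carrying the real policy on NTFS. The path, share name and CONTOSO group names are hypothetical placeholders; it assumes a new, empty folder, groups that already exist in AD, and an elevated session on the file server.

```powershell
#Requires -RunAsAdministrator
# Hypothetical names: replace with your own path, share and AD groups.
$Path      = 'D:\Shares\Projects'
$ShareName = 'Projects'
$RwGroup   = 'CONTOSO\FS-Projects-RW'   # read/write/execute/delete
$RoGroup   = 'CONTOSO\FS-Projects-RO'   # read-only

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# Share level: a single broad entry ("Authenticated Users - Change").
# Swap -ChangeAccess for -FullAccess to match the "Authenticated Users Full" variant.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path `
        -ChangeAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
}

# NTFS level: groups only, no individual user accounts in the ACL.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # block inheritance, drop inherited ACEs

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$entries = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = $RwGroup;                 Rights = 'Modify' },
    @{ Id = $RoGroup;                 Rights = 'ReadAndExecute' }
)
foreach ($e in $entries) {
    # Throws if the group name cannot be resolved, so a typo fails loudly.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $e.Id, $e.Rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Check both layers: effective access over SMB is the more restrictive of the two.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessRight, AccessControlType
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited
```

After this, day-to-day access changes are AD group membership changes only; neither ACL needs to be touched again.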
