It's all about inheritance - if the share doesn't have full control set for some set of users, then the ability of those users to take ownership on the files/directories underneath won't work, when accessed through the share.
Kurt

On Thu, Jul 2, 2015 at 7:59 AM, Matthew Topper <[email protected]> wrote:
> On the share? I didn't think the actual share even had an owner the way the
> folder did.
>
> Matthew Topper
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Rankin, James R
> Sent: Thursday, July 2, 2015 10:50 AM
> To: [email protected]
> Subject: Re: [NTSysADM] permission/ share life lesson
>
> And take ownership permission, IIRC
>
> -------
>
> James Rankin | Director | TaloSys | 07809668579 Sent from my Blackberry
>
> -----Original Message-----
> From: Matthew Topper <[email protected]>
> Sender: "[email protected]" <[email protected]>
> Date: Thu, 2 Jul 2015 15:13:01
> To: [email protected]<[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Subject: RE: [NTSysADM] permission/ share life lesson
>
> I didn't think so. I had this question earlier and found this:
>
> https://technet.microsoft.com/en-us/library/cc784499%28v=ws.10%29.aspx
>
> Full Control
> Full Control is the default permission that is assigned to the
> Administrators group on the local computer. Full Control allows all Read and
> Change permissions, plus:
>
> Changing permissions (NTFS files and folders only)
>
>
> Matthew Topper
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Dave Lum
> Sent: Thursday, July 2, 2015 10:10 AM
> To: [email protected]
> Subject: RE: [NTSysADM] permission/ share life lesson
>
> For general share level perms I use "Authenticated Users - Change", unless a
> special device like printer or something needs to hit it in which case I use
> "Everyone - Change". I then use NTFS to lock down everything underneath it.
> IIRC when using ADUC and specifying a user home directory (I use GPO now and
> not this) I think that folder had to have <domain\user> - Full control at the
> share AND NTFS, but it's been a few years...
>
> I try to keep Share level perms simple and use NTFS to get granular. And I
> feel for those inheriting environments where user accounts are in the ACL and
> not groups. A couple of %dayjobs% ago it was so bad that when it came time to
> move to new storage it was far easier to nuke, pave and create groups and
> redo the ACL's than to try and figure out what was where.
>
> Doesn't "Authenticated users - Full" allow anyone that's authenticated to
> rename the share itself?
>
> Dave
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Michael Leone
> Sent: Thursday, July 02, 2015 6:44 AM
> To: [email protected]
> Subject: Re: [NTSysADM] permission/ share life lesson
>
> On Thu, Jul 2, 2015 at 8:40 AM, Rankin, James R <[email protected]>
> wrote:
>>
>> But you wouldn't ever want to change the share perms, at least not in my
>> experience, once they're set once they're set forever.
>
> That's what we do. Share permissions are "Authenticated Users" Full.
> And then use AD groups on the NTFS permissions - 1 group for RWXD, 1 for RO.
>
> Since security is the more restrictive of the 2, all we have to worry about
> is AD group membership.
>
>
> Attention: Information contained in this message and or attachments is
> intended only for the recipient(s) named above and may contain confidential
> and or privileged material that is protected under State or Federal law. If
> you are not the intended recipient, any disclosure, copying, distribution or
> action taken on it is prohibited. If you believe you have received this email
> in error, please contact the sender, delete this email and destroy all copies.
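
The interaction discussed in this thread, as an added example that is not part of the original messages: a small PowerShell model that intersects the rights granted at the share with the rights granted by NTFS, comparing a "Change" share with a "Full" share for a user whose group has NTFS Full Control. The principal names, ACE objects and function names are hypothetical, the share levels are expressed with the .NET `FileSystemRights` enum, and deny handling is simplified.

```powershell
# Added example. Principals and ACEs are constructed sample data.
$Rights = [System.Security.AccessControl.FileSystemRights]

# Share-level permission names expressed as access masks.
$ShareLevel = @{
    Read   = $Rights::ReadAndExecute -bor $Rights::Synchronize
    Change = $Rights::Modify -bor $Rights::Synchronize   # no TakeOwnership / ChangePermissions bits
    Full   = $Rights::FullControl
}

# Rights an ACL grants to a token (user plus group names).
# Simplification: any matching Deny ACE wins; ACE order and inheritance are ignored.
function Get-GrantedMask {
    param([object[]]$Acl, [string[]]$Token)
    $allow = 0; $deny = 0
    foreach ($ace in $Acl) {
        if ($Token -notcontains $ace.Principal) { continue }
        if ($ace.Type -eq 'Deny') { $deny = $deny -bor [int]$ace.Mask }
        else { $allow = $allow -bor [int]$ace.Mask }
    }
    $allow -band (-bnot $deny)
}

# Access over the network is the intersection of share rights and NTFS rights.
function Get-EffectiveOverShare {
    param([object[]]$ShareAcl, [object[]]$NtfsAcl, [string[]]$Token)
    $mask = (Get-GrantedMask $ShareAcl $Token) -band (Get-GrantedMask $NtfsAcl $Token)
    [pscustomobject]@{
        Effective         = [System.Security.AccessControl.FileSystemRights]$mask
        TakeOwnership     = [bool]($mask -band [int]($Rights::TakeOwnership))
        ChangePermissions = [bool]($mask -band [int]($Rights::ChangePermissions))
    }
}

# Constructed scenario: the user's group holds NTFS Full Control on the folder.
$token = 'CORP\alice', 'CORP\Finance-RW', 'Authenticated Users'
$ntfs  = @([pscustomobject]@{ Principal = 'CORP\Finance-RW'; Type = 'Allow'; Mask = $Rights::FullControl })

foreach ($level in 'Change', 'Full') {
    $share = @([pscustomobject]@{ Principal = 'Authenticated Users'; Type = 'Allow'; Mask = $ShareLevel[$level] })
    $r = Get-EffectiveOverShare -ShareAcl $share -NtfsAcl $ntfs -Token $token
    '{0,-6} share: TakeOwnership={1} ChangePermissions={2} Effective={3}' -f `
        $level, $r.TakeOwnership, $r.ChangePermissions, $r.Effective
}
```

The model covers access through the share only; a user logged on locally to the server is subject to the NTFS ACL alone.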
