Sorry, thought you were talking NTFS :-)
-------
James Rankin | Director | TaloSys | 07809668579
Sent from my Blackberry

-----Original Message-----
From: Matthew Topper <[email protected]>
Sender: "[email protected]" <[email protected]>
Date: Thu, 2 Jul 2015 15:59:29
To: [email protected]<[email protected]>
Reply-To: "[email protected]" <[email protected]>
Subject: RE: [NTSysADM] permission/ share life lesson

On the share? I didn't think the actual share even had an owner the way the folder did.

Matthew Topper

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Rankin, James R
Sent: Thursday, July 2, 2015 10:50 AM
To: [email protected]
Subject: Re: [NTSysADM] permission/ share life lesson

And take ownership permission, IIRC

-------
James Rankin | Director | TaloSys | 07809668579
Sent from my Blackberry

-----Original Message-----
From: Matthew Topper <[email protected]>
Sender: "[email protected]" <[email protected]>
Date: Thu, 2 Jul 2015 15:13:01
To: [email protected]<[email protected]>
Reply-To: "[email protected]" <[email protected]>
Subject: RE: [NTSysADM] permission/ share life lesson

I didn't think so. I had this question earlier and found this:

https://technet.microsoft.com/en-us/library/cc784499%28v=ws.10%29.aspx

Full Control

Full Control is the default permission that is assigned to the Administrators group on the local computer. Full Control allows all Read and Change permissions, plus:

    Changing permissions (NTFS files and folders only)

Matthew Topper

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Dave Lum
Sent: Thursday, July 2, 2015 10:10 AM
To: [email protected]
Subject: RE: [NTSysADM] permission/ share life lesson

For general share level perms I use "Authenticated Users - Change", unless a special device like printer or something needs to hit it in which case I use "Everyone - Change". I then use NTFS to lock down everything underneath it.

IIRC when using ADUC and specifying a user home directory (I use GPO now and not this) I think that folder had to have <domain\user> - Full control at the share AND NTFS, but it's been a few years...

I try to keep Share level perms simple and use NTFS to get granular.

And I feel for those inheriting environments where user accounts are in the ACL and not groups. A couple of %dayjobs% ago it was so bad that when it came time to move to new storage it was far easier to nuke, pave and create groups and redo the ACL's than to try and figure out what was where.

Doesn't "Authenticated users - Full" allow anyone that's authenticated to rename the share itself?

Dave

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone
Sent: Thursday, July 02, 2015 6:44 AM
To: [email protected]
Subject: Re: [NTSysADM] permission/ share life lesson

On Thu, Jul 2, 2015 at 8:40 AM, Rankin, James R <[email protected]> wrote:
>
> But you wouldn't ever want to change the share perms, at least not in my
> experience, once they're set once they're set forever.

That's what we do. Share permissions are "Authenticated Users" Full. And then use AD groups on the NTFS permissions - 1 group for RWXD, 1 for RO. Since security is the more restrictive of the 2, all we have to worry about is AD group membership.
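
The layout the thread converges on (one broad share-level entry, AD groups on the NTFS ACL), written out as a PowerShell sketch. This is an added example, not code from any poster; the share name, path and group names are hypothetical placeholders, and mapping "RWXD" to Modify and "RO" to ReadAndExecute is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example. Every name below is a hypothetical placeholder.
$ShareName = 'Projects'
$Path      = 'D:\Shares\Projects'
$RwGroup   = 'CONTOSO\FS-Projects-RW'   # assumed AD group for read/write/execute/delete
$RoGroup   = 'CONTOSO\FS-Projects-RO'   # assumed AD group for read-only

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Share layer: a single broad entry that is set once and left alone.
# This follows the "Authenticated Users - Change" variant from the thread;
# the "Authenticated Users - Full" variant would use -FullAccess instead.
New-SmbShare -Name $ShareName -Path $Path `
    -ChangeAccess 'NT AUTHORITY\Authenticated Users' | Out-Null

# NTFS layer: start from a known state.
$acl = Get-Acl -Path $Path
# Drop explicit entries left over if the folder already existed.
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
# Stop inheriting from the parent and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

# Groups only, no individual user accounts in the ACL.
$grants = @(
    @('BUILTIN\Administrators', 'FullControl'),
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @($RwGroup,                 'Modify'),
    @($RoGroup,                 'ReadAndExecute')
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g[0], $g[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Read both layers back. Access over the network is limited by whichever
# layer is more restrictive for the connecting user.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessRight, AccessControlType
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited
```

With this in place, day-to-day access changes are made through membership of the two groups, and the share-level entry never needs to be touched.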
