ntfs folder permissions are bum

Discussion in 'MCDST' started by derkit, Sep 27, 2007.

  1. derkit

    derkit Gigabyte Poster

    yep, you heard it here - it's official :(:(
     
    Certifications: MBCS, BSc(Hons), Cert(Maths), A+, Net+, MCDST, ITIL-F v3, MCSA
    WIP: 70-293
  2. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    Uh... why? :blink
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  3. derkit

    LOL - just trying to get my head around them.... as well as trying to get my virtual xp machine to allow me to use them correctly (otherwise known as derkit trying to understand WTF is going on!)

    Why do so many people have issues with these permissions??
     
  4. BosonMichael
    Then the problem *really* doesn't have to do with NTFS folder permissions and more has to do with "user error", right? :twisted:
     
  5. stuPeas

    stuPeas Megabyte Poster

    I had a nightmare with them as well when I was learning server administration. Wait till you have to combine them with share permissions. Then it gets pretty complicated. :blink
     
    Certifications: C&G Electronic, CIW Associate (v5).
    WIP: CIW (Website Design Manager)
  6. derkit

    g*t :D

    it is user error - you're spot on..... just trying to muddle through them - I understand what they do, but I'm not satisfied until I can do it myself......

    calm down - one step at a time :)
    That's next on my list to look at - then we have effective permissions :eek:
     
  7. stuPeas

    Don't get me wrong, I've never actually, physically done it on a machine (I wish I could afford a new OS and a couple more PCs), I only know the theory.

    Good luck matey :D
     
  8. Tinus1959

    Tinus1959 Gigabyte Poster

    Everything is difficult at first. When the coin drops, you wonder why you ever had a problem with it.
     
    Certifications: See my signature
    WIP: MCSD, MCAD, CCNA, CCNP
  9. derkit

    trying to get List Folder Contents on folders to work... but when I select it from the "basic" list, the special permissions indicate that I can navigate through the folders (like read & execute) by default.

    Does that mean if I want List Folder Contents only, I'll also need to modify the special perms?
     
  10. derkit

    Actually my folders' "basic" perms are List Folder Contents only but the special perms are down as Read & Execute...

    I've deleted the ACE that I want to give access to and recreated it, but the above still happens as default??


    =======

    I guess my aim is to have a physical example of what "List Folder Contents" does because at the moment I can't see how it would work. Allow a user to see what is inside the top folder but without being able to delve into the folder tree further.

    If I set the basic perms as "list folder contents" it doesn't seem to have any effect at all - it reacts the same way as Read & Execute.
    If I remove all the perms except for List Folder/Read Data in the special perms, it still does the same but only restricts me from accessing files.

    Something that seems simple, 1 tick, permission to see what's in the top folder, has got strangely more complex.... am I making sense?? :dry
     
  11. BosonMichael
    In practice, it is recommended to open Share permissions up to Everyone with Full Control, and apply the NTFS permissions that you want to specify (for the exam, you certainly need to know how the permissions combine).

    Trivia question: Why is it done this way around rather than in reverse (open up NTFS to Everyone/Full, and apply the specific Share permissions)?
     
  12. BosonMichael
    Some permissions include "List Folder Contents". Remove everything except "List Folder Contents" and see what happens...
     
  13. Tinus1959

    Normally when someone needs list folder contents, he needs it because he wants to be able to do something with it (read, start a program). What would be the purpose of having a folder in which you can only see the dir and nothing else?

    Also remember that some permissions are there just to be compatible with some programs.
     
  14. BosonMichael
    I'm having to stretch reality a bit... but perhaps there's a user who needs to be able to verify that a coworker has uploaded a report, but the user should not have rights to view the report. Sure, that'd rarely (if ever) happen in real life... but... there's an obscure scenario where it could be necessary.
     
  15. derkit

    The same thing I've already mentioned. It allows me to see through the entire folder tree. I am unable to access the text files.



    I've tried setting no basic permissions, and have put List Folder/Read Data as ALLOW and Traverse Folder/Execute File as DENY - this still allows me to traverse through the folders.... but shouldn't? Should it?

    10mins later.......

    Actually yes it should according to Technet Linky it says
    "For folders: Traverse Folder allows or denies moving through folders to reach other files or folders, even if the user has no permissions on the traversed folders. (Applies to folders only.) Traverse folder takes effect only when the group or user is not granted the Bypass traverse checking user right in the Group Policy snap-in. (By default, the Everyone group is given the Bypass traverse checking user right.)"

    and of course I'm not using any group policies yet......


    :oops:
     
  16. derkit

    Just edited the group policy and removed the users and everyone account..... and guess what, it works exactly like I expected it to :git :drummer

    Now I've managed that, onto the next Folder permission.

    Hope my thoughts entertained you over the past hour or so.
    Thanks for the pointers :)
     
  17. BosonMichael
    Ah, now I understand what you're trying to say. You're going to be able to see through the entire folder tree if you've got inheritance enabled. Kill inheritance at the next lower folder level, and you'll see that those permissions don't propagate to child folders.
     
  18. derkit

    Sorry for not explaining myself better - the inheritance I killed some time ago and it still wasn't allowing me to stop the exploration - it wasn't until that group policy break through that what I expected to happen with the folder permissions actually happened..... that'll teach me for getting too far involved where I don't need to be :)
     
  19. derkit

    And I've just numptied again..... the List Folder Contents did work at my first attempt, I just read the text book incorrectly - I took it that the permission listed the contents from the first folder level only and not for the entire tree.

    That's 2 hours of my life gone :)
     
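The observation earlier in the thread, that a folder ticked as "List Folder Contents" shows the same special permissions as Read & Execute, comes down to inheritance: both grant the same rights, but List Folder Contents is inherited by subfolders only, while Read & Execute is inherited by subfolders and files. This PowerShell sketch is an added example, not code from any poster; the scratch path under `%TEMP%`, the folder names and the choice of BUILTIN\Users as the test principal are assumptions.

```powershell
# Added example. Scratch path and folder names are constructed for the demo.
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # BUILTIN\Users

function New-DemoFolder {
    param([string]$Name,
          [System.Security.AccessControl.InheritanceFlags]$Inherit)
    $path = Join-Path $env:TEMP "acl-demo\$Name"
    if (Test-Path $path) { Remove-Item $path -Recurse -Force }
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # Same rights in both cases; only the inheritance flags differ.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, 'ReadAndExecute', $Inherit, 'None', 'Allow')
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Children created after the ACE is in place inherit from it.
    New-Item -ItemType Directory -Path (Join-Path $path 'sub') | Out-Null
    Set-Content -Path (Join-Path $path 'report.txt') -Value 'sample'
    $path
}

function Show-UsersAce {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Force | ForEach-Object {
        $item = $_
        $aces = (Get-Acl -Path $item.FullName).GetAccessRules(
                    $true, $true, [System.Security.Principal.SecurityIdentifier]) |
                Where-Object { $_.IdentityReference.Value -eq $sid.Value }
        [pscustomobject]@{
            Item      = $item.FullName.Substring($Root.Length)
            Rights    = if ($aces) { $aces.FileSystemRights -join '; ' } else { '(no ACE for Users)' }
            Inherited = if ($aces) { $aces.IsInherited -join '; ' } else { '' }
        }
    }
}

# List Folder Contents: inherited by containers (folders) only.
$lfc = New-DemoFolder -Name 'list-folder-contents' -Inherit 'ContainerInherit'
# Read & Execute: inherited by containers and objects (files).
$rx  = New-DemoFolder -Name 'read-and-execute' -Inherit 'ContainerInherit, ObjectInherit'

Show-UsersAce $lfc | Format-Table -AutoSize
Show-UsersAce $rx  | Format-Table -AutoSize
```

Compare the `report.txt` row in the two tables: the subfolder inherits the ACE in both cases, the file only in the second.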
  20. GiddyG

    GiddyG Terabyte Poster Gold Member

    Setting myself up for a fall here, but what the heck... I assume that you would set the permissions on the share as higher just the once, and then use NTFS permissions on something like a group to control the access, bearing in mind that when you combine Share and NTFS permissions the most restrictive wins?

    You always know that the share has Everyone with FC, so you merely restrict using NTFS perms.

    For example Everyone has FC, and Sales group has Change. Result is that anyone in Sales has Change.
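The "most restrictive wins" rule discussed above can be modelled as: accumulate rights within each layer, then intersect the share layer with the NTFS layer, with the share layer applying only to access made through the share. This PowerShell model is an added example, not code from any poster; the group names and ACE lists are constructed, share levels Read/Change/Full Control are approximated with `FileSystemRights` values, and ACE ordering is ignored.

```powershell
# Added example: simplified model, nothing is read from a live system.
function Get-LayerRights {
    param([string[]]$Memberships, [object[]]$Aces)
    $allow = 0; $deny = 0
    foreach ($ace in $Aces) {
        if ($Memberships -notcontains $ace.Principal) { continue }
        $bits = [int][System.Security.AccessControl.FileSystemRights]$ace.Rights
        if ($ace.Type -eq 'Deny') { $deny = $deny -bor $bits }
        else                      { $allow = $allow -bor $bits }
    }
    # Within one layer, allows accumulate across groups and a deny removes bits.
    $allow -band (-bnot $deny)
}

function Get-EffectiveRights {
    param([string[]]$Memberships, [object[]]$ShareAces,
          [object[]]$NtfsAces, [switch]$ViaNetwork)
    $rights = Get-LayerRights -Memberships $Memberships -Aces $NtfsAces
    if ($ViaNetwork) {
        # Share permissions are evaluated only for access through the share.
        $share  = Get-LayerRights -Memberships $Memberships -Aces $ShareAces
        $rights = $rights -band $share
    }
    [System.Security.AccessControl.FileSystemRights]$rights
}

# Constructed sample: a user who is a member of Everyone and Sales.
$user      = 'Everyone', 'Sales'
$everyone  = @{ Principal = 'Everyone'; Rights = 'FullControl'; Type = 'Allow' }
$sales     = @{ Principal = 'Sales';    Rights = 'Modify';      Type = 'Allow' }

$layouts = @(
    @{ Name = 'Open share, specific NTFS'; Share = @($everyone); Ntfs = @($sales) },
    @{ Name = 'Specific share, open NTFS'; Share = @($sales);    Ntfs = @($everyone) }
)

foreach ($l in $layouts) {
    [pscustomobject]@{
        Layout     = $l.Name
        ViaNetwork = Get-EffectiveRights -Memberships $user -ShareAces $l.Share -NtfsAces $l.Ntfs -ViaNetwork
        Local      = Get-EffectiveRights -Memberships $user -ShareAces $l.Share -NtfsAces $l.Ntfs
    }
}
```

Both layouts give the same result over the network; they differ only in what a user logged on at the machine itself ends up with.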
     
