NTFS Permissions and shares

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hello...
Just trying to get my head around NTFS permissions and shares on a workgroup. My understanding is that if you are not on a domain ie in a workgroup, you cant use NTFS permissions to restrict user access by users on other machines to folders on your machine, and have to instead rely on share permissions. If this is the case how do you assign access to user accounts on other machines in the share tab? On my machine the only location it is allowing me to select users from is the local machine.

Sorry if this sounds confused but I am a bit.!!

Any advice will be welcome.


John

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

you use NTFS permissions to restrict users on local and remote machines.
You use share permissions to restrict users from remote locations.
Share permissions apply to folders on any type of file system.
NTFS permisions apply to folders and files only on NTFS file systems.
Generaly administrators share folders and files by sharing a folder with the grant full control on the share to the everyone group and restrict access to the files by NTFS permissions.

Hope that helps.

 

thanks.... But what I cant understand is how to share a folder (in a workgroup environment)with a group or a user on another machine other than by using the everyone group. In both the security tab and the sharing tab when you go to add a user or group the location button is only offering the local machine.
Im probably being really dense here but...... lol

John

 

You have to create local user accounts for the remote users and give those accounts NTFS permissions.

 

Yes and just to add a little to what Freddy said, the accounts must have the same user name and *password* on all machines. It is the user name and password combination that is the key. So, in your workgroup of say three computers, create an account for your users on all three machines.

In a domain, the user accounts are authenticated by a single machine, the DC (domain controller) and that issues a token to the client at log-in which is then used by the ACL (access control lists) etc to determine whether the user is allowed access to any given resource.

 

Great answer, Bluerinse!

 

Things won't necessarily work in the all situations in the way you've described. If different users have different needs and restrictions to shares then different accounts have to be used. IIRC you can still create local groups and users in a workgroup, and a combination of these can be used for share and NTFS permissions to restrict/allow access as required/needed.

 

Agreed Freddy but I didn't want to delve too deeply because I wanted to keep it straight forward so as not to confuse the OP.

Pete

 

You probably have a point, but I think this stuff should be learned to be done right the first time. It doesn't take any longer to learn it from the right perspective to tell the truth, and it helps cut down on insecurely configured systems, and people having to learn things the hard way the second time around. If you have time to learn it twice, you have time to learn it right the first time.

MS taught this stuff for years with no thought to security practices, and the legacy they gave us is millions of insecurely configured systems. They should have been teaching it right from day one and a whole lot of problems out in the business world might have very well been avoided.

 

Thanks for the help guys. So as long as a user on another pc in the workgroup has the same account name asnd password as one on the local machine they can use the permissions assigned to that local account ?

 

Yup. That's about it. If you create a local group and place the users in it you can assign the share permissions by that, and then either use different groups or specific user accounts for the NTFS permissions.

It's almost always advisable to use group permissions as then all you have to do is add or delete users from the groups. You don't end up changing your actual NTFS permissions all the time. It's much easier to keep track of that way.