When you set up a shared folder, you need to set up shared permissions on that folder. If you’re using NTFS, you will also need to set up NTFS security on the folder. Since both shared permissions and NTFS security are in effect when the user is remote, what happens when the two conflict?
These are the two basic rules of thumb:
■ The local permission is the NTFS permission.
■ The remote permission is the more restrictive set of permissions between NTFS and shared.
This is easy to do as long as you do it in steps. Let’s look at Figure 11.14 and walk through the process of figuring out what wpanek has for rights.
FIGURE 11.14 NTFS security and shared permissions example
Folder: StormWind Documents
User: wpanek (member of Marketing, Sales, and R&D)

Group | Shared permissions | NTFS security
Marketing | R | RX
Sales | R | R
R&D | R | FC

Local = ? Remote = ?
As you can see, wpanek belongs to three groups (Marketing, Sales, and R&D), and all three groups have settings for the StormWind Documents folder. In the figure, you will notice that there are two questions: Remote = ? and Local = ? That’s what you need to figure out: what are wpanek’s effective permissions when he is sitting at the computer that shares the folder, and what are his effective permissions when he connects to the folder from another computer (remotely)? To figure this out, follow these steps:
1. Add up the permissions on each side separately.
Remember, permissions and security are additive. You get the highest permission. So, if you look at each side, the highest shared permission is the Read permission. The NTFS security side should add up to equal Full Control. Thus, now you have Read permission on shared and Full Control on NTFS.
2. Determine the local permissions.
Shared permissions do not apply when you are local to the data. Only NTFS would apply. Thus, the local permission would be Full Control.
3. Determine the remote permissions.
Remember, the remote permission is the most restrictive set of permissions between NTFS and shared. Since Read is more restrictive than Full Control, the remote permission would be Read.
Let’s try another. Look at Figure 11.15, and see whether you can come up with wpanek’s local and remote permissions.
FIGURE 11.15 NTFS security and shared permissions
Folder: StormWind Documents
User: wpanek (member of Marketing, Sales, and R&D)

Group | Shared permissions | NTFS security
Marketing | R | R
Sales | R | R
R&D | FC | R

Local = ? Remote = ?
Your answer should match the following:
Local = Read
Remote = Read
Remember, first you add up each side to get the highest level of rights. NTFS would be Read, and shared would be Full Control. The local permission is always just NTFS (shared does not apply to local permissions), and remote permission is whichever permission (NTFS or shared) is the most restrictive (which would be Read on the NTFS side).
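The three steps applied to both figures, as an added Python example that is not from the book. It assumes permission levels can be ranked on one scale (with share Change treated like NTFS Modify) and does not model Deny entries; the third case is constructed to show a user with no matching share entry.

```python
# Added example, not from the book. Assumption: levels form one ordered scale
# (share "Change" is treated like NTFS "Modify"); Deny entries are not modelled.
RANK = {"R": 1, "RX": 2, "M": 3, "FC": 4}
NAME = {rank: name for name, rank in RANK.items()}


def combined(grants, groups):
    """Step 1: permissions are additive, so take the highest level granted to
    any group the user belongs to. Returns 0 when no entry matches the user."""
    return max((RANK[p] for g, p in grants.items() if g in groups), default=0)


def effective(share, ntfs, groups):
    """Return (local, remote) effective permissions for a member of `groups`."""
    share_level = combined(share, groups)
    ntfs_level = combined(ntfs, groups)
    local = ntfs_level                     # Step 2: only NTFS applies locally
    remote = min(share_level, ntfs_level)  # Step 3: the more restrictive side wins
    return NAME.get(local, "none"), NAME.get(remote, "none")


WPANEK = {"Marketing", "Sales", "R&D"}

# Values transcribed from Figures 11.14 and 11.15.
FIG_11_14 = {
    "share": {"Marketing": "R", "Sales": "R", "R&D": "R"},
    "ntfs": {"Marketing": "RX", "Sales": "R", "R&D": "FC"},
}
FIG_11_15 = {
    "share": {"Marketing": "R", "Sales": "R", "R&D": "FC"},
    "ntfs": {"Marketing": "R", "Sales": "R", "R&D": "R"},
}
# Constructed case: the share lists only Marketing, so an R&D-only user has
# NTFS rights but no share entry and therefore no access over the network.
CONSTRUCTED = {
    "share": {"Marketing": "R"},
    "ntfs": {"Marketing": "R", "R&D": "FC"},
}

if __name__ == "__main__":
    cases = [("Figure 11.14", FIG_11_14, WPANEK),
             ("Figure 11.15", FIG_11_15, WPANEK),
             ("Constructed", CONSTRUCTED, {"R&D"})]
    for label, acl, groups in cases:
        local, remote = effective(acl["share"], acl["ntfs"], groups)
        print(f"{label}: Local = {local}, Remote = {remote}")
```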
Exercise 11.9 walks you through the process of setting both NTFS and shared permissions. This exercise assumes that you have Active Directory installed on the server and you have some groups created. If you do not, go to Computer Management (right-click Start ➪ Computer Management) and under Local Users and Groups, create a new group that can be used in this exercise.
EXERCISE 11.9
Configuring Shared and NTFS Settings
1. Create a new folder in the root directory of your C: partition and name it Test Share.
2. Right-click the Test Share folder you created and choose Properties.
3. Click the Sharing tab and then click the Advanced Sharing button. Select Share This Folder. Make sure the share name is Test Share (see Figure 11.16).
FIGURE 11.16 Advanced Sharing
4. Click the Permissions button. Click Add. When the Select User page appears, choose a group from Active Directory or from the local group you created. (I used the Sales group.) Once you find your group, click OK.
5. The Permissions dialog box appears. With your group highlighted, click the Allow check box next to Full Control and click OK. (All of the other Allow check boxes will automatically become checked.)
6. On the Advanced Sharing page, click OK. Now click the Security tab. (This allows you to set the NTFS security settings.)
7. Click the Edit button. That takes you to the Permissions page. Now click Add. When the Select User page appears, choose a group from Active Directory. (I used the Everyone group.) Once you find your group, click OK.
8. The Permissions dialog box appears. With your group highlighted, click the Allow check box next to Modify, and click OK. (All of the check boxes below Modify will automatically become checked.)
9. Click Close.