Understanding Windows share deny permissionsBest practice ACLs to prepare for auditors?Domain-wide deny ACL not applied?Server 2012 R2 - hidden Share$ not accessibleHow to control access to folders to a Windows VPN client session?DFS-R replication: NTFS permissions don't work on some subfolders on membersAccess denied on single file with explicit permissions setSamba4 ignoring Windows Group PermissionsWindows Share Permissions VS NTFS Permissions IssueLet users see a folder in a Windows File Share, but not enter itAccess denied connecting to a share using Windows 10
Will google still index a page if I use a $_SESSION variable?
Is the Joker left-handed?
Anagram holiday
Forgetting the musical notes while performing in concert
Is it inappropriate for a student to attend their mentor's dissertation defense?
Can I ask the recruiters in my resume to put the reason why I am rejected?
How can I prevent hyper evolved versions of regular creatures from wiping out their cousins?
Took a trip to a parallel universe, need help deciphering
Combinations of multiple lists
In Romance of the Three Kingdoms why do people still use bamboo sticks when paper had already been invented?
Arrow those variables!
A reference to a well-known characterization of scattered compact spaces
How to model explosives?
Intersection of two sorted vectors in C++
I'm flying to France today and my passport expires in less than 2 months
What is the intuition behind short exact sequences of groups; in particular, what is the intuition behind group extensions?
What does it mean to describe someone as a butt steak?
When a company launches a new product do they "come out" with a new product or do they "come up" with a new product?
How can I make my BBEG immortal short of making them a Lich or Vampire?
Why doesn't H₄O²⁺ exist?
Is "remove commented out code" correct English?
What exploit are these user agents trying to use?
What to put in ESTA if staying in US for a few days before going on to Canada
What mechanic is there to disable a threat instead of killing it?
Understanding Windows share deny permissions
Best practice ACLs to prepare for auditors?Domain-wide deny ACL not applied?Server 2012 R2 - hidden Share$ not accessibleHow to control access to folders to a Windows VPN client session?DFS-R replication: NTFS permissions don't work on some subfolders on membersAccess denied on single file with explicit permissions setSamba4 ignoring Windows Group PermissionsWindows Share Permissions VS NTFS Permissions IssueLet users see a folder in a Windows File Share, but not enter itAccess denied connecting to a share using Windows 10
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I am developing some reporting for a series of Windows shares and I am not clear on the implementation details regarding permissions with deny types. While trying to calculate the resulting effective mask a user is subjected to after compensating for all share and ntfs permissions, it is not clear to me how to accomodate a deny type if present at the share level.
According to Permissions on a Shared Folder, the more restrictive permission takes precedence between the share and ntfs permissions and a deny type at the share level supersedes any permission at the ntfs level.
Consider the case where user-a has an explicit grant for Full Control at both the share and ntfs level.
If a group which user-a is a member of is added to the shares acl, any combination of a deny, Read, Change or Full Control manifests as no access at all for user-a. In addition, with the group set to Read on the share permission, user-a cannot delete a file if the path is known programmatically.
Effectively, if the context accessing a share acquires a deny of any mask, all access is denied based on my tests.
What is the use case for three mask options with a deny when the least restrictive (read) prevents all access entirely? I am aware that you can set finer grained permissions programmatically, however why expose even 3 from the UI when they all behave the same?
windows-server-2012-r2 access-control-list
asked 2 days ago
Ritmo2kRitmo2k
1111
New contributor
Ritmo2k is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
|
show 4 more comments
I am developing some reporting for a series of Windows shares and I am not clear on the implementation details regarding permissions with deny types. While trying to calculate the resulting effective mask a user is subjected to after compensating for all share and ntfs permissions, it is not clear to me how to accomodate a deny type if present at the share level.
According to Permissions on a Shared Folder, the more restrictive permission takes precedence between the share and ntfs permissions and a deny type at the share level supersedes any permission at the ntfs level.
Consider the case where user-a has an explicit grant for Full Control at both the share and ntfs level.
If a group which user-a is a member of is added to the shares acl, any combination of a deny, Read, Change or Full Control manifests as no access at all for user-a. In addition, with the group set to Read on the share permission, user-a cannot delete a file if the path is known programmatically.
Effectively, if the context accessing a share acquires a deny of any mask, all access is denied based on my tests.
What is the use case for three mask options with a deny when the least restrictive (read) prevents all access entirely? I am aware that you can set finer grained permissions programmatically, however why expose even 3 from the UI when they all behave the same?
windows-server-2012-r2 access-control-list
asked 2 days ago
Ritmo2kRitmo2k
1111
New contributor
Ritmo2k is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
1
What is the use case for three mask options with a deny when the least restrictive (read) prevents all access. There isn't a use case.
– Greg Askew
2 days ago
There most certainly has to be a valid reason for this misleading implementation detail, I would love to know it. Feel free to write this up as an answer and thanks for the confirmation.
– Ritmo2k
2 days ago
Share Permissions and NTFS permissions come from different areas of thinking. Share permissions existed before NTFS came along, and are included for backwards compatibility with older Drive Formats (fat, fat32). As far as I am personally aware, if you have NTFS permissions, share permissions are set to Everyone and full access. NTFS permissions will then apply without any quirks.
– Stese
2 days ago
@Stese, it can sometimes be useful to have two shares pointing at the same directory, one of which is read-write and the other read-only. Also, setting the share permissions to "change" rather than "full control" can be a convenient way to prevent people messing with the file permissions, even for files they own.
– Harry Johnston
2 days ago
The reason there are three separate "deny" checkboxes is probably just that Microsoft wanted to use the user interface that already existed for file permissions, rather than trying to design and implement a new one.
– Harry Johnston
2 days ago
|
show 4 more comments
I am developing some reporting for a series of Windows shares and I am not clear on the implementation details regarding permissions with deny types. While trying to calculate the resulting effective mask a user is subjected to after compensating for all share and ntfs permissions, it is not clear to me how to accomodate a deny type if present at the share level.
According to Permissions on a Shared Folder, the more restrictive permission takes precedence between the share and ntfs permissions and a deny type at the share level supersedes any permission at the ntfs level.
Consider the case where user-a has an explicit grant for Full Control at both the share and ntfs level.
If a group which user-a is a member of is added to the shares acl, any combination of a deny, Read, Change or Full Control manifests as no access at all for user-a. In addition, with the group set to Read on the share permission, user-a cannot delete a file if the path is known programmatically.
Effectively, if the context accessing a share acquires a deny of any mask, all access is denied based on my tests.
What is the use case for three mask options with a deny when the least restrictive (read) prevents all access entirely? I am aware that you can set finer grained permissions programmatically, however why expose even 3 from the UI when they all behave the same?
windows-server-2012-r2 access-control-list
asked 2 days ago
Ritmo2kRitmo2k
1111
New contributor
Ritmo2k is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
I am developing some reporting for a series of Windows shares and I am not clear on the implementation details regarding permissions with deny types. While trying to calculate the resulting effective mask a user is subjected to after compensating for all share and ntfs permissions, it is not clear to me how to accomodate a deny type if present at the share level.
According to Permissions on a Shared Folder, the more restrictive permission takes precedence between the share and ntfs permissions and a deny type at the share level supersedes any permission at the ntfs level.
Consider the case where user-a has an explicit grant for Full Control at both the share and ntfs level.
If a group which user-a is a member of is added to the shares acl, any combination of a deny, Read, Change or Full Control manifests as no access at all for user-a. In addition, with the group set to Read on the share permission, user-a cannot delete a file if the path is known programmatically.
Effectively, if the context accessing a share acquires a deny of any mask, all access is denied based on my tests.
What is the use case for three mask options with a deny when the least restrictive (read) prevents all access entirely? I am aware that you can set finer grained permissions programmatically, however why expose even 3 from the UI when they all behave the same?
windows-server-2012-r2 access-control-list
windows-server-2012-r2 access-control-list
asked 2 days ago
Ritmo2kRitmo2k
1111
New contributor
Ritmo2k is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 2 days ago
Ritmo2kRitmo2k
1111
New contributor
Ritmo2k is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 2 days ago
Ritmo2kRitmo2k
1111
New contributor
Ritmo2k is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 2 days ago
Ritmo2kRitmo2k
1111
asked 2 days ago
Ritmo2kRitmo2k
1111
1111
New contributor
Ritmo2k is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Ritmo2k is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Ritmo2k is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
1
What is the use case for three mask options with a deny when the least restrictive (read) prevents all access. There isn't a use case.
– Greg Askew
2 days ago
There most certainly has to be a valid reason for this misleading implementation detail, I would love to know it. Feel free to write this up as an answer and thanks for the confirmation.
– Ritmo2k
2 days ago
Share Permissions and NTFS permissions come from different areas of thinking. Share permissions existed before NTFS came along, and are included for backwards compatibility with older Drive Formats (fat, fat32). As far as I am personally aware, if you have NTFS permissions, share permissions are set to Everyone and full access. NTFS permissions will then apply without any quirks.
– Stese
2 days ago
@Stese, it can sometimes be useful to have two shares pointing at the same directory, one of which is read-write and the other read-only. Also, setting the share permissions to "change" rather than "full control" can be a convenient way to prevent people messing with the file permissions, even for files they own.
– Harry Johnston
2 days ago
The reason there are three separate "deny" checkboxes is probably just that Microsoft wanted to use the user interface that already existed for file permissions, rather than trying to design and implement a new one.
– Harry Johnston
2 days ago
|
show 4 more comments
1
What is the use case for three mask options with a deny when the least restrictive (read) prevents all access. There isn't a use case.
– Greg Askew
2 days ago
There most certainly has to be a valid reason for this misleading implementation detail, I would love to know it. Feel free to write this up as an answer and thanks for the confirmation.
– Ritmo2k
2 days ago
Share Permissions and NTFS permissions come from different areas of thinking. Share permissions existed before NTFS came along, and are included for backwards compatibility with older Drive Formats (fat, fat32). As far as I am personally aware, if you have NTFS permissions, share permissions are set to Everyone and full access. NTFS permissions will then apply without any quirks.
– Stese
2 days ago
@Stese, it can sometimes be useful to have two shares pointing at the same directory, one of which is read-write and the other read-only. Also, setting the share permissions to "change" rather than "full control" can be a convenient way to prevent people messing with the file permissions, even for files they own.
– Harry Johnston
2 days ago
The reason there are three separate "deny" checkboxes is probably just that Microsoft wanted to use the user interface that already existed for file permissions, rather than trying to design and implement a new one.
– Harry Johnston
2 days ago
1
1
What is the use case for three mask options with a deny when the least restrictive (read) prevents all access. There isn't a use case.– Greg Askew
2 days ago
What is the use case for three mask options with a deny when the least restrictive (read) prevents all access. There isn't a use case.– Greg Askew
2 days ago
There most certainly has to be a valid reason for this misleading implementation detail, I would love to know it. Feel free to write this up as an answer and thanks for the confirmation.
– Ritmo2k
2 days ago
There most certainly has to be a valid reason for this misleading implementation detail, I would love to know it. Feel free to write this up as an answer and thanks for the confirmation.
– Ritmo2k
2 days ago
Share Permissions and NTFS permissions come from different areas of thinking. Share permissions existed before NTFS came along, and are included for backwards compatibility with older Drive Formats (fat, fat32). As far as I am personally aware, if you have NTFS permissions, share permissions are set to Everyone and full access. NTFS permissions will then apply without any quirks.
– Stese
2 days ago
Share Permissions and NTFS permissions come from different areas of thinking. Share permissions existed before NTFS came along, and are included for backwards compatibility with older Drive Formats (fat, fat32). As far as I am personally aware, if you have NTFS permissions, share permissions are set to Everyone and full access. NTFS permissions will then apply without any quirks.
– Stese
2 days ago
@Stese, it can sometimes be useful to have two shares pointing at the same directory, one of which is read-write and the other read-only. Also, setting the share permissions to "change" rather than "full control" can be a convenient way to prevent people messing with the file permissions, even for files they own.
– Harry Johnston
2 days ago
@Stese, it can sometimes be useful to have two shares pointing at the same directory, one of which is read-write and the other read-only. Also, setting the share permissions to "change" rather than "full control" can be a convenient way to prevent people messing with the file permissions, even for files they own.
– Harry Johnston
2 days ago
The reason there are three separate "deny" checkboxes is probably just that Microsoft wanted to use the user interface that already existed for file permissions, rather than trying to design and implement a new one.
– Harry Johnston
2 days ago
The reason there are three separate "deny" checkboxes is probably just that Microsoft wanted to use the user interface that already existed for file permissions, rather than trying to design and implement a new one.
– Harry Johnston
2 days ago
|
show 4 more comments
0
active
oldest
votes
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Ritmo2k is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f961099%2funderstanding-windows-share-deny-permissions%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Ritmo2k is a new contributor. Be nice, and check out our Code of Conduct.
Ritmo2k is a new contributor. Be nice, and check out our Code of Conduct.
Ritmo2k is a new contributor. Be nice, and check out our Code of Conduct.
Ritmo2k is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f961099%2funderstanding-windows-share-deny-permissions%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
What is the use case for three mask options with a deny when the least restrictive (read) prevents all access. There isn't a use case.– Greg Askew
2 days ago
There most certainly has to be a valid reason for this misleading implementation detail, I would love to know it. Feel free to write this up as an answer and thanks for the confirmation.
– Ritmo2k
2 days ago
Share Permissions and NTFS permissions come from different areas of thinking. Share permissions existed before NTFS came along, and are included for backwards compatibility with older Drive Formats (fat, fat32). As far as I am personally aware, if you have NTFS permissions, share permissions are set to Everyone and full access. NTFS permissions will then apply without any quirks.
– Stese
2 days ago
@Stese, it can sometimes be useful to have two shares pointing at the same directory, one of which is read-write and the other read-only. Also, setting the share permissions to "change" rather than "full control" can be a convenient way to prevent people messing with the file permissions, even for files they own.
– Harry Johnston
2 days ago
The reason there are three separate "deny" checkboxes is probably just that Microsoft wanted to use the user interface that already existed for file permissions, rather than trying to design and implement a new one.
– Harry Johnston
2 days ago