Forum Discussion
Best practices: sharing folders, NTFS+share permissions and the Everyone permission
- Jun 13, 2019
You should follow AGDLP.
AGDLP means „Account -> Global Group -> Domain Local Group <- Permission“
I give you an example how to implement this:
You have a user „User1“. You want to use AGDLP to give Read/Write Permissions to a folder on a network share.
First create a global group in Active Directory where you collect all users that need the same permissions. In our example I call this group „Department1“ and add „User1“ to it.
Now create a folder on your file server and set NTFS permissions like this:
Owner: Builtin Administrators
Disable Inheritance
Full Access: Builtin Administrators, SYSTEM
Read Access (No Propagate): Authenticated Users
The above would look in SDDL like this:
O:BAG:DUD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;;FXFR;;;AU)
Now share the folder and leave its share permissions on „Everyone/Full Control“.
Next you create your subfolder, in our example „Folder1“. You also need to create a domain local group in Active Directory for this specific folder permission. I’ll name this group „Folder1.RW“.
Now add the group „Folder1.RW“ to the NTFS permissions of Folder1 (keep inheritance) and set its permissions to „modify“ (you can set custom permissions, deselect „delete“ and select „delete subfolders and files“ instead, if you want to keep User1 from deleting the whole Folder1).
In SDDL this would look like this on Folder1:
O:BAG:DUD:AI(A;OICI;DTFXFWFR;;;S-1-5-21-3673288924-3378700394-847182531-3628)
(S-1-5-21-3673288924-3378700394-847182531-3628 is the SID of your example group „Folder1.RW“)
The last thing to do now is to make „Department1“ a member of „Folder1.RW“ and tell User1 to log off and on again. Now he should be able to access the file share and Read/Write inside of Folder1.
If you want to use share permissions in addition to NTFS permissions (not necessary), I would set them like this:
Everyone - Read
Authenticated Users - Modify
Builtin Administrators - Full Access
I hope this gives you a starting point.
I also recommend learning and understanding AGDLP, RBAC and SDDL, especially if you need to implement more complex scenarios in the future.
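The walk-through above, scripted end to end in PowerShell. This is an added example and not code from the original post; it assumes the ActiveDirectory and SmbShare modules, an elevated session on the file server, the path D:\Shares\Share1 and the share name Share1, and it resolves the SID of Folder1.RW at run time instead of using the literal SID quoted in the post.

```powershell
#Requires -Modules ActiveDirectory, SmbShare
# Added example: AGDLP for one shared folder, mirroring the post's SDDL.
# Assumed names/paths (not from the post): $RootPath, $ShareName.

$RootPath  = 'D:\Shares\Share1'          # assumed root of the share
$SubPath   = Join-Path $RootPath 'Folder1'
$ShareName = 'Share1'                    # assumed share name
$GlobalGrp = 'Department1'               # A -> G : collects the accounts
$LocalGrp  = 'Folder1.RW'                # DL     : carries the permission
$User      = 'User1'
$ProtectFolder1 = $true                  # $true = the "deselect delete" variant

# 1. Create the groups (global for people, domain local for the resource) and nest them.
if (-not (Get-ADGroup -Filter "Name -eq '$GlobalGrp'")) {
    New-ADGroup -Name $GlobalGrp -GroupScope Global -GroupCategory Security
}
if (-not (Get-ADGroup -Filter "Name -eq '$LocalGrp'")) {
    New-ADGroup -Name $LocalGrp -GroupScope DomainLocal -GroupCategory Security
}
Add-ADGroupMember -Identity $GlobalGrp -Members $User
Add-ADGroupMember -Identity $LocalGrp  -Members $GlobalGrp    # G -> DL

# 2. Root folder: apply the post's SDDL verbatim (protected DACL, owner BUILTIN\Administrators,
#    SYSTEM and Administrators full control, Authenticated Users read on this folder only).
New-Item -ItemType Directory -Path $RootPath -Force | Out-Null
$rootAcl = Get-Acl -Path $RootPath
$rootAcl.SetSecurityDescriptorSddlForm('O:BAG:DUD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;;FXFR;;;AU)')
Set-Acl -Path $RootPath -AclObject $rootAcl

# 3. Share permissions stay at Everyone/Full Control; NTFS does the gating.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $RootPath -FullAccess 'Everyone' | Out-Null
}

# 4. Subfolder: keep inheritance and grant Folder1.RW "Modify" (the post's
#    DTFXFWFR ACE), or Modify minus Delete plus DeleteSubdirectoriesAndFiles.
New-Item -ItemType Directory -Path $SubPath -Force | Out-Null
$FSR    = [System.Security.AccessControl.FileSystemRights]
$rights = [int]$FSR::Modify
if ($ProtectFolder1) {
    $rights = ($rights -band (-bnot [int]$FSR::Delete)) -bor [int]$FSR::DeleteSubdirectoriesAndFiles
}
$groupSid = (Get-ADGroup -Identity $LocalGrp).SID
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $groupSid,
    [System.Security.AccessControl.FileSystemRights]$rights,
    'ContainerInherit, ObjectInherit',   # OICI in SDDL
    'None',
    'Allow')
$subAcl = Get-Acl -Path $SubPath
$subAcl.SetAccessRuleProtection($false, $true)   # keep inheriting from the root
$subAcl.AddAccessRule($rule)
Set-Acl -Path $SubPath -AclObject $subAcl

# 5. Show the resulting descriptors for comparison with the post's SDDL strings.
(Get-Acl -Path $RootPath).Sddl
(Get-Acl -Path $SubPath).Sddl
```

The user still has to log off and on after step 1, because group membership is only read into the access token at logon. Step 2 rewrites the whole DACL from the SDDL string, so run it against a freshly created folder rather than one that already carries permissions you want to keep.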
- Djago, Jun 24, 2019, Copper Contributor
dretzer THANKYOU THANKYOU THANKYOU THANKYOU!
Those steps were the same steps I've performed, almost...
I've followed your lead and nailed the problem. The permission group was a GLOBAL group, not a LOCAL one!
I've corrected that and everything works fine.
But I have a question. It's not a problem, it's only something I don't understand.
Suppose you have a group (Global Group), say SALES, that needs RW access to the Folder1 you created. I've put SALES inside „Folder1.RW“.
If I ask for the "Effective access" for the group SALES, I have all denied (again, "Access limited by" says "Share, File permissions"). BUT if I ask for a user inside the SALES group, permissions are correctly displayed, so the SALES users can RW the content.
Why is that? Shouldn't the SALES group have the same Effective access as its contained users?
Regards,
FSO
- dretzer, Jun 24, 2019, Iron Contributor
Djago When you evaluate users with the "effective access" tab in Windows Explorer, it actually evaluates the user token. The token includes all group memberships, and as such you see the effective access for this user including all its groups.
For groups there is no security token, so the same process only evaluates the group-access itself. You only see effective access for the group directly, not including the nested groups.
Since Win2012 you can add additional groups to the dialog and the help-text tells you as such.
You should take a look at the Sysinternals tool "accessenum.exe", which you can download here: https://docs.microsoft.com/en-us/sysinternals/downloads/accessenum
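An added example (not from the thread) that approximates the token-based evaluation dretzer describes: a user is matched against the ACL with every group its token would carry (transitive membership resolved through the LDAP_MATCHING_RULE_IN_CHAIN filter plus the well-known SIDs), whereas a group is matched with its own SID only, which is why SALES on its own shows nothing while a SALES member shows Modify. It assumes the ActiveDirectory module, a reachable domain, that Domain Users is the user's primary group, and the constructed path D:\Shares\Share1\Folder1.

```powershell
#Requires -Modules ActiveDirectory
# Added example: approximate "Effective Access" by rebuilding the SID list a token
# would hold and folding the matching ACEs together (deny wins over allow).

function Get-TokenLikeSids {
    param([Parameter(Mandatory)][string]$Identity)
    $obj = Get-ADObject -Filter "SamAccountName -eq '$Identity'" -Properties objectSid
    if (-not $obj) { throw "Principal '$Identity' not found" }
    $sids = [System.Collections.Generic.List[string]]::new()
    $sids.Add($obj.objectSid.Value)
    if ($obj.ObjectClass -eq 'user') {
        # Well-known SIDs every logged-on domain user carries
        $sids.Add('S-1-1-0')     # Everyone
        $sids.Add('S-1-5-11')    # Authenticated Users
        # Primary group (assumed: Domain Users, RID 513); not listed in 'member'
        $sids.Add((Get-ADDomain).DomainSID.Value + '-513')
        # Every group containing the user directly or via nesting (one LDAP query)
        Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($obj.DistinguishedName))" |
            ForEach-Object { $sids.Add($_.SID.Value) }
    }
    # A group gets no expansion: only its own SID, exactly like the GUI's group lookup
    return $sids
}

function Get-ApproxEffectiveAccess {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Identity)
    $sids  = Get-TokenLikeSids -Identity $Identity
    $acl   = Get-Acl -Path $Path
    $allow = 0; $deny = 0
    foreach ($ace in $acl.Access) {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sids -notcontains $aceSid) { continue }
        # Inherit-only ACEs do not apply to the folder itself
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
        else                                    { $deny  = $deny  -bor [int]$ace.FileSystemRights }
    }
    [pscustomobject]@{
        Identity        = $Identity
        Path            = $Path
        TokenSidCount   = $sids.Count
        EffectiveRights = [System.Security.AccessControl.FileSystemRights]($allow -band (-bnot $deny))
    }
}

# Constructed calls (path and names assumed):
Get-ApproxEffectiveAccess -Path 'D:\Shares\Share1\Folder1' -Identity 'User1'   # nested groups counted
Get-ApproxEffectiveAccess -Path 'D:\Shares\Share1\Folder1' -Identity 'SALES'   # only the group's own SID
```

This only models the NTFS side; the "Share" part of "Access limited by" comes from the share ACL (Get-SmbShareAccess), which the script does not read. It also ignores ACE ordering subtleties and SID filtering across trusts, so treat it as a teaching approximation next to the real Effective Access tab or AccessEnum.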
- Djago, Jun 25, 2019, Copper Contributor
Thanks again!