Access right

I need to configure the following right for user A.

Root shared folder A <- Group 1 of both share and security including user A
has READ only

Folder 1 below folder A
Folder 2 below folder A

User A need to have WRITE right for the files in Folder 2. Your guidance to
accomplish it is greatly appreciated.

Thanks,

Scott

If the permissions/security on any particular folder is different or in some
way conflicts with the permissions/security of the folder above it,...then
the lower one needs to have Inheritance removed so that it does not
automatically receive the permissions/security from above it.


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"Scott" <NoSpan-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I need to configure the following right for user A.
>
> Root shared folder A <- Group 1 of both share and security including user
A
> has READ only
>
> Folder 1 below folder A
> Folder 2 below folder A
>
> User A need to have WRITE right for the files in Folder 2. Your guidance
to
> accomplish it is greatly appreciated.
>
> Thanks,
>
> Scott
>
>

Phillip,

Thanks for your advice. If a user has read and write rights on one fold,
the resulting right is read only or write.

Scott

"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
> If the permissions/security on any particular folder is different or in
> some
> way conflicts with the permissions/security of the folder above it,...then
> the lower one needs to have Inheritance removed so that it does not
> automatically receive the permissions/security from above it.
>
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
> "Scott" <NoSpan-(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> I need to configure the following right for user A.
>>
>> Root shared folder A <- Group 1 of both share and security including user
> A
>> has READ only
>>
>> Folder 1 below folder A
>> Folder 2 below folder A
>>
>> User A need to have WRITE right for the files in Folder 2. Your guidance
> to
>> accomplish it is greatly appreciated.
>>
>> Thanks,
>>
>> Scott
>>
>>
>
>

Also, if user A connects to Folder 1 or 2 through Root shared folder A
(\\server\RootShare\Folder 1), he will never have better than Read access.
You could avoid this by sharing Folders 1 and 2 separately and connecting
directly to them; or configure an essentially empty parent share, give
Everyone Change permissions, and then use NTFS/inheritance to further
restrict access as desired.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

"Scott" <NoSpan-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I need to configure the following right for user A.
>
> Root shared folder A <- Group 1 of both share and security including user
A
> has READ only
>
> Folder 1 below folder A
> Folder 2 below folder A
>
> User A need to have WRITE right for the files in Folder 2. Your guidance
to
> accomplish it is greatly appreciated.
>
> Thanks,
>
> Scott
>
>

Doug,

Thanks for your further advice. I prefer the second one but I believe it
also does not work. If I use NTFS/inheritance by putting Group 1 in read
right, user A becomes read only and this is not what I need. Probably my
explanation is unclear and my situation is quite common in reality. User A
is the person to own and update the file and the others are the reader only
or the recipients of the documents. Group 1 contains dozen or hundred of
persons to simplify the person entry and separate related persons as one
group within the company. Alternatively did I misinterpret your meaning of
NTFS/inheritance?

Scott

"Doug Sherman [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Also, if user A connects to Folder 1 or 2 through Root shared folder A
> (\\server\RootShare\Folder 1), he will never have better than Read access.
> You could avoid this by sharing Folders 1 and 2 separately and connecting
> directly to them; or configure an essentially empty parent share, give
> Everyone Change permissions, and then use NTFS/inheritance to further
> restrict access as desired.
>
> Doug Sherman
> MCSE, MCSA, MCP+I, MVP
>
> "Scott" <NoSpan-(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> I need to configure the following right for user A.
>>
>> Root shared folder A <- Group 1 of both share and security including user
> A
>> has READ only
>>
>> Folder 1 below folder A
>> Folder 2 below folder A
>>
>> User A need to have WRITE right for the files in Folder 2. Your guidance
> to
>> accomplish it is greatly appreciated.
>>
>> Thanks,
>>
>> Scott
>>
>>
>
>

OK -

When you connect to a shared folder the user's access rights are determined
by combing his Share permissions and comparing them to his combined NTFS
permissions in a manner that is best described by example:

If John has Read Share persmissions and is a member of a group which has
Change Share permissions, then John's effective Share permissions are
Change - ie. he gets the best combination.

If John also has Read NTFS permissions to the folder, and he is a member of
a group which has Full Control NTFS permissions, then his effective NTFS
permissions are Full control - ie. he again gets the best combination.

However, if John accesses the folder through the share, he will only have
Change permissions - ie. he gets the most restrictive combination of Share
vs. NTFS.

If either the best Share permission or the best NTFS permission that John
has is Read, then John's access through the share cannot be better than
Read. Remember that just because John is a member of a group which has only
Read permission that does not prevent you from assigning some greater
permission to John's user account or to some other group of which he is a
member. However, you must give John's user account or some group of which
he is a member BOTH higher Share and higher NTFS permissions.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

"Scott" <NoSpam-(E-Mail Removed)> wrote in message
news:#(E-Mail Removed)...
> Doug,
>
> Thanks for your further advice. I prefer the second one but I believe it
> also does not work. If I use NTFS/inheritance by putting Group 1 in read
> right, user A becomes read only and this is not what I need. Probably my
> explanation is unclear and my situation is quite common in reality. User
A
> is the person to own and update the file and the others are the reader
only
> or the recipients of the documents. Group 1 contains dozen or hundred of
> persons to simplify the person entry and separate related persons as one
> group within the company. Alternatively did I misinterpret your meaning
of
> NTFS/inheritance?
>
> Scott
>
> "Doug Sherman [MVP]" <(E-Mail Removed)> wrote in
message
> news:(E-Mail Removed)...
> > Also, if user A connects to Folder 1 or 2 through Root shared folder A
> > (\\server\RootShare\Folder 1), he will never have better than Read
access.
> > You could avoid this by sharing Folders 1 and 2 separately and
connecting
> > directly to them; or configure an essentially empty parent share, give
> > Everyone Change permissions, and then use NTFS/inheritance to further
> > restrict access as desired.
> >
> > Doug Sherman
> > MCSE, MCSA, MCP+I, MVP
> >
> > "Scott" <NoSpan-(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> >> I need to configure the following right for user A.
> >>
> >> Root shared folder A <- Group 1 of both share and security including
user
> > A
> >> has READ only
> >>
> >> Folder 1 below folder A
> >> Folder 2 below folder A
> >>
> >> User A need to have WRITE right for the files in Folder 2. Your
guidance
> > to
> >> accomplish it is greatly appreciated.
> >>
> >> Thanks,
> >>
> >> Scott
> >>
> >>
> >
> >
>
>

Doug,

Many thanks for your detail explanation that clears my mind. Does NTFS
permission mean Security? I have learnt that in NTFS, the file itself on
top of folder has another set of share and security permissions. Do they
follow the same rule?

Scott

"Doug Sherman [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> OK -
>
> When you connect to a shared folder the user's access rights are
> determined
> by combing his Share permissions and comparing them to his combined NTFS
> permissions in a manner that is best described by example:
>
> If John has Read Share persmissions and is a member of a group which has
> Change Share permissions, then John's effective Share permissions are
> Change - ie. he gets the best combination.
>
> If John also has Read NTFS permissions to the folder, and he is a member
> of
> a group which has Full Control NTFS permissions, then his effective NTFS
> permissions are Full control - ie. he again gets the best combination.
>
> However, if John accesses the folder through the share, he will only have
> Change permissions - ie. he gets the most restrictive combination of Share
> vs. NTFS.
>
> If either the best Share permission or the best NTFS permission that John
> has is Read, then John's access through the share cannot be better than
> Read. Remember that just because John is a member of a group which has
> only
> Read permission that does not prevent you from assigning some greater
> permission to John's user account or to some other group of which he is a
> member. However, you must give John's user account or some group of which
> he is a member BOTH higher Share and higher NTFS permissions.
>
> Doug Sherman
> MCSE, MCSA, MCP+I, MVP
>
> "Scott" <NoSpam-(E-Mail Removed)> wrote in message
> news:#(E-Mail Removed)...
>> Doug,
>>
>> Thanks for your further advice. I prefer the second one but I believe it
>> also does not work. If I use NTFS/inheritance by putting Group 1 in read
>> right, user A becomes read only and this is not what I need. Probably my
>> explanation is unclear and my situation is quite common in reality. User
> A
>> is the person to own and update the file and the others are the reader
> only
>> or the recipients of the documents. Group 1 contains dozen or hundred of
>> persons to simplify the person entry and separate related persons as one
>> group within the company. Alternatively did I misinterpret your meaning
> of
>> NTFS/inheritance?
>>
>> Scott
>>
>> "Doug Sherman [MVP]" <(E-Mail Removed)> wrote in
> message
>> news:(E-Mail Removed)...
>> > Also, if user A connects to Folder 1 or 2 through Root shared folder A
>> > (\\server\RootShare\Folder 1), he will never have better than Read
> access.
>> > You could avoid this by sharing Folders 1 and 2 separately and
> connecting
>> > directly to them; or configure an essentially empty parent share, give
>> > Everyone Change permissions, and then use NTFS/inheritance to further
>> > restrict access as desired.
>> >
>> > Doug Sherman
>> > MCSE, MCSA, MCP+I, MVP
>> >
>> > "Scott" <NoSpan-(E-Mail Removed)> wrote in message
>> > news:(E-Mail Removed)...
>> >> I need to configure the following right for user A.
>> >>
>> >> Root shared folder A <- Group 1 of both share and security including
> user
>> > A
>> >> has READ only
>> >>
>> >> Folder 1 below folder A
>> >> Folder 2 below folder A
>> >>
>> >> User A need to have WRITE right for the files in Folder 2. Your
> guidance
>> > to
>> >> accomplish it is greatly appreciated.
>> >>
>> >> Thanks,
>> >>
>> >> Scott
>> >>
>> >>
>> >
>> >
>>
>>
>
>

Yes, the 'Security' tab is NTFS permissions. And Yes, if the the folder you
are concerned about has a parent folder, then you may have to deal with
inheritance re your NTFS permissions. If you access the folder in question
through a parent Share, then you will also be subject to those Share
permissions as well. All of this is kind of the price you pay for having
the ability to fine tune access in an extermely granular way.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

"Scott" <NoSpan-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Doug,
>
> Many thanks for your detail explanation that clears my mind. Does NTFS
> permission mean Security? I have learnt that in NTFS, the file itself on
> top of folder has another set of share and security permissions. Do they
> follow the same rule?
>
> Scott
>
> "Doug Sherman [MVP]" <(E-Mail Removed)> wrote in
message
> news:(E-Mail Removed)...
> > OK -
> >
> > When you connect to a shared folder the user's access rights are
> > determined
> > by combing his Share permissions and comparing them to his combined NTFS
> > permissions in a manner that is best described by example:
> >
> > If John has Read Share persmissions and is a member of a group which has
> > Change Share permissions, then John's effective Share permissions are
> > Change - ie. he gets the best combination.
> >
> > If John also has Read NTFS permissions to the folder, and he is a member
> > of
> > a group which has Full Control NTFS permissions, then his effective NTFS
> > permissions are Full control - ie. he again gets the best combination.
> >
> > However, if John accesses the folder through the share, he will only
have
> > Change permissions - ie. he gets the most restrictive combination of
Share
> > vs. NTFS.
> >
> > If either the best Share permission or the best NTFS permission that
John
> > has is Read, then John's access through the share cannot be better than
> > Read. Remember that just because John is a member of a group which has
> > only
> > Read permission that does not prevent you from assigning some greater
> > permission to John's user account or to some other group of which he is
a
> > member. However, you must give John's user account or some group of
which
> > he is a member BOTH higher Share and higher NTFS permissions.
> >
> > Doug Sherman
> > MCSE, MCSA, MCP+I, MVP
> >
> > "Scott" <NoSpam-(E-Mail Removed)> wrote in message
> > news:#(E-Mail Removed)...
> >> Doug,
> >>
> >> Thanks for your further advice. I prefer the second one but I believe
it
> >> also does not work. If I use NTFS/inheritance by putting Group 1 in
read
> >> right, user A becomes read only and this is not what I need. Probably
my
> >> explanation is unclear and my situation is quite common in reality.
User
> > A
> >> is the person to own and update the file and the others are the reader
> > only
> >> or the recipients of the documents. Group 1 contains dozen or hundred
of
> >> persons to simplify the person entry and separate related persons as
one
> >> group within the company. Alternatively did I misinterpret your
meaning
> > of
> >> NTFS/inheritance?
> >>
> >> Scott
> >>
> >> "Doug Sherman [MVP]" <(E-Mail Removed)> wrote in
> > message
> >> news:(E-Mail Removed)...
> >> > Also, if user A connects to Folder 1 or 2 through Root shared folder
A
> >> > (\\server\RootShare\Folder 1), he will never have better than Read
> > access.
> >> > You could avoid this by sharing Folders 1 and 2 separately and
> > connecting
> >> > directly to them; or configure an essentially empty parent share,
give
> >> > Everyone Change permissions, and then use NTFS/inheritance to further
> >> > restrict access as desired.
> >> >
> >> > Doug Sherman
> >> > MCSE, MCSA, MCP+I, MVP
> >> >
> >> > "Scott" <NoSpan-(E-Mail Removed)> wrote in message
> >> > news:(E-Mail Removed)...
> >> >> I need to configure the following right for user A.
> >> >>
> >> >> Root shared folder A <- Group 1 of both share and security including
> > user
> >> > A
> >> >> has READ only
> >> >>
> >> >> Folder 1 below folder A
> >> >> Folder 2 below folder A
> >> >>
> >> >> User A need to have WRITE right for the files in Folder 2. Your
> > guidance
> >> > to
> >> >> accomplish it is greatly appreciated.
> >> >>
> >> >> Thanks,
> >> >>
> >> >> Scott
> >> >>
> >> >>
> >> >
> >> >
> >>
> >>
> >
> >
>
>