Everyone group or domain users for shares.. ?

I've forgotten.. which is considered the more proper way to setup a network
share in 2003 server.. (part of domain).. to share it out.. just add the
domain users group... full control in the share settings.. then under
security add the appropriate settings?

Thanks in advance..

Hi Mark,
There is not one right way.
Share permissions govern access to the folder from the network (as an entry
point); NTFS permissions govern use of the files and folders once you are
in. Whichever is the least permissive will apply. What you have said will
work fine in many situations. A few other ideas to consider:
- Change instead of Full on the Share will stop users from changing
permissions and locking other people out.
- Authenticated Users includes domain computers as well as domain users, and
so is required for Group Policy software installation for example.
Some people just allow all at the Share level and then control it at the
NTFS level. My rule of thumb is:
- Make the Share permissions the widest that you want to allow, while
denying those you definitely don't. For example, on Finance data I only want
to allow those who are positively allowed. Everyone else is not allowed. On
the Software library, I only want people in general to Read, never to Write,
so I only allow Read at the Share level.
- Make the NTFS permissions the fine-grained permissions to Read, Change
etc. for specific users and groups.
- Remember that if the user logs on locally or remote desktop, the Share
permissions are null.
Hope that helps,
Anthony, http://www.airdesk.com



"markm75" <(E-Mail Removed)> wrote in message
news:2A1AB2AF-B4D6-4BF9-AEFC-(E-Mail Removed)...
> I've forgotten.. which is considered the more proper way to setup a
> network
> share in 2003 server.. (part of domain).. to share it out.. just add the
> domain users group... full control in the share settings.. then under
> security add the appropriate settings?
>
> Thanks in advance..
>
>

"Anthony" wrote:

> Hi Mark,
> There is not one right way.
> Share permissions govern access to the folder from the network (as an entry
> point); NTFS permissions govern use of the files and folders once you are
> in. Whichever is the least permissive will apply. What you have said will
> work fine in many situations. A few other ideas to consider:
> - Change instead of Full on the Share will stop users from changing
> permissions and locking other people out.
> - Authenticated Users includes domain computers as well as domain users, and
> so is required for Group Policy software installation for example.
> Some people just allow all at the Share level and then control it at the
> NTFS level. My rule of thumb is:
> - Make the Share permissions the widest that you want to allow, while
> denying those you definitely don't. For example, on Finance data I only want
> to allow those who are positively allowed. Everyone else is not allowed. On
> the Software library, I only want people in general to Read, never to Write,
> so I only allow Read at the Share level.
> - Make the NTFS permissions the fine-grained permissions to Read, Change
> etc. for specific users and groups.
> - Remember that if the user logs on locally or remote desktop, the Share
> permissions are null.
> Hope that helps,
> Anthony, http://www.airdesk.com
>
>

Ah ok.. so whether i choose to use the "everyone" group or "domain users",
etc.. doesnt really matter then.. I had thought the everyone group was taboo
... or perhaps i was thinking back to previous windows then.. (i thought at
one point, on a non domain computer.. i had browsed to a domain server
without being prompted for credentials just by doing a \\servername.. i
thought it was the everyone group in the share that allowed it).. but another
test just minutes ago.. resulted in a prompting for creds.. not sure why it
didnt prompt the time before..

"Everyone" used to include Anonymous or Guest, not any more. Still, I think
Authenticated Users is best as the "everybody in my domain" group.
Anthony, http://www.airdesk.com


"markm75" <(E-Mail Removed)> wrote in message
news:E4587D49-88E3-458D-924C-(E-Mail Removed)...
>
>
> "Anthony" wrote:
>
>> Hi Mark,
>> There is not one right way.
>> Share permissions govern access to the folder from the network (as an
>> entry
>> point); NTFS permissions govern use of the files and folders once you are
>> in. Whichever is the least permissive will apply. What you have said will
>> work fine in many situations. A few other ideas to consider:
>> - Change instead of Full on the Share will stop users from changing
>> permissions and locking other people out.
>> - Authenticated Users includes domain computers as well as domain users,
>> and
>> so is required for Group Policy software installation for example.
>> Some people just allow all at the Share level and then control it at the
>> NTFS level. My rule of thumb is:
>> - Make the Share permissions the widest that you want to allow, while
>> denying those you definitely don't. For example, on Finance data I only
>> want
>> to allow those who are positively allowed. Everyone else is not allowed.
>> On
>> the Software library, I only want people in general to Read, never to
>> Write,
>> so I only allow Read at the Share level.
>> - Make the NTFS permissions the fine-grained permissions to Read, Change
>> etc. for specific users and groups.
>> - Remember that if the user logs on locally or remote desktop, the Share
>> permissions are null.
>> Hope that helps,
>> Anthony, http://www.airdesk.com
>>
>>
>
> Ah ok.. so whether i choose to use the "everyone" group or "domain users",
> etc.. doesnt really matter then.. I had thought the everyone group was
> taboo
> .. or perhaps i was thinking back to previous windows then.. (i thought at
> one point, on a non domain computer.. i had browsed to a domain server
> without being prompted for credentials just by doing a \\servername.. i
> thought it was the everyone group in the share that allowed it).. but
> another
> test just minutes ago.. resulted in a prompting for creds.. not sure why
> it
> didnt prompt the time before..
>
>