Post by T
W7 pro sp1 x64
I thought I understood this, but ...
Okay, I have a series of subdirectories, the root of
which is shared. I only want specific users to be able
to access their named subdirectory.
authenticated users
specific user name
If I set authenticated to denied and the specific user to
allow all, no one can get into the directory including
Administrator. Can't delete it either (Linux Live can though)
What exactly is an "authenticated user"? And does that
include any users logged in using a shared drive?
My fear is that by allowing Authenticated Users, I
will let all network loggers into the subdirectory.
And, what is the best way to do what I want?
Many thanks,
-T
Security *groups* can overlap on their permissions while some have a
subset of permissions from another. Your specific user (Windows
account) has to be assigned to a security group. Run:
control.exe userpasswords2
Alas, I'm on a Home Premium edition of Windows 7 and that kills off much
of the other security admin functions. When I try to get to some
security apps, I'm greeted with some message telling me it is not
available. As a consequence, I cannot see the overlap in permissions
between the different security groups.
My guess is your specific user (Windows account) is in a security group
which is a subset (child) of the Authenticated Users security group. A
Windows account can be assigned to multiple security groups. Security
groups can be a subset of another.
There are only 2 real hives in the registry. The others that you see
are pseudo-hives: they are a compilation of settings from the 2 real
hives. Similarly, Authenticated Users is not a true security group.
http://windowsitpro.com/systems-management/understanding-authenticated-users-group
https://blog.varonis.com/the-difference-between-everyone-and-authenticated-users/
Saying that you added a Windows account to have permissions on a folder
doesn't say what permissions that account was given on that object nor
does it say you recursed those permissions to its child objects (files
and subfolders).
Also, for each "named subdirectory", did you assign that folder as being
owned by the associated Windows account for that user? And recurse those
permissions into its children?
For the parent (root) folder, did you add the Everyone pseudo security
group so all those visitors can then navigate to a child folder (by the
name of that visitor)? For the subfolders (by the name of the visitor),
how are you going to add their Windows account to have all permissions
if that Windows account is not defined on the host doing the sharing?
Or, when you add "specific user", are you specifying their hostname when
you add that account from the other host? On the host where you are
changing permissions for a subfolder under your root folder, are you
adding "theirComputerName_sharingFrom\theirAccountName_sharingFrom" to
grant their access here from their host? Or did you create an account
on your root folder host for each of those visitors with the same
Windows account name and permissions as for the Windows account under
which they log onto their host (so you could then just use the local
Windows account to allow their remote connect)?
Deny permissions are not the exact converse of Allow permissions. Also,
depending on how you added permissions to the subfolders, they may be
authenticated users but you chose to deny their access. You overrode
the specific user by denying them since they are also an authenticated
user.
http://www.ntfs.com/ntfs-permissions-allow.htm
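
Added example, not part of either post: a simplified Python model of how Windows walks a folder's ACL, showing why the deny-plus-allow setup in the question locks out the named user and Administrator, next to an allow-only ACL. The account names (alice, bob), the three access bits and the helper functions are constructed for illustration; real ACLs also involve inheritance and ownership, which this model leaves out.

```python
# Simplified model of the Windows access check (constructed example).
READ, WRITE, DELETE = 1, 2, 4          # stand-ins for real access-mask bits
FULL = READ | WRITE | DELETE

AUTH_USERS = "Authenticated Users"     # well-known SID S-1-5-11
ADMINS = "BUILTIN\\Administrators"

def token(user, *groups):
    """SIDs in a logon token. Any account that logged on with credentials,
    locally or over the share, also carries Authenticated Users
    (Guest and anonymous logons excepted)."""
    return {user, AUTH_USERS, *groups}

def canonical(dacl):
    """Order ACEs the way the ACL editor stores them: deny before allow."""
    return sorted(dacl, key=lambda ace: ace[0] != "deny")

def access_check(tok, dacl, wanted):
    """Walk ACEs in order; the first deny touching a still-needed bit wins."""
    remaining = wanted
    for kind, sid, mask in canonical(dacl):
        if sid not in tok:
            continue                   # ACE is for someone else
        if kind == "deny" and mask & remaining:
            return False
        if kind == "allow":
            remaining &= ~mask
            if not remaining:
                return True
    return False                       # nothing granted the rest: implicit deny

alice = token("alice")                 # hypothetical owner of the subfolder
bob = token("bob")                     # hypothetical other share user
admin = token("Administrator", ADMINS)

# ACL from the question: deny Authenticated Users, allow the named user.
locked = [("allow", "alice", FULL), ("deny", AUTH_USERS, FULL)]
# Allow-only ACL: accounts that are not listed get no access at all.
scoped = [("allow", "alice", FULL), ("allow", ADMINS, FULL)]

def results(dacl):
    return {name: access_check(tok, dacl, READ)
            for name, tok in (("alice", alice), ("bob", bob), ("admin", admin))}

if __name__ == "__main__":
    print("deny + allow:", results(locked))
    print("allow only  :", results(scoped))
```

In the model, the deny entry is never needed to keep bob out: leaving Authenticated Users off the ACL has the same effect without blocking alice or Administrator.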