Server Access Authorisation

Authorisation for network access to shared data on any Windows server requires appropriate permission entries in two separate Access Control Lists. Both lists are reached, as indicated, from Folder Properties.

  • Share Permissions (“Sharing – Permissions”).
  • NTFS Permissions (“Security”).


Note that the term Windows server can refer to a computer running any actual server Operating System, such as:

  • Windows NT Server
  • Windows 2000 Server
  • Windows Server 2003

or it can refer to a computer running any desktop operating system, and working as a server. Any Windows desktop operating system will run as a server, unless otherwise configured.

  • Windows NT Workstation
  • Windows 2000 Professional
  • Windows XP Home
  • Windows XP Professional

Also note that, while XP Home uses ACLs, you cannot generally view or edit them without special procedures.

Share Permissions apply only to network access; NTFS permissions apply to local access and are also checked when the same files are reached over the network. Network access therefore requires both. You need either Everyone, a relevant Local Group, or the specific account set up with sufficient rights in BOTH lists.

A simple procedure is to grant Full rights to Everyone, on the share permissions, then grant restrictive rights to the individual accounts or groups, on the NTFS permissions. A more complex procedure is to set both share permissions, and NTFS permissions, precisely as required (and no higher than required) for each specific account or group.

The resulting network rights are the more restrictive of the two lists, if different.

  • If Everyone has Full Control for Share Permissions, and an individual account has Read for NTFS Permissions, network access, for the individual account, will be Read. The owner of that account will have read-only access, whether accessing network shares, or when using the server from its desktop.
  • If Everyone has Read Access for Share Permissions, and an individual account has Full Control for NTFS Permissions, network access, for the individual account, will still be Read. The owner of the account will have write access when using the server from its desktop, but like everybody else, will have read access when accessing network shares.
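The rule above can be modelled in a few lines. This is an added example, not code from the original article; it assumes rights are simple ordered levels, that only Allow entries exist (no Deny entries), and that group membership is passed in by the caller. The account and group names are constructed.

```python
# Added illustration: a simplified model of how share and NTFS grants combine.
# Assumptions: rights are ordered levels, only Allow entries exist (no Deny),
# and group membership is supplied by the caller.
from enum import IntEnum


class Level(IntEnum):
    NONE = 0
    READ = 1
    CHANGE = 2
    FULL = 3


def granted(acl, account, groups):
    """Highest level an ACL grants via the account, its groups, or Everyone."""
    principals = {account, "Everyone", *groups}
    return max((lvl for who, lvl in acl.items() if who in principals),
               default=Level.NONE)


def effective_access(share_acl, ntfs_acl, account, groups=()):
    """Return (network, local, limiting_list) for one account on one share."""
    share = granted(share_acl, account, groups)
    ntfs = granted(ntfs_acl, account, groups)
    network = min(share, ntfs)          # the more restrictive list wins
    if share == ntfs:
        limiting = "neither"
    else:
        limiting = "share" if share < ntfs else "NTFS"
    return network, ntfs, limiting      # local access is checked against NTFS only


# Constructed sample data: the two cases from the text, plus an account that
# has an entry in only one of the two lists.
CASES = {
    "full share, read NTFS": ({"Everyone": Level.FULL}, {"alice": Level.READ}, "alice", ()),
    "read share, full NTFS": ({"Everyone": Level.READ}, {"alice": Level.FULL}, "alice", ()),
    "missing from share list": ({"Accounting": Level.CHANGE}, {"bob": Level.FULL}, "bob", ("Staff",)),
}

if __name__ == "__main__":
    for name, (share_acl, ntfs_acl, account, groups) in CASES.items():
        net, local, limiting = effective_access(share_acl, ntfs_acl, account, groups)
        print(f"{name}: network={net.name} local={local.name} limited by {limiting}")
```

The third case shows why an account with Full Control on the Security tab can still be refused over the network: the limiting list is reported so you know which of the two to inspect.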

In cases where some files or folders are accessible, but not others, the NTFS permissions may be corrupt. You have various possible remedies here.

  • Correct the problem from the Security tab.
  • Correct the problem using the CACLS utility. CACLS is a simple solution, when you need all files and folders permissioned identically.
    • Open a command window.
    • Position yourself (“cd …”) in the folder corresponding to the share in question (maybe C:, for instance).
    • Identify the account or group to which you wish to grant permissions (in this example, the group Everyone), and the type of permission to be granted (in this example, Full permission).
    • Enter:

      cacls *.* /t /g Everyone:F

      Note carefully the words (sequence of non-blank characters), separated by spaces, in the example above. The spaces in the example are essential. There are 5 words in this example: “cacls”, “*.*”, “/t”, “/g”, and “Everyone:F”. Don’t omit the spaces between the words!

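    This is a simple example; the CACLS command has many options. Used without the /e switch, /g replaces the existing ACL on each file with the entry you specify, removing any other accounts' entries; add /e to edit the ACL instead of replacing it. Read the article linked above, or enter “cacls /?” in the command window for details.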

  • Correct the problem using alternate techniques.