File Permissions on win2k

[DeadSeaSquirrels]

I'm still not very good with file permissions in Win2k. I guess I did something, but for a while I couldn't access files on my own computer, and I am an administrator (not The Administrator, just one of them). But I can't see how that can be right. I eventually fixed it, but going into the folder i was sharing and then on the security tab clicking on full control, and then somehow choosing one of the check boxes that says like "propogate security settings" or something. Can somebody explain what the deali is with all those options.

Also what is the difference in the options of the security tab, and the permissions button in the sharing tab, when you share a file...obviously they serve different purposes but what is it. Is one for users on the network, and one for users who login to your computer?

Secondly, lets say I share one folder, which has many subfolders. Why is it that somebody on the network can go into some subfolders and not others. I mean the made just one general share of the super directory, and all the share attributes I assume should propogate down to the subfolders, and that's it. Is there any reason why one subfolder would be accessible and another not, even if I never made any other share rules, other than the one in the super folder? Please please help somebody.

 

[Woodie]

They are seperate permissions:

NTFS (File Permissions): These apply to any user that attempts to access the protected (ACLed) files or directories. They can be applied to files or folders, and propagated down a directory tree, if desired.

Share Permissions: These apply to a SHARE, not to a file/folder. These are applied to any user that attempts to access the files/folders/printer THROUGH THE SHARE.

If a user is logged on to a server, they can access the files/folders in accordance with the NTFS permissions, but a user connected to a share point will be able to access files/folders in accordance with the NTFS permissions AND the share permissions. Most restrictive rules apply.

Example:
Take the following directory structure:
d:\Projects\ <==shared as Proj, ACL: Everyone READ, ProjectManagers FULL CONTROL
d:\Projects\LAN <== shared as LAN, ACL: Everyone READ, LANProjMgrs FULL CONTROL
d:\Projects\WAN <== shared as WAN, ACL: WANProjMgrs FULL CONTROL

(The ACLs contain groups and their permissions).
Results:
Everyone can connect to the Proj share, and have READ ONLY access to every subdirectory and file.
Members of the ProjectManagers group can connect to the Proj share, and have READ/WRITE to every subdirectory and file.
Members of the LANProjMgrs and WANProjMgrs can connect to the Proj share, and have READ ONLY to every subdirectory/file. Note, even though these members appear to have FULL CONTROL, they don't, because they're connecting to the proj share, where they're part of the everyone group.

Everyone can connect to the LAN share, and have READ ONLY access to every subdirectory and file.
Members of the ProjectManagers and WANProjMgrs groups can connect to the LAN share, and have READ ONLY to every subdirectory and file. (they're part of the everyone group now)
Members of the LANProjMgrs group can connect to the LAN share, and have READ/WRITE to every subdirectory and file.

Everyone, ProjectManagers, and LANProjMgrs can connect to the WAN share, and have NO access to any subdirectory and file.
Members of the WANProjMgrs group can connect to the WAN share, and have READ/WRITE to every subdirectory and file.

Note: If I'm everyone, then I can still read the data in the WAN folder, by connecting to the PROJ share, and navigating down the directory tree to d:\Projects\WAN.

Now you can add NTFS permissions to the above mix, to prevent directory navigation stuff. Keep in mind, the least permissions is what the user will end up with.

Now that I've typed all this up, isn't there an FAQ on this?