0

Dear Data Storage Experts,

Background:

  1. For any Windows CIFS NAS share, there are Share/Storage Level Perms and Windows/NTFS Level Perms and most companies/people like to have 'Everyone/Full Control' at Share/Storage level and apply AD groups to NTFS level to lock the share.
  2. We would like to apply same AD groups to Share perms as well. For a new/empty share, we will apply same Share/NTFS perms and then will start copying data. All the files/subfolders are inheriting BOTH Share/NTFS perms, working as expected.
  3. Using 'Subinacl' and 'ICACLS' to apply Share and NTFS Perms respectively.

Note that we do not have any subfolders/files with different Share/NTFS perms than parent.

Question is,

  • Is there a command/utility to view Share permissions of files/folders within a given share? * and *.* is not working via subinacl. I thought there was an option to view share permissions recursively. Just want to confirm if inheritance is working as expected.

    subinacl /share "\\<server>\<share>\*"

    subinacl /share "\\<server>\<share>\*.*"

  • Any other advice/recommendation/best practice for playing with Share/NTFS permissions of NAS share? Really appreciate it.

Makhu

1 Answer

2

Share permissions are set for the share as a whole, regardless of the folders contained in the share. If you are not listed on the share with read permissions, you cannot access any folder on the share over the network.

Only NTFS permissions will be inherited by child folders. SubinACL would only return the overall permissions of the share. You must use /file or /subdirectories to review the NTFS permissions on the folders/files themselves.

The use of share permissions would be to further restrict access to NTFS permissions. If the share permissions are not more restrictive than the NTFS permissions then you may as well set the share permissions to everyone:F. Otherwise your configuration becomes needlessly complex.

Here are some examples on how you can use share permissions: https://blog.varonis.com/the-difference-between-share-and-ntfs-permissions/

TS79
  • Thanks a lot @TS79 for quick response, appreciate it. Totally agreed with you, fan of 'Everyone' at Share level and controlling via NTFS. But had to restrict it due to company policy. As our environment is very clean, managing both might be easier. – Makhu Jul 27 '18 at 11:55
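
An added example, not part of the original thread: one way to check what the answer describes, listing the single share-level ACL once and then walking the tree to report any file or folder whose NTFS ACL deviates from its parent. `$Server` and `$Share` are placeholders, and the `Get-SmbShareAccess` step assumes a Windows file server reachable over CIM; on a NAS appliance, read the share ACL with the vendor's tooling or `subinacl /share` instead.

```powershell
# Added example (not from the original thread). $Server and $Share are placeholders.
param(
    [Parameter(Mandatory)] [string] $Server,
    [Parameter(Mandatory)] [string] $Share
)

$root = "\\$Server\$Share"

# 1. Share-level ACL: one list for the whole share, never per file or folder.
#    Assumption: the server is Windows and exposes the SMB CIM classes remotely.
Get-SmbShareAccess -Name $Share -CimSession $Server |
    Select-Object Name, AccountName, AccessControlType, AccessRight |
    Format-Table -AutoSize

# 2. NTFS ACLs: walk every child item and report anything that deviates from
#    its parent, i.e. explicit (non-inherited) ACEs or inheritance switched off.
#    The share root itself is skipped because its ACEs are explicit by design.
$deviations = Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl      = Get-Acl -LiteralPath $_.FullName
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

        if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
            [pscustomobject]@{
                Path                = $_.FullName
                InheritanceDisabled = $acl.AreAccessRulesProtected
                ExplicitAces        = ($explicit | ForEach-Object {
                    "$($_.IdentityReference):$($_.AccessControlType):$($_.FileSystemRights)"
                }) -join '; '
            }
        }
    }

if ($deviations) {
    # Each entry is an item whose access differs from what the parent grants.
    $deviations | Format-List
} else {
    "Every item under $root inherits its NTFS ACL from the parent."
}
```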