I don't know that I would use "best way," but many people consider it the "easiest way."
When combining share+NTFS (file) permissions, the most restrictive policy always "wins." IOW, if you create a share, and give it READ only rights, anyone accessing files through that share point will have READ only access even if your NTFS permissions allow for WRITE or FULL control. If your share has FULL permissions, but NTFS permissions only allow for READ, then users accessing the file through the share point will have only READ permissions. The recommended concept is based on giving the share point FULL permissions and using actual NTFS file permissions to limit access so that is it just easier to administer. If you have multiple shares that you have different permissions on from a share standpoint, it may be difficult to troubleshoot access issues unless you really have things documented well. Giving the share FULL permissions basically takes share permissions out of the equation when troubleshooting. The "duality" is provided just in case you really want to limit overall access globally from a share - as in if you know that all access is going to be READ only, then it would be more secure to make the share READ only. Share permissions are also used for non-NTFS volumes (not that anyone really does that anymore, but you never know). It's basically there just so you can do it however you want to. HTH t On 12/23/06 2:46 AM, "dubaisans dubai" <[EMAIL PROTECTED]> spoketh to all: > I have read that the best way to allocate permissions for shared > folders is - Share the folder . Give Share-Permissions as " Everyone > Full Control" and give the specific Allow/Deny permissions in the NTFS > tab. > > Is there any insecurity in giving Share-permissions as Full control > and only specifying the NTFS permissions accurately ? > > If no insecurities , why is Windows giving us the facility to give > permissions in 2 places and making it confusing? > >
