Keywords: Humor, Extreme Frustration
Within an Active Directory domain, NTFS has a very flexible and extensive system for authorization of user access to files. When coupled with a network share, there is one additional layer of security to pass. So in order for a user to have permission to access an NTFS file through a network share, there are four conditions that must be met. The following assumes that the user has been authenticated within a domain.
(1) The user must have access to the network share. This is controlled through the Permissions tab in the dialog box obtained by right-clicking and selecting Properties on the share in the “Computer Management” (MMC) console window. Alternatively, it can be found by right clicking on the shared folder itself and choosing “Sharing and Security”, going to the Sharing tab and clicking on the Permissions button.
(2) The user must have access to the folder (*). This can be found by right clicking on the shared folder itself and choosing “Sharing and Security” and going to the Security tab. Alternately, you can right click on the folder and choose Properties.
(3) The user must have access to the file. This can be found by right clicking on the file itself and choosing Properties and going to the Security tab. Be aware that there is an option if you press the Advanced button on the Security tab – the file may inherit permissions from the folder it is in. If this is de-selected then the file can have different permissions than the folder.
(4) A trained monkey in a room in Redmond must push the “Yes” button on a special two-button keyboard. In cases where the computer is off the network or there is very high network latency, a cached monkey decision or even a local monkey simulation is used. (**)
(*- It may be possible for a user to have direct access to a file without having access to the folder it is in, but I don’t know for sure. With a DOS prompt and the “more” program, I could not access a file if I had access to the file but not the folder it was in, and I could toggle my access to the file if I toggled access to the folder. This may be because the “more” program tries to access the folder before it goes for the file.)
(**- There is a rumor that this work is being outsourced to the trained dolphins who write for “The Family Guy”.)
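Conditions (1) to (3) can also be read out from PowerShell instead of the dialog boxes, which makes it easier to see all three layers side by side when access is unexpectedly denied. This is an added example, not part of the original post; the share name and file path are placeholders, and it assumes an elevated session on the server that hosts the share.

```powershell
# Added example. Run in an elevated session on the server that hosts the share.
$ShareName = 'ExampleShare'                 # placeholder share name
$FilePath  = 'D:\ExampleShare\report.txt'   # placeholder file inside that share
$Folder    = Split-Path -Path $FilePath -Parent

# Flatten an NTFS ACL into one row per access control entry.
function Get-AclSummary {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access | ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Type      = $_.AccessControlType   # Allow or Deny
            Rights    = $_.FileSystemRights
            Inherited = $_.IsInherited
        }
    }
}

"(1) Share permissions on $ShareName"
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize

"(2) NTFS permissions on folder $Folder"
Get-AclSummary -Path $Folder | Format-Table -AutoSize

"(3) NTFS permissions on file $FilePath"
$fileAces = @(Get-AclSummary -Path $FilePath)
$fileAces | Format-Table -AutoSize

# The Advanced-button option from step (3): is inheritance switched off?
if ((Get-Acl -LiteralPath $FilePath).AreAccessRulesProtected) {
    'Inheritance is disabled: the file ACL is independent of the folder ACL.'
} else {
    'Inheritance is enabled: inherited entries above come from a parent folder.'
}

# Entries set directly on the file are where it can differ from its folder.
$explicit = @($fileAces | Where-Object { -not $_.Inherited })
"Explicit (non-inherited) entries on the file: $($explicit.Count)"
```

A Deny row at any of the three layers, or a missing Allow for the user and every group the user belongs to, is enough to block access through the share.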
Actually, you can access a file within the folder if you use some of the more granular NTFS permissions on the folder itself. You can grant read access to a folder but not grant the “list” access right allowing you to read a file in the folder if you know the name of the file within the folder.