Setting "Everyone" in File Sharing to Work with Specific Users

Page 1 of 3 123 LastLast

  1. Posts : 15
    Win 10
       #1

    Setting "Everyone" in File Sharing to Work with Specific Users


    Hi All,
    I have been attempting to understand file sharing where you specify permissions for specific users, but I get conflicting advice from the Win 10 forums and very recent 2016 and 2017 articles. I searched your forums and tutorials and have not found an answer either. The methods suggested by the articles are similar except for one BIG difference—they handle what to do with the “Everyone” Group differently. My comments below are in bold and in brackets and I have written below what I found so far and what I intend to do. If you want to skip reading that and just tell me what you do, I would appreciate that too.

    1. I want to share folders/files in this way: Users A, B, C and D will have read/write access to a group of folders/files. User E will not have access to those folders/files. User D and E have separate user accounts on the same PC. Users A, B and C have separate PC’s. If D and E sharing the PC is a problem with file sharing permissions, I will get separate PC’s for everyone.

    2. I want to share folder/files using File Explorer method.

    3. The folder/files will be secured behind the Windows login information on the sharing PC so I can allow access to just specific users.

    On one Reddit forum (sorry I lost the url), this was the method suggested: Right click on the folder you want to share=>advance=>mark : share this folder=>add . . .[the User Name]-->advanced=>make sure everything is marked under “object types . .=> find now=>select who to share with under the “names” column=>select shared user from the list and permissions you grant them from the check boxes (for read and write or “777” permission [not sure that that is] permission tick all 3 boxes in the allow column=>click ok=>done. [No mention of “Everyone” but I think it is under Properties=>Sharing=>Advanced Sharing=>Permissions by default].

    On http://www.geeksquad.co.uk/articles/...-on-windows-10, the article keeps the “Everyone” group under Advanced Sharing=>Permissions and tells you to ADD the specific User Names you want to allow access, making sure you tick the boxes which grant “Change” permission. [this is similar to the instruction from Reddit above, but adds Users Names in by going to Permission in a different way—you must type them out instead of selecting them].

    On PUREInfoTech, http://pureinfotech.com/setup-networ...ng-windows-10/, they tell you the same method as above from Reddit and Geeksquad, except when you get to Permissions (where the Everyone group is the default) they instruct you to REMOVE the Everyone group and ADD the specific User Names you want to share. Of course, you tick the boxes for Change and Read or for Full Control.

    This is what happened to me when I followed each set of instructions---PERMISSION DENIED for the all the specific users. The only way I could give Users A, B, C permission to share the files/folders was to go into Properties=>Sharing and just add the Everyone group. So, I did not go into Advanced Sharing, but the problem is, while I solved the file sharing issue—I cannot exclude D—he gets access too. So, I am back to square one, not understanding how this file sharing works. I thought Properties=>Sharing was for local files and Properties=>Sharing=>Advanced Sharing is for network shares.

    Thanks in advance.
      My Computer


  2. Posts : 8,057
    windows 10
       #2

    Welcome to the forum. They key thing is everyone includes even admin so if you rent admin can't get in. There are two sides to this one is the share permission but the key is the NTFS permissions. Share lets them connect. But NTFS has a lot more settings to then control what they can do
      My Computer


  3. Posts : 15
    Win 10
    Thread Starter
       #3

    Thanks Samuria for the quick reply and welcome. I am sorry but there must be some typos in your reply because I do not understand what you are describing.

    How would YOU configure Permissions to allow Users A, B, C and D on the same network to share the same file, but not allow User E. That is all I am trying to discover. I've read that "Share" is just file permissions and "Advance Share" is NTFS, and that Share is for local files, and Advance Share is for network, but I can't figure out how to make it work. Every setting I use with Everyone or with specific users named ends up with PERMISSION DENIED. So far, the only way that works is if I put Everyone in Share and not change anything else. But while that grants permission for A, B, C and D--I cannot stop E from accessing the file. Any help would be appreciated.
      My Computer


  4. Posts : 93
    Windows 10
       #4

    Toppinglift, generally, it is always recommended that you handle access using NTFS permissions exclusively, if available. This means leaving the share permissions to the default of “Everyone, Full”. The only time you should be configuring share permissions is when the share destination’s disk doesn’t support a permission system itself.

    I’m assuming this answers the OP.

    toppinglift said:
    How would YOU configure Permissions to allow Users A, B, C and D on the same network to share the same file, but not allow User E. That is all I am trying to discover.
    This is the only question I could find throughout both your posts, yet it’s difficult to tell what sort of answer you are expecting here.

    In any restricted site, there are two principal strategies for controlling access: you can either take a whitelist approach and permit access to only those who you trust, or you you can take a black list approach and describe those who should not have access. The former is more secure and is very suitable in this case where you are saying that you want users A, B, C, and D to have access. Saying this alone by default excludes any user E, F, or G, etc.

    To be able to manage access on a user-by-user basis in the first place you must be using an Active Directory Domain, or possibly a Workgroup. To be honest, I’ve never used a Workgroup before.

    I know in a HomeGroup, you cannot have this level of specificity as all network users who can access your shares have equal rights to them, i.e., you cannot make a distinction between users authenticating remotely.
      My Computer


  5. Posts : 15
    Win 10
    Thread Starter
       #5

    Pyprohly
    Toppinglift, generally, it is always recommended that you handle access using NTFS permissions exclusively, if available. This means leaving the share permissions to the default of “Everyone, Full”. The only time you should be configuring share permissions is when the share destination’s disk doesn’t support a permission system itself.. . .it’s difficult to tell what sort of answer you are expecting here
    Thank you for your reply, Pyprohly. Yes, I know the question is a bit buried and dense, but that is why I quoted the articles above--even the experienced users have different views of where to put "Everyone" and it is very confusing for those who are not network savy, like me.

    it is always recommended that you handle access using NTFS permissions exclusively, if available. This means leaving the share permissions to the default of “Everyone, Full”. The only time you should be configuring share permissions is when the share destination’s disk doesn’t support a permission system itself
    So, by NTFS permissions, you mean go to Properties-->Sharing Tab--->Advance Sharing--->tick "Share this folder"--->OK--->OK--->DONE? You don't touch permissions?

    To be able to manage access on a user-by-user basis in the first place you must be using an Active Directory Domain, or possibly a Workgroup. To be honest, I’ve never used a Workgroup before.
    Users A, B, C, D and E are all on the same network and in the same Workgroup.

    The [Whitelist] is more secure and is very suitable in this case where you are saying that you want users A, B, C, and D to have access. Saying this alone by default excludes any user E, F, or G, etc.
    I want to have a Whitelist, naming Users A, B, C and D as ONLY the users which have permission to share the files/folders. How do I express that in a way that Windows 10 will understand that?
      My Computer


  6. Posts : 15
    Win 10
    Thread Starter
       #6

    I just wanted to repeat that I am not using Homegroup. I am sharing files using the File Explorer method. Thanks.
      My Computer


  7. Posts : 93
    Windows 10
       #7

    toppinglift said:
    even the experienced users have different views of where to put "Everyone" and it is very confusing for those who are not network savy, like me.
    Always use the file system’s permissions if it supports it, and leave the share permissions as “Everyone, Full”. Trust me, there’s no benefit in managing permissions for a single item in multiple places and I am certain if you took a poll of the most perceptive system administrators, they’d agree. Those who think otherwise could only suggest that dealing with NTFS permissions adds complexity. Not true. You see, if you start changing permissions on a share you are forced to maintain two sets of permissions because you cannot, or really, really, should not ever give Everyone Full Control on NTFS and leave access control to the share protocol.

    Microsoft’s documentation doesn’t explicitly recommend it, but this approach is heavily alluded to efficaciously. Read more here.
    SMB–based access control for a shared resource is determined through two sets of permissions: NTFS permissions and share permissions. Share permissions are often only used for access control on computers that do not use the NTFS file system.

    toppinglift said:
    So, by NTFS permissions, you mean go to Properties-->Sharing Tab--->Advance Sharing--->tick "Share this folder"--->OK--->OK--->DONE? You don't touch permissions?
    Uh. No. As soon as you hit that “Sharing” tab you’re dealing with the share’s settings. NTFS permissions are located in the Security tab of the Properties pane.

    And it’s not like, “don’t touch”. It’s like set, and don’t go back there again there to manage permissions.

    toppinglift said:
    I want to have a Whitelist, naming Users A, B, C and D as ONLY the users which have permission to share the files/folders. How do I express that in a way that Windows 10 will understand that?
    Properties -> Security. NTFS permissions, Toppinglift; Toppinglift, NTFS permissions.

    If you say the context is a Workgroup, automatically you are suggesting that users A, B, C, and D are to be users on this machine, and not necessarily users that exist on the machines these users are to authenticate remotely with. On the NTFS permission list you specify users A, B, C, and D as if they were local accounts. When that’s done, person A wanting to authenticate remotely with user A on that machine must create an identical user A on their own machine, i.e., same username, same password.

    This is how it works based on what I have read about Workgroups and I have not tried any of this in practise.

    If you want a more confident answer you can wait until the end of the week to allow myself time to test things, otherwise know that I’m only giving advice based on my educated guess as to how I think a Workgroup behaves. Again, I have not used a Workgroup before.


    toppinglift said:
    I just wanted to repeat that I am not using Homegroup.
    Yes, it is important the we’ve established that.

    toppinglift said:
    I am sharing files using the File Explorer method.
    “File Explorer” method. Mm. Yeah, that terminology has to go.

    What you’re doing here is changing the NTFS permissions.
      My Computer


  8. Posts : 15
    Win 10
    Thread Starter
       #8

    You know, Pyprohly, that everything you just wrote runs counter to what the articles I listed in my Original Post (from geeksquad and pureinfotech.com) instruct. It blows my mind that there can be so much misinformation provided by these sites. And BTW, I used the terminology "file explorer" method from one of those articles because that is what they called it. No wonder file sharing is so difficult to understand.

    Ok, I would like it very much if you could test it out. I'm going to test what you say too to see if it works with Workgroups and report back to the forum. Just so we are on the same page, this is what I intend to do:

    1. Make Users A, B, C, and D share files
    2. Properties-->Security-->[Ok, I don't see "Everyone" as a default--do I click "Edit" and then "Add" Everyone in???]
    3. Add Users A, B, C and D
    4. Click "OK"
    5. DONE


    I am totally avoiding the Sharing tab because that has to do with file sharing and not NTFS. I want only NTFS, so I go directly to "Security" tab. Nevertheless, you write that "Everyone" is a default under Security, but I did not see it there--I had to add "Everyone" in.

    Finally, I currently have "Everyone" under the Sharing tab (because it was the only way I could get the files shared--but that setting allowed EVERYONE to share, including user E (which should not share that file). Should I now go in and remove it after I had set the NTFS permissions? Thanks.
      My Computer


  9. Posts : 93
    Windows 10
       #9

    toppinglift said:
    You know, Pyprohly, that everything you just wrote runs counter to what the articles I listed in my Original Post (from geeksquad and pureinfotech.com) instruct. It blows my mind that there can be so much misinformation provided by these sites.
    It’s not misinformation, it’s just that there are different approaches on how to configure these sorts of things. You did ask us, at least Samuria, how we would configure things.

    If you are interested in setting up share permissions exactly according to how those articles outline, that is your prerogative. I personally think it is not ideal to be handling access at two locations. Reiterating Microsoft’s comment:
    SMB–based access control for a shared resource is determined through two sets of permissions: NTFS permissions and share permissions. Share permissions are often only used for access control on computers that do not use the NTFS file system.

    toppinglift said:
    And BTW, I used the terminology "file explorer" method from one of those articles because that is what they called it.
    Sorry, I didn’t realise we were not talking about permissions here. What is described as the “File Explorer” method in those articles is demonstrating how to set up a share through Explorer as opposed to the public ones generated by HomeGroup, or shares created through the command prompt or PowerShell for that matter.

    If we’re talking about share permissions it doesn’t make sense to distinguish a “File Explorer” way.

    toppinglift said:
    1. Make Users A, B, C, and D share files
    2. Properties-->Security-->[Ok, I don't see "Everyone" as a default--do I click "Edit" and then "Add" Everyone in???]
    3. Add Users A, B, C and D
    4. Click "OK"
    5. DONE
    No, this is not right. The following is what needs to be done.

    1. Make local users A, B, C, and D, and assign a password to each (they must have passwords for you to authenticate remotely with).
    2. Create a share through Explorer. Because the share permissions are by default set up how we want it to be, i.e. it includes “Everyone, Full”, they can be ignored as we won’t be controlling access this way. Go to Properties -> Security.
    3. The Properties -> Security pane represents the NTFS permissions. Here, you control access by including or denying users or group appropriately. In this case, you’ll be specifying the local users you’ve setup in step 1.
    4. Click “Apply” or “OK”.
    5. Test share access.

    toppinglift said:
    Nevertheless, you write that "Everyone" is a default under Security, but I did not see it there--I had to add "Everyone" in.
    No, no, I never wrote that. It’s the other way around. “Everyone, Full” for the share permissions; access controlled throughout NTFS permissions.

    As a rule of thumb you never ever should be specifying the Everyone group in NTFS permissions. NTFS permissions represent the final set of rules that govern access to a file. If you screw up an “Everyone” rule, you mightn’t notice initially and it’ll create an annoyance later on.

    toppinglift said:
    Finally, I currently have "Everyone" under the Sharing tab (because it was the only way I could get the files shared--but that setting allowed EVERYONE to share, including user E (which should not share that file). Should I now go in and remove it after I had set the NTFS permissions?
    No, you should leave access on shares as “Everyone, Full”.

    I’ll need to see the NTFS permissions for that folder that’s being shared to determine what needs to change.
      My Computer


  10. Posts : 15
    Win 10
    Thread Starter
       #10

    It’s not misinformation, it’s just that there are different approaches on how to configure these sorts of things. You did ask us, at least Samuria, how we would configure things.

    If you are interested in setting up share permissions exactly according to how those articles outline, that is your prerogative. I personally think it is not ideal to be handling access at two locations. Reiterating Microsoft’s comment:

    SMB–based access control for a shared resource is determined through two sets of permissions: NTFS permissions and share permissions. Share permissions are often only used for access control on computers that do not use the NTFS file system.

    First, thanks for your patience explaining this--I really appreciate it. Second, ok, maybe it is not "misinformation," but the way you and Samuria set your network up makes a lot more sense to me and I want to do it that way. And BTW, I tried the ways explained in those articles, and it just did not work for me. And I just read some of the comments underneath the articles, and it did not work for some of the readers too. When I re-read the articles, I see that the critical difference between your approach and their approach is that they made all changes through Share Permissions and no changes through NTFS permissions. And those approaches never specified that they were doing so because the network had FAT-32 files, they just said that this is the way to do it. Anyway, it did not work. That's why I landed here.


    1. Make local users A, B, C, and D, and assign a password to each (they must have passwords for you to authenticate remotely with).
    2. Create a share through Explorer. Because the share permissions are by default set up how we want it to be, i.e. it includes “Everyone, Full”, they can be ignored as we won’t be controlling access this way. Go to Properties -> Security.
    3. The Properties -> Security pane represents the NTFS permissions. Here, you control access by including or denying users or group appropriately. In this case, you’ll be specifying the local users you’ve setup in step 1.
    4. Click “Apply” or “OK”.
    5. Test share access.
    This was the step by step I was looking for all these months--Thanks!! Can't wait to try it when the network is not active. If it works, I'll mark this thread as SOLVED and give you max award points--(do you do that here-I haven't checked). It it doesn't, I will give you my NTFS permissions screen shot for further help. Thanks again.
    Last edited by toppinglift; 06 Apr 2017 at 15:32.
      My Computer


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 03:01.
Find Us




Windows 10 Forums