Sharing and Permissions versus Security and ACL
ScaryBinary
08-04-2004, 10:14 PM
I thought I understood all this stuff but I was wrong...! I have two computers on a LAN and I share a few folders on each computer with the other computer. For example, I share a folder on my computer Tom so my other computer Jerry can back stuff up in it. Jerry maps Tom's folder as a drive.
I have created accounts on each computer so the other computer can map the drive using a username and password.
...So, when I look at the properties for my "backup" folder on Tom, if I click the "Security" tab I see Jerry is a user with the appropriate permissions. This part makes sense to me.
What I'm confused about is if I click on the "Sharing" tab, obviously I've shared the folder but there's this "Permissions" button that opens a window displaying a list of users and permissions that is different from the one on the "Security" tab... How does this relate back to the ACL on the "Security" tab? Do I need to add Jerry to both? What's the deal?!? :confused:
Midknyte
08-05-2004, 03:30 AM
there are two kinds of permissions, share and ntfs. you combine the share and ntfs permissions and the resulting permissions are the MOST restrictive of the two. share permissions only work over the network. if jerry logged on locally, share permissions would not take effect. I usually leave share permissions to allow all, then restrict on ntfs (security) permissions. ntfs permissions are enforced over the network and locally.
ScaryBinary
08-05-2004, 01:43 PM
OK. So, hypothetically, if user "Nibbles" has Full Control over a folder (on computer Jerry) in the NTFS permissions, but Read Only in the Sharing permissions, and I map that folder on computer Tom (as user "Nibbles"), then I'd end up with Read Only access...? But if "Nibbles" logs into Jerry directly, he'd have full control?
In my head, that's what I think you're saying, but then again there's a lot of weird stuff going on in my head. :x :t
Midknyte
08-05-2004, 02:09 PM
yep. that's right.
Share permission = read
ntfs permission = full
most restrictive of both = read
be careful. within a system, share permissions combine to be the LEAST restrictive. same for ntfs. it is only when you combine the two together that you get the MOST restrictive.
Share permissions = least
ntfs permissions = least
share + ntfs = most
let's say that nibbles is in two groups, managers and accountants. managers have full ntfs permission to the "budget" folder. accountants have read only to "budget". nibbles would end up with full permission because it is the least restrictive when combined.
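The combination rules from the post above, worked through as an added example that is not part of the original thread: Allow entries are unioned within the share ACL and within the NTFS ACL, and the two results are intersected only for network access. The three-bit rights model, the ACL tuples and the sample ACLs are constructed assumptions, and the Deny handling goes beyond what the thread covers.

```python
from enum import IntFlag

class Right(IntFlag):            # simplified model, not the real Windows access mask
    READ = 1
    WRITE = 2
    CHANGE_PERMS = 4             # what Full Control adds on top of Change

READ = Right.READ
CHANGE = Right.READ | Right.WRITE
FULL = CHANGE | Right.CHANGE_PERMS

def layer_rights(acl, token):
    """Rights a single ACL (share or NTFS) gives a logon token.

    Allow entries for every matching user/group are unioned (least
    restrictive); a matching Deny entry then removes those rights.
    """
    allowed = denied = 0
    for principal, kind, rights in acl:
        if principal in token:
            if kind == "deny":
                denied |= int(rights)
            else:
                allowed |= int(rights)
    return Right(allowed & ~denied)

def effective(share_acl, ntfs_acl, token, over_network):
    """Intersect share and NTFS results (most restrictive) for network access."""
    ntfs = layer_rights(ntfs_acl, token)
    if not over_network:
        return ntfs              # local logon: the share ACL is never consulted
    return layer_rights(share_acl, token) & ntfs

# Constructed ACLs modelled on the thread's examples.
NIBBLES = {"Nibbles", "Managers", "Accountants", "Everyone"}   # user plus groups
SHARE_READ = [("Nibbles", "allow", READ)]
SHARE_OPEN = [("Everyone", "allow", CHANGE)]   # wide share, NTFS does the restricting
NTFS_FULL = [("Nibbles", "allow", FULL)]
NTFS_BUDGET = [("Managers", "allow", FULL), ("Accountants", "allow", READ)]
NTFS_BUDGET_DENY = NTFS_BUDGET + [("Accountants", "deny", Right.WRITE)]

if __name__ == "__main__":
    print("mapped drive:", effective(SHARE_READ, NTFS_FULL, NIBBLES, True))
    print("local logon: ", effective(SHARE_READ, NTFS_FULL, NIBBLES, False))
    print("budget, net: ", effective(SHARE_OPEN, NTFS_BUDGET, NIBBLES, True))
    print("with deny:   ", effective(SHARE_OPEN, NTFS_BUDGET_DENY, NIBBLES, True))
```

When auditing a real share, compare both ACLs for every group in the user's token; a single Deny on one group can undo an Allow granted through another.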
rraehal
08-05-2004, 02:20 PM
I agree. In my network, I set NTFS permissions to the settings I want to use (Administrator and Domain Admins only have full control).
I leave share permissions at Everyone has read/write/list contents/modify/read & execute. I leave off full control or a user could change permissions for the share.
This makes everyone have the same permissions if they use a share or use the machine locally to access a folder. When you access a shared folder on the network, it will first look at share permissions and then the file security will be checked.
I have a share on my network with everyone able to see the share, but only accounting users can map the share because of file permissions. The same goes for each user's private drive. Only domain admins and a specific user can access a user's private drive/share.
Microsoft recommends setting NTFS permissions if you use NTFS and using share permissions if you use a FAT file system. FAT has the drawback of local users being able to access everything by using the system properly or using a boot disk.
ScaryBinary
08-05-2004, 03:45 PM
Cool. It makes sense now. Thanks for the explanations and advice!
SysOpt.com