Domain Users & Everyone Group

On a win2k3 shared directory, what user group do you put in the shared tab?

I say domain users & domain admin - that's it!

Who says it's OK to put the everyone group in this shared tab?

I do it. Some people will tell you not to, but I do it anyway, and it's a waste of time to do otherwise. The "Share" permissions define the maximum scope of what permissions can be defined. The Security tab will actually define the rights to the folder.

Just grant share everyone full, and NTFS\Security tab is where you lock it down at. This is a must though. If you don't you will leave it wide open.

Well, if you put the everyone group in the shared tab then any domain user can bring in their own laptop and bypass your domain to get to the domain network resources such as the file server and network printers without needing to join the domain.

So what is the purpose of the domain then?

If you put the domain users group in the shared tab then they can't do that until they join the domain, and then they would need network admin permission to join the network because of the administrator password.

If you have NTFS permissions defined on the share they can't get to it if they're not in your domain. Shared permissions define the maximum scope of the share, not the actual rights of the users.

Crafty is right. If you lock down the NTFS permission, joe user ain't getting shit. The more restrictive you are in the share permissions, the more hell it is for you when joe user calls because he can't get his beloved mp3 file.

Well, isn't having the everyone group in the shared tab too default?

Isn't it better to put domain users with mod and domain admin with full in the shared tab? Then adjust accordingly on the security tab, which is the NTFS permission.

Would this lock down a domain user with his personal laptop? I mean he won't be able to access the network drives by not joining the domain and typing "start", "run", and "\\server", right?

No, it would prompt you for a username and password because the NTFS permissions will say that the user that is trying to access does not have rights. No, it will not immediately kick them out, but they would not be able to view anything in the share until they authenticate.

Like I said earlier, it might be better, but for sanity's sake, and as a windows admin, I personally don't do it because it's a waste of time. Concentrate on the NTFS.

I use boxes outside my domain to get to shares on my network and if I had the everyone group out of the share permissions, I wouldn't be able to access them (I think). It would probably immediately kick me out.

Still it's a waste of time. Some people will tell you different, but apparently they have more time on their hands than I do.
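
The rule argued over in this thread, that access over the network is the intersection of the share permissions and the NTFS permissions, as a simplified model. This is an added example, not part of any post above; the tokens, ACLs and the "deny overrides allow" rule are constructed assumptions, and it assumes Guest and anonymous access are disabled.

```python
# Simplified model of Windows share + NTFS access checks (added example).
# Assumptions: deny overrides allow; Guest and anonymous access are disabled.
READ = frozenset({"read"})
CHANGE = READ | {"write", "delete"}        # share "Change" / NTFS "Modify"
FULL = CHANGE | {"change_permissions"}     # "Full Control"

def granted(acl, token_groups):
    """Rights one ACL gives a token: matching allows minus matching denies."""
    allow, deny = set(), set()
    for kind, principal, rights in acl:
        if principal in token_groups:
            (allow if kind == "allow" else deny).update(rights)
    return allow - deny

def effective(share_acl, ntfs_acl, token_groups):
    """Over the network a user gets only what BOTH ACLs grant."""
    return granted(share_acl, token_groups) & granted(ntfs_acl, token_groups)

# Constructed tokens: the groups an authenticated account carries.
DOMAIN_USER = {"Everyone", "Authenticated Users", "Domain Users"}
DOMAIN_ADMIN = DOMAIN_USER | {"Domain Admins"}
NO_VALID_LOGON = set()   # authentication failed: no token, matches no ACE

# Constructed ACLs for the configurations discussed in the thread.
SHARE_EVERYONE_FULL = [("allow", "Everyone", FULL)]
SHARE_RESTRICTED = [("allow", "Domain Users", CHANGE),
                    ("allow", "Domain Admins", FULL)]
NTFS_LOCKED = [("allow", "Domain Users", CHANGE),
               ("allow", "Domain Admins", FULL)]
NTFS_LEFT_OPEN = [("allow", "Everyone", FULL)]

def report():
    """Effective rights for each share/NTFS/token combination, sorted."""
    shares = {"share=Everyone:Full": SHARE_EVERYONE_FULL,
              "share=DomainUsers:Change": SHARE_RESTRICTED}
    ntfs = {"ntfs=locked": NTFS_LOCKED, "ntfs=left open": NTFS_LEFT_OPEN}
    tokens = {"domain user": DOMAIN_USER, "domain admin": DOMAIN_ADMIN,
              "no valid logon": NO_VALID_LOGON}
    return {(s, n, t): sorted(effective(sa, na, tg))
            for s, sa in shares.items()
            for n, na in ntfs.items()
            for t, tg in tokens.items()}

if __name__ == "__main__":
    for combo, rights in report().items():
        print(" | ".join(combo), "->", rights or "no access")
```

In this model the token is built from the account that authenticates, so the result for a domain user does not depend on which machine the logon comes from.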