47135: Acronis Access Connect: Best Practices for Permissions on NTFS

Best practices for permissions on NTFS

This article applies to:

  • Acronis Access Connect (formerly ExtremeZ-IP)

Description

The default rights we expect to see inheriting from the drive letter are:

  • Administrators, Full Control, Applies to this folder, subfolders, and files
  • SYSTEM, Full Control, Applies to this folder, subfolders, and files
  • CREATOR OWNER, Full Control, Applies to subfolders and files only

A note regarding CREATOR OWNER: since it applies to subfolders and files only, Full Control will display as "Special" on 2008 and above.

For typical workflows, the Mac users will need all the granular NTFS permissions except Full control, Change permissions, and Take ownership.

Listed out, this is:

  • Traverse folder/execute file
  • List folder/read data
  • Read attributes
  • Read extended attributes
  • Create files/write data
  • Create folders/append data
  • Write attributes
  • Write extended attributes
  • Delete subfolders and files
  • Delete
  • Read permissions

A basic share would appear as follows:

If you need restricted permissions at the root of a share, the best advice we have been able to give is to apply an explicit ACE with limited permissions, such as read only, for a staff group to a parent folder (typically the directory that is being shared) and change the "Apply to" setting to "This folder only" so the clients can mount the share. That way the staff group ACE will not inherit down, but the SYSTEM ACE will.

Then, on the child folders, apply an explicit ACE granting permissions to each particular group. Don't forget that the .TemporaryItems folder at the root of every share needs an explicit ACE granting pretty much full control to everyone. This supports the safe save operation documented in the Apple KB article at http://support.apple.com/kb/TS3752

You can see in the screenshot below that the child folder "test" did not inherit the read only ACE from the parent folder "Share" pictured in the screenshot above. Then we applied an explicit ACE on "test" granting full control to the group "Users".
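The layout described above can be scripted as follows. This is an added example, not Acronis's own tooling. The share path, the group names, the use of Read & execute for "read only" and the rights given to Everyone on .TemporaryItems are assumptions to adapt.

```powershell
# Added example: path and group names are placeholders, not values from the article.
$ShareRoot  = 'D:\Shares\Share'
$StaffGroup = 'CONTOSO\Staff'
$ChildAces  = @{ 'test' = 'CONTOSO\Design' }   # child folder -> group

# Every granular right except Full control, Change permissions and Take ownership:
# Modify plus "Delete subfolders and files" covers the eleven rights listed above.
$MacUserRights = [System.Security.AccessControl.FileSystemRights]'Modify, DeleteSubdirectoriesAndFiles'
$ThisFolderOnly = [System.Security.AccessControl.InheritanceFlags]::None
$FolderSubfoldersFiles = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

function Add-ExplicitAce {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit
    )
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)          # adds to the existing ACL, inherited ACEs stay
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# 1. Share root: limited ACE for the staff group, "This folder only".
#    Assumption: "read only" is implemented as Read & execute.
Add-ExplicitAce $ShareRoot $StaffGroup 'ReadAndExecute' $ThisFolderOnly

# 2. Child folders: explicit ACE per group, applied to folder, subfolders and files.
foreach ($name in $ChildAces.Keys) {
    Add-ExplicitAce (Join-Path $ShareRoot $name) $ChildAces[$name] $MacUserRights $FolderSubfoldersFiles
}

# 3. .TemporaryItems: explicit ACE for Everyone.
#    Assumption: "pretty much full control" is the same granular set as above.
$temp = Join-Path $ShareRoot '.TemporaryItems'
if (Test-Path -LiteralPath $temp) {
    Add-ExplicitAce $temp 'Everyone' $MacUserRights $FolderSubfoldersFiles
}

# Check: no child folder should carry an inherited ACE for the staff group.
Get-ChildItem -LiteralPath $ShareRoot -Directory -Force | ForEach-Object {
    $leaked = (Get-Acl -LiteralPath $_.FullName).Access |
        Where-Object { $_.IsInherited -and $_.IdentityReference.Value -eq $StaffGroup }
    if ($leaked) { Write-Warning "$($_.FullName) inherits an ACE for $StaffGroup" }
}
```

Run it from an elevated session on the file server. A warning from the final check means the root ACE was not set to "This folder only".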

More information

See also Acronis Access Connect: Troubleshooting Windows Server Access from Mac Clients.
