Practice question 18 on this site (Share and NTFS perm.)
randy72
Member Posts: 12 ■□□□□□□□□□
18. You share a folder on your computer and you assigned the share permission Change to Everyone. John, a user from the Sales department, has been granted Full Control NTFS permission to the folder. John is also a member of the Sales group, which has been assigned Read NTFS permissions.
What are John's effective permissions when connecting to the shared folder?
The **** answer states Change. However I believe it should be Read. Because the most restrictive permissions should apply. Read is more restrictive than Change. With John being a member of Sales (read) that should override his Full Control permissions on the user level.
What am I missing?
Comments
-
eurotrash Member Posts: 817
permissions are cumulative. John's effective NTFS permission is full control.
when calculating share permissions you must compare the cumulative share permissions against the cumulative ntfs permissions, and the most restrictive of the two "wins".
in this case, John is granted full control directly, and Read through group membership (sales). the cumulative permission is Full Control.
Everyone is granted the change share permission.
Change (the culmination of the share permissions) is more restrictive than Full Control (the culmination of the NTFS permissions), so Change wins.
witty comment
-
Sie Member Posts: 1,195
randy72 wrote:
you assigned the share permission Change to Everyone. John, a user from the Sales department, has been granted Full Control NTFS permission to the folder.
What are John's effective permissions when connecting to the shared folder?
Imagine the question was worded like that....
Foolproof systems don't take into account the ingenuity of fools
-
randy72 Member Posts: 12 ■□□□□□□□□□
Why does the Read permission set to the Sales group have no impact?
-
swagger77 Member Posts: 13 ■□□□□□□□□□
randy72 wrote:
Why does the Read permission set to the Sales group have no impact?
first u have SHARE permission Change - Everyone
second u have NTFS permissions Full Control - John, Read - Sales group.
compare the two NTFS permissions and take the least restrictive: Full Control - John
Compare the SHARE permission with The NTFS permission and get the most restrictive: CHANGE
Answer is CHANGE
-
Webmaster Admin Posts: 10,292 Admin
Although explained already in the previous replies, and some older topics about the same question, here's some more info:
www.techexams.net/forums/viewtopic.php?t=11804
The keyword is 'effective permissions'. Before combining the share and ntfs permissions to determine the most restrictive of the two different types of permissions, first determine what the effective NTFS permissions and the effective share permissions are. Instead of throwing them all on one pile and taking the least restrictive.
-
randy72 Member Posts: 12 ■□□□□□□□□□
So when comparing NTFS permissions the LEAST restrictive takes effect.
When comparing Share to NTFS permissions the MOST restrictive takes effect. Am I right?
I'm confused because I thought the most restrictive permission took effect. Read is more restrictive than Full Control. So I would think Read would be the effective permission. NTFS Read is more restrictive than the Share- Change. So I would think that John would have Read permissions because he's a member of Sales.
Unless John being granted NTFS Full Control on his user account trumps what his Group permissions are....then I could see Change being the effective permission.
-
Webmaster Admin Posts: 10,292 Admin
Exactly. Sounds like you are no longer confused
And, the situation is very realistic too. I.e., you assign a group read permissions, and make an exception for a particular user by assigning full control for example.
-
randy72 Member Posts: 12 ■□□□□□□□□□
I've just never encountered this situation before. We maintain all of our files on file servers. And grant permissions through groups and rarely through individual domain accounts.
We never give users Full Control to anything. Just Change + Modify.
Nobody here would ever give a user Full Control to a share. It's unheard of. I guess that's why I was confused.
-
strauchr Member Posts: 528 ■■■□□□□□□□
Actually, quite commonly Full control on the Share is used and control of the NTFS folder or file permission is used to lock it down. In fact, this was once a recommended MS policy, however I am not sure if it's still in place but it is certainly commonly used.
And again, quite commonly you will see legacy or even wrongly administered networks where a user has been added to a group but has also been assigned a right directly to their user account.
The more experience you get the more you will see these kinds of things happening. (And roll your eyes)
-
randy72 Member Posts: 12 ■□□□□□□□□□
Why would you give Full Control on the share instead of Change?
What advantage does Full Control have over Change on the share level?
-
eurotrash Member Posts: 817
you give Full Control share permission so that you can configure everything at the more granular NTFS level.
plus it's easier to configure and troubleshoot, if you know that the permissions are configured at NTFS level.
remember that the most restrictive wins, so full control at share level doesn't do any harm as long as you configure the NTFS permissions properly.
witty comment
-
randy72 Member Posts: 12 ■□□□□□□□□□
I suppose.
I still think it's a good idea to set the share permission to Change as a kind of backup to the NTFS permissions. Maybe I'm crazy.
-
strauchr Member Posts: 528 ■■■□□□□□□□
There are instances where you would want some people to have full control over NTFS so as long as it is set at shared level there'll be no issues with the person getting the rights they need. For example the finance manager wants to control who sees the staff's salary, he then is given full control rights to add or remove accounts who access it, taking control away from anyone else (even though admins can still take ownership and change permissions).
To ease administration one group is given full control access to the share (usually Everyone group). Then you create your individual groups to have access to the NTFS share, some in different levels of the folder structure, some full control, some just read etc.
Having to ALSO give these groups access to Share permissions is just doubling up work and if you have a huge company that is trying to create naming standards and very defined group management then you'd have to create separate groups for Share and NTFS meaning even more overhead administration.
-
Webmaster Admin Posts: 10,292 Admin
randy72 wrote:
Nobody here would ever give a user Full Control to a share. It's unheard of. I guess that's why I was confused.
My comment about the situation being realistic was regarding John having been assigned individual permissions as an exception on the group. This is realistic, common, and 'the' way to do it. You should assign permissions through groups as much as possible because it allows efficient management of those permissions. Creating an additional group to make an exception for a single user is obviously not efficient. Creating a copy of the group especially for John, who likely needs to remain a member of the group, or at least the same permissions, because there is not a 1-on-1 relationship between resources and groups. Anyway, for this particular folder he needs different permissions. That's a given in the question, imagine he is delegated control for assigning permissions on a folder on a file server in his department, whatever the reason may be, and whatever the permissions may be. (edit: see accounting manager example strauchr posted while I was typing much slower than he was)
The point of the question is that John has additional NTFS permissions compared to the other members of the Sales group, but cannot use those NTFS permissions because he's accessing the folder through a share with share permissions more restrictive than his additional NTFS permissions.
-
Webmaster Admin Posts: 10,292 Admin
randy72 wrote:
I suppose. I still think it's a good idea to set the share permission to Change as a kind of backup to the NTFS permissions. Maybe I'm crazy.
-
randy72 Member Posts: 12 ■□□□□□□□□□
I understand exactly what you two are saying. I never thought of a user controlling access to folders.
Where I work the department heads and managers tell us who can get what and we set it up. And we have sensitive data. Tax info, criminal records and such.
I guess in my short-sightedness I never thought of a user controlling access.
Do you guys ever worry about a user screwing the permissions up?
I know these monkeys here couldn't do it.
-
Webmaster Admin Posts: 10,292 Admin
It does take a person with responsibility, and is certainly not ideal and should be avoided if possible. I've seen and configured it in dozens of small and large Microsoft networks though. There's always the exception. Managers, researchers, developers, branch/department-admins (who you don't want to make an administrator), etc. etc. This topic is heading towards an issue that's more related to Security+: access control models. It's only 2 pages, give it a quick read and you'll see where it touches this topic. You basically have a kinda MAC (mandatory access control) thing going on at work, while Windows is partly DAC (Discretionary access control) where users can determine permissions for the files they own. So the manager's permissions allow him to 'control' permissions (not necessarily with the purpose of assigning additional). Also, the entire scenario does not apply only to full control. E.g. a group and a share can have read, while someone else needs modify. And then there's also the deny permissions exceptions where someone needs to be a member of a group to access certain resources, but needs to be denied access to a folder to which the rest of the group must have access.
-
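The calculation worked through in the replies above (cumulative NTFS permissions, cumulative share permissions, then the most restrictive of the two), together with the deny exception just mentioned, as an added example that is not part of the original thread. The abstract right names, the level-to-rights mapping and the users "Mary" and "Pat" are assumptions made for illustration.

```python
# Simplified model, not the real Windows access check: levels are sets of assumed
# abstract rights, and Deny always beats Allow (ACE ordering is ignored).
ALL = frozenset({"read", "write", "delete", "change_permissions", "take_ownership"})
LEVELS = {
    "Read": frozenset({"read"}),
    "Change": frozenset({"read", "write", "delete"}),
    "Full Control": ALL,
}

def cumulative(aces, principals):
    """Union of every Allow that applies to the user, minus every Deny."""
    allowed, denied = set(), set()
    for principal, kind, level in aces:
        if principal in principals:
            (allowed if kind == "allow" else denied).update(LEVELS[level])
    return frozenset(allowed - denied)

def effective(share_aces, ntfs_aces, user, groups):
    """Over the network: cumulative share rights AND cumulative NTFS rights."""
    principals = {user, "Everyone", *groups}
    return cumulative(share_aces, principals) & cumulative(ntfs_aces, principals)

def level_name(rights):  # highest named level whose rights are all present
    for name in ("Full Control", "Change", "Read"):
        if LEVELS[name] <= rights:
            return name
    return "No access"

# Constructed ACLs for the scenario in practice question 18.
SHARE = [("Everyone", "allow", "Change")]
NTFS = [("John", "allow", "Full Control"), ("Sales", "allow", "Read")]

def john_over_share():
    return level_name(effective(SHARE, NTFS, "John", ["Sales"]))

def john_local():  # logged on locally: the share ACL is not evaluated
    return level_name(cumulative(NTFS, {"John", "Everyone", "Sales"}))

def other_sales_member():
    # "Mary" is a hypothetical Sales member with no individual ACE.
    return level_name(effective(SHARE, NTFS, "Mary", ["Sales"]))

def denied_sales_member():
    # "Pat" is a hypothetical Sales member explicitly denied on this folder.
    ntfs = NTFS + [("Pat", "deny", "Full Control")]
    return level_name(effective(SHARE, ntfs, "Pat", ["Sales"]))

if __name__ == "__main__":
    print(john_over_share(), john_local(), other_sales_member(), denied_sales_member())
```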
strauchr Member Posts: 528 ■■■□□□□□□□
Isn't permissioning fun
I just think it's important to get across to people that most MS exams do cover real world scenarios and to defeat that reputation it has for being unrealistic. You may not use it where you are now, but it most certainly might be used elsewhere and you may work for one of those companies one day and you'll need to know.
MS covers every base you can think of in their exams.
-
woodworm Member Posts: 153
I 'think' I understand how permissions work but I don't really understand why Microsoft still push Share permissions as a viable way to control access.
In all honesty I thought everyone gave the Everyone group Full Control on the share and then restricted access with NTFS permissions.
I thought that the only reason to use Share permissions is when the partition was FAT rather than NTFS
-
strauchr Member Posts: 528 ■■■□□□□□□□
^^ You've got it right. That's exactly what we were banging on about.
MS does not push Shares they push NTFS as the way for security.