70-410: Share and NTFS Permissions Question

bigmike2238 Member Posts: 9
I am in the middle of doing labs for my MCP, and I have a quick question when it comes to NTFS Share permissions. I set share permissions to 'full control' because I wanted to use NTFS permissions strictly. This was going fine, but I noticed something I didn't understand. When I assign permissions directly to a user in NTFS, it overrides group permissions.

In other words, granting full permissions to a user object will override the more restrictive permission set on a group object (which the user is a part of). This goes against what we have been taught, which is that the object with the most restrictive permissions wins. Can someone help me understand why this is different when the permissions are assigned directly to a user?

Thanks to all that reply.


  • Fulcrum45 Member Posts: 613
    I'm working on my 70-410 as well and I believe (someone correct me if I'm wrong) that while NTFS permissions are cumulative, it depends heavily on if the share is being accessed across the network or locally on the machine itself.

    Across a network via NTFS = Most restrictive permission
    Locally via NTFS = Least restrictive permission

    Moreover, Share permissions can only be used across a network but are trumped by NTFS permissions should they be used as well. It took me a bit to grasp that Share Permissions and NTFS were two different things.

    Also, be considerate of explicit permissions. I believe nothing trumps an explicit DENY.

    I hope this helps. And please, someone correct me if I'm wrong. Going off of memory here.
  • NetworkNewb Member Posts: 3,298
    Depends on whether the group's permissions were inherited. If so, applying the user's permissions directly to the folder would override it.

    Explicit takes precedence over Inherited
  • AvgITGeek 70-410, 70-411 Member Posts: 341
    When share and NTFS are combined it is always most restrictive. If the share is accessed locally only NTFS will be applied for obvious reasons. Fulcrum45 is correct, an explicit deny will take precedence over all else. Keep your AGDLP as best practice and use deny only when needed. Yeah, NetworkNewb is right but you need to click a couple of check boxes to turn off inherited permissions. If so, then the explicit will apply. Server 2012 does include the effective permissions tab on all folders.
    Use it!
  • bigmike2238 Member Posts: 9
    Got it. Thank you for the information, went a long way in helping understand why the effective permissions were what they were. :)
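
The precedence rules discussed in this thread can be modelled as a small access check. This is an added example, not part of any post above: the right bits, the `Ace` class and the names `alice` and `Sales` are constructed for illustration, and the model ignores multiple inheritance levels and treats the share ACL as a single mask.

```python
from dataclasses import dataclass

# Simplified right bits, constructed for this example (not real Windows access-mask values).
READ, WRITE, DELETE, CHANGE_PERMS = 1, 2, 4, 8
MODIFY = READ | WRITE | DELETE
FULL = MODIFY | CHANGE_PERMS

@dataclass(frozen=True)
class Ace:
    trustee: str            # user or group name
    allow: bool             # True = Allow ACE, False = Deny ACE
    mask: int               # rights this ACE allows or denies
    inherited: bool = False

def canonical(dacl):
    """Canonical DACL order: explicit deny, explicit allow,
    inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))

def ntfs_effective(dacl, token):
    """Walk the DACL in canonical order; the first matching ACE to decide a bit wins."""
    granted = denied = 0
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue                            # ACE is for someone else
        if ace.allow:
            granted |= ace.mask & ~denied       # Allow ACEs accumulate
        else:
            denied |= ace.mask & ~granted       # Deny only blocks bits not yet granted
    return granted

def network_effective(share_mask, dacl, token):
    """Over the network a right must pass both the share ACL and the NTFS DACL."""
    return share_mask & ntfs_effective(dacl, token)

TOKEN = {"alice", "Sales"}   # constructed: the user plus her group membership

if __name__ == "__main__":
    cases = {
        "group Allow Read + user Allow Full": [Ace("Sales", True, READ), Ace("alice", True, FULL)],
        "group explicit Deny Write + user Allow Full": [Ace("Sales", False, WRITE), Ace("alice", True, FULL)],
        "group inherited Deny Write + user explicit Allow Full":
            [Ace("Sales", False, WRITE, inherited=True), Ace("alice", True, FULL)],
    }
    for name, dacl in cases.items():
        print(f"{name}: local={ntfs_effective(dacl, TOKEN):04b} "
              f"via Read-only share={network_effective(READ, dacl, TOKEN):04b}")
```

The first case is the one from the original question: a narrower Allow on a group is not a Deny, so the user's direct Full Control adds to it.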