Another Persmissions Question

I'm confused on this portion of permissions.

Sample 1 - Jon is in Group A and group B.
Group A has allow = modify (NTFS)
Group B has allow = read (NTFS)
Is the answer Jon's effective permissions are read only? I think for NTFS permissions you add up and use the most restrictive.

Sample B. Jon is in group A and group B.
Jon has allow = Full Control (NTFS)
Group A has allow = change (Share permission)
Group B has allow = read (share permission)
What would Jon's effective permissions be? I believe ntfs and share permissions are added together but then what? Which takes precedence, or overrules the other?

My guess: John has full control if accessing the folder directly (same computer), and change permission if accessing the folder remotely. I believe share permission accumulate and take the least restrictive.

Find more posts tagged with

Comments

royal

You are correct in all your assumptions.

sprkymrk

In sample 1 Jon has modify. They were both NTFS permissions.

If 1 was NTFS and 1 was share then Jon would only have read.

emmajoyce

When share and NTFS permissions are combined, the following rules apply:

When a user is accessing a share across a network, both NTFS and share permissions apply
The most restrictive permission of the two becomes the effective combined permission.

When a user accesses a file locally, only the NTFS permissions apply.

NTFS permissions locally are Cumulative. The final permision is the sum of all permisions. Meaning the least restrictive. Unless there is a deny permission set, which takes precedence over a allow permission.

proteus71

emmajoyce wrote:

When share and NTFS permissions are combined, the following rules apply:

When a user is accessing a share across a network, both NTFS and share permissions apply
The most restrictive permission of the two becomes the effective combined permission.

So is the answer for Q #2 modify? cumulate the shares (least restrictive)=modify. cumulate ntfs (least restrictive)=full control. share & ntfs combine to get the most restrictive=modify.

royal

That's correct.

Share = Read + Change = Change
NTFS = Full Control

Local File System Access = Full Control
Logging in through the Share = Modify

Share will allow the deleting/modification of files through Change
NTFS will also allow modification of files through Full Control
Since Share does not have full control as well, the Change permission from the Share level wins. Hence the user will be allowed to modify/change/create/etc. files but not have full control over them.

proteus71

Thanks for the help all. Took the exam today and only had one question pertaining to permissions.

. I thought there would be more.

sprkymrk

proteus71 wrote:

Thanks for the help all. Took the exam today and only had one question pertaining to permissions. . I thought there would be more.

So did you pass?

Don't worry, if you have the permissions/security concept nailed down now, you'll have some easy "gimme" questions on future MS exams. They pop up everywhere, especially on the server-level exams.

proteus71

sprkymrk wrote:

proteus71 wrote:

Thanks for the help all. Took the exam today and only had one question pertaining to permissions. . I thought there would be more.

So did you pass?

Don't worry, if you have the permissions/security concept nailed down now, you'll have some easy "gimme" questions on future MS exams. They pop up everywhere, especially on the server-level exams.

Passed with an 810.

But I have to admit by the time I got half way thru the test I thought I would fail for sure. Only 1/3 of the questions I had a good feeling about. The rest were educated guesses after removing obvious wrong answers.
Good to know about future tests since 70-290 is next. Plus my work is sending me to a 5 day course for 2003 server, so that should help.

sprkymrk

Well then, congrats to you!

royal

Congrats and good luck with 70-290!