A question about practice exam question regardiing permiss..

RulkiewiczRulkiewicz Member Posts: 29 ■□□□□□□□□□
31. You share a folder on your computer and you assigned the share permission Change to Everyone. John, a user from the Sales department, has been granted Full Control NTFS permission to the folder. John is also a member of the Sales group, which has been assigned Read NTFS permissions.
What are John's effective permissions when connecting to the shared folder?
a. Read
b. Read & Execute
c. Change
d. Full Control


The answer is C, but I thought it would be A, because that is the most rescritive permission...(when you corss NTFS with Share)?

I don't understand?

Thanks!

Comments

  • WebmasterWebmaster Admin Posts: 10,292 Admin
    Following is quote from some of my 70-290 TechNotes but it uses this question as an example:
    When you combine NTFS permissions and share permissions the most restrictive effective permission counts. For example, if you create a folder with files and assign them Full Control NTFS permissions to Everyone and share the same folder and assign the share permission Read to Everyone, users connecting through the network will have Read permissions.

    Probably the most common mistake made when combining share permissions and NTFS permissions is to add them all to a single pile and then take the most restrictive. Instead, you need to determine the effective share permissions amd the effective NTFS permission before taking the most restrictive.

    So to determine what the permissions are for a user connecting through a shared folder to a local folder protected with NTFS permissions you need to do the following:

    1. Determine the ‘effective’ NTFS permissions
    2. Determine the ‘effective’ share permissions
    3. Take the most restrictive of these two.

    Following is a practice questions that raised discussion in our forums several times:

    X. You share a folder on your computer and you assigned the share permission Change to Everyone. John, a user from the Sales department, has been granted Full Control NTFS permission to the folder. John is also a member of the Sales group, which has been assigned Read NTFS permissions. What are John's effective permissions when connecting to the shared folder?

    a. Read
    b. Read & Execute
    c. Change
    d. Full Control

    The correct answer is c. Change, but many people seem to be inclined to choose answer a. Read instead because Read is the most restrictive permission. However, it is the most restrictive effective permissions that counts.

    1. Determine the effective NTFS permissions:
    As mentioned earlier in the NTFS permissions section, NTFS permissions are cumulative. This means the least restrictive applies when considering only NTFS permissions. In this case, this means John has Read NTFS permissions for the folder through the Sales group, and Full Control NTFS permission through his own account, hence his effective NTFS permissions is Full Control.

    2. Determine the effective share permissions:
    The question only mentions that the share permissions are Change to Everyone, so no other share permissions have been explicitly assigned for the Sales group or John and hence the effective share permission is Change.

    3. Take the most restrictive of these two:
    The most restrictive of the previous two effective permissions is Change. Although John has Full Control NTFS permission for the folder, he is accessing the folder through a shared folder for which he only has Change permissions.

    icon_arrow.gifwww.techexams.net/forums/viewtopic.php?t=13318

    icon_arrow.gifwww.techexams.net/forums/viewtopic.php?t=11804

    icon_arrow.gifwww.techexams.net/forums/viewtopic.php?t=10839

    icon_arrow.gifwww.techexams.net/forums/viewtopic.php?t=4104

    icon_idea.gifwww.techexams.net/forums/search.php
  • MishraMishra Member Posts: 2,468 ■■■■□□□□□□
    Start at NTFS permissions and understand what John has access to. Which is full control and read. He then takes the less restrictive permission (which is full control) and will go through the share permissions to see what he has access to after the share permission. He notices that he only has Change share permissions so his full control permissions is filtered back to modify (or change... however it makes sense to you).
    My blog http://www.calegp.com

    You may learn something!
  • RulkiewiczRulkiewicz Member Posts: 29 ■□□□□□□□□□
    Mishra wrote:
    Start at NTFS permissions and understand what John has access to. Which is full control and read. He then takes the less restrictive permission (which is full control) and will go through the share permissions to see what he has access to after the share permission. He notices that he only has Change share permissions so his full control permissions is filtered back to modify (or change... however it makes sense to you).

    Ah!

    So, because John has been assigned both NTFS Full, and NTFS Read, he has the highest permission (least restrictive), which is Full, but because he also have the Share permission "Change", and between NTFS and Share, he takes the LEAST permission...

    Gotcha, thanks! So I have to burn it to my memory that you must start at NTFS and pick the least restrictive, then out of that, choose the most restrictive it "share" also comes into play. And "Deny" always overrides everything.

    Thanks!
  • MishraMishra Member Posts: 2,468 ■■■■□□□□□□
    Rulkiewicz wrote:
    Mishra wrote:
    Start at NTFS permissions and understand what John has access to. Which is full control and read. He then takes the less restrictive permission (which is full control) and will go through the share permissions to see what he has access to after the share permission. He notices that he only has Change share permissions so his full control permissions is filtered back to modify (or change... however it makes sense to you).

    Ah!

    So, because John has been assigned both NTFS Full, and NTFS Read, he has the highest permission (least restrictive), which is Full, but because he also have the Share permission "Change", and between NTFS and Share, he takes the LEAST permission...

    Gotcha, thanks! So I have to burn it to my memory that you must start at NTFS and pick the least restrictive, then out of that, choose the most restrictive it "share" also comes into play. And "Deny" always overrides everything.

    Thanks!

    It is always least restrictive even with share permissions.

    If John had modify and write permissions on NTFS and had full control and read permissions on the shares (this is assuming his second permissions comes from a group) then he would have modify to the folder. You would take modify from NTFS and filter it through the least restrictive on the share side which would be full control which would leave him with modify permissions to the folder.
    My blog http://www.calegp.com

    You may learn something!
  • APAAPA Member Posts: 959
    Think of it this way.......

    NTFS Permissions are cumulative

    Share permissions are cumulative

    But when used in tandem it's the most restrictive of the two that takes effect.........

    Also

    Deny permissions do override everything........ But if you assign an allow permission explicitly.....over an inherited deny permission then the explicitly assign allow will override it.

    Explicitly assigned permissions override inherited permissions!!!

    Hope this helps :D

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
  • RulkiewiczRulkiewicz Member Posts: 29 ■□□□□□□□□□
    Think of it this way.......

    NTFS Permissions are cumulative

    Share permissions are cumulative

    But when used in tandem it's the most restrictive of the two that takes effect.........

    Also

    Deny permissions do override everything........ But if you assign an allow permission explicitly.....over an inherited deny permission then the explicitly assign allow will override it.

    Explicitly assigned permissions override inherited permissions!!!

    Hope this helps :D

    What's an explict permission?
Sign In or Register to comment.