A question about practice exam question regardiing permiss..
Rulkiewicz
Member Posts: 29 ■□□□□□□□□□
31. You share a folder on your computer and you assigned the share permission Change to Everyone. John, a user from the Sales department, has been granted Full Control NTFS permission to the folder. John is also a member of the Sales group, which has been assigned Read NTFS permissions.
What are John's effective permissions when connecting to the shared folder?
a. Read
b. Read & Execute
c. Change
d. Full Control
The answer is C, but I thought it would be A, because that is the most rescritive permission...(when you corss NTFS with Share)?
I don't understand?
Thanks!
What are John's effective permissions when connecting to the shared folder?
a. Read
b. Read & Execute
c. Change
d. Full Control
The answer is C, but I thought it would be A, because that is the most rescritive permission...(when you corss NTFS with Share)?
I don't understand?
Thanks!
Comments
-
Webmaster Admin Posts: 10,292 AdminFollowing is quote from some of my 70-290 TechNotes but it uses this question as an example:When you combine NTFS permissions and share permissions the most restrictive effective permission counts. For example, if you create a folder with files and assign them Full Control NTFS permissions to Everyone and share the same folder and assign the share permission Read to Everyone, users connecting through the network will have Read permissions.
Probably the most common mistake made when combining share permissions and NTFS permissions is to add them all to a single pile and then take the most restrictive. Instead, you need to determine the effective share permissions amd the effective NTFS permission before taking the most restrictive.
So to determine what the permissions are for a user connecting through a shared folder to a local folder protected with NTFS permissions you need to do the following:
1. Determine the ‘effective’ NTFS permissions
2. Determine the ‘effective’ share permissions
3. Take the most restrictive of these two.
Following is a practice questions that raised discussion in our forums several times:
X. You share a folder on your computer and you assigned the share permission Change to Everyone. John, a user from the Sales department, has been granted Full Control NTFS permission to the folder. John is also a member of the Sales group, which has been assigned Read NTFS permissions. What are John's effective permissions when connecting to the shared folder?
a. Read
b. Read & Execute
c. Change
d. Full Control
The correct answer is c. Change, but many people seem to be inclined to choose answer a. Read instead because Read is the most restrictive permission. However, it is the most restrictive effective permissions that counts.
1. Determine the effective NTFS permissions:
As mentioned earlier in the NTFS permissions section, NTFS permissions are cumulative. This means the least restrictive applies when considering only NTFS permissions. In this case, this means John has Read NTFS permissions for the folder through the Sales group, and Full Control NTFS permission through his own account, hence his effective NTFS permissions is Full Control.
2. Determine the effective share permissions:
The question only mentions that the share permissions are Change to Everyone, so no other share permissions have been explicitly assigned for the Sales group or John and hence the effective share permission is Change.
3. Take the most restrictive of these two:
The most restrictive of the previous two effective permissions is Change. Although John has Full Control NTFS permission for the folder, he is accessing the folder through a shared folder for which he only has Change permissions.
www.techexams.net/forums/viewtopic.php?t=13318
www.techexams.net/forums/viewtopic.php?t=11804
www.techexams.net/forums/viewtopic.php?t=10839
www.techexams.net/forums/viewtopic.php?t=4104
www.techexams.net/forums/search.php -
Mishra Member Posts: 2,468 ■■■■□□□□□□Start at NTFS permissions and understand what John has access to. Which is full control and read. He then takes the less restrictive permission (which is full control) and will go through the share permissions to see what he has access to after the share permission. He notices that he only has Change share permissions so his full control permissions is filtered back to modify (or change... however it makes sense to you).
-
Rulkiewicz Member Posts: 29 ■□□□□□□□□□Mishra wrote:Start at NTFS permissions and understand what John has access to. Which is full control and read. He then takes the less restrictive permission (which is full control) and will go through the share permissions to see what he has access to after the share permission. He notices that he only has Change share permissions so his full control permissions is filtered back to modify (or change... however it makes sense to you).
Ah!
So, because John has been assigned both NTFS Full, and NTFS Read, he has the highest permission (least restrictive), which is Full, but because he also have the Share permission "Change", and between NTFS and Share, he takes the LEAST permission...
Gotcha, thanks! So I have to burn it to my memory that you must start at NTFS and pick the least restrictive, then out of that, choose the most restrictive it "share" also comes into play. And "Deny" always overrides everything.
Thanks! -
Mishra Member Posts: 2,468 ■■■■□□□□□□Rulkiewicz wrote:Mishra wrote:Start at NTFS permissions and understand what John has access to. Which is full control and read. He then takes the less restrictive permission (which is full control) and will go through the share permissions to see what he has access to after the share permission. He notices that he only has Change share permissions so his full control permissions is filtered back to modify (or change... however it makes sense to you).
Ah!
So, because John has been assigned both NTFS Full, and NTFS Read, he has the highest permission (least restrictive), which is Full, but because he also have the Share permission "Change", and between NTFS and Share, he takes the LEAST permission...
Gotcha, thanks! So I have to burn it to my memory that you must start at NTFS and pick the least restrictive, then out of that, choose the most restrictive it "share" also comes into play. And "Deny" always overrides everything.
Thanks!
It is always least restrictive even with share permissions.
If John had modify and write permissions on NTFS and had full control and read permissions on the shares (this is assuming his second permissions comes from a group) then he would have modify to the folder. You would take modify from NTFS and filter it through the least restrictive on the share side which would be full control which would leave him with modify permissions to the folder. -
APA Member Posts: 959Think of it this way.......
NTFS Permissions are cumulative
Share permissions are cumulative
But when used in tandem it's the most restrictive of the two that takes effect.........
Also
Deny permissions do override everything........ But if you assign an allow permission explicitly.....over an inherited deny permission then the explicitly assign allow will override it.
Explicitly assigned permissions override inherited permissions!!!
Hope this helps
CCNA | CCNA:Security | CCNP | CCIP
JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
JNCIS:SP | JNCIP:SP -
Rulkiewicz Member Posts: 29 ■□□□□□□□□□Adrian_Arumugam wrote:Think of it this way.......
NTFS Permissions are cumulative
Share permissions are cumulative
But when used in tandem it's the most restrictive of the two that takes effect.........
Also
Deny permissions do override everything........ But if you assign an allow permission explicitly.....over an inherited deny permission then the explicitly assign allow will override it.
Explicitly assigned permissions override inherited permissions!!!
Hope this helps
What's an explict permission?