Permissions question

Seems I am misinterpreting another thing (after the Group Accounts question in my last post)...

I have read and heard (CBT Nuggets) that the most restrictive set of permissions is the one that applies in the end, be it NTFS or Share.

So, I create a folder to play with permissions and call it Docs and I have a user, Dan Holme. I also create a notepad document. I go into the sharing tab on the properties box and configure Dan to have READ access to the folder. Then I go to the security tab and configure Dan to have FULL CONTROL.

Now, when I logon as Dan and according to my understanding (which is taking a hit !), Dan should have READ only access to the folder and not make changes to the folder, such as modify the files inside it, execute files and so on. But he can and was able to make changes to the text file.

WHY??

Find more posts tagged with

Comments

Mishra

Sharing permissions are applied when accessing the share remotely. When logged on locally to the machine, only NTFS permissions are applied.

Dan (on remote machine) --> browses \\file\share --> read permissions is applied from share permissions --> read permission is allowed from NTFS permissions --> access granted

Dan (local on machine) --> Goes to c:\share --> full control is applied/allowed from NTFS permissions --> access granted

Essendon

Sharing permissions are applied when accessing the share remotely. When logged on locally to the machine, only NTFS permissions are applied.

Shouldnt have forgotten that.

Thank you, Mishra.

MikeInMoseley

NTFS permissions on their own are cumulative.
i.e. You are in two groups, one has read access, the other modify. Your
cumulative permission is the LEAST restrictive. So in this case it
would be Modify.

The same goes for the share permissions, on their own as cumulative.
i.e. You are in two groups, one has no access, the other read. Your
cumulative permission is the LEAST restrictive. So in this case Read.

However when a client accesses this folder share via the network you
will be accessing you have to take into account BOTH sets of
permissions.
i.e. as earlier you have modify NTFS permissions and read Share
permissions. When you combine the two, the MOST restrictive applies. So
in this case it would be Read.

Essendon

Thanks Mike, that really cleared things up. Guess I need to master Permissions to have a chance of clearing the exam.

royal

I posted this in another thread, but maybe it'll add to your understanding:

Share Permissions = Accumulate all permissions for a user based on access given to him or groups he is in
NTFS = Accumulate all NTFS Permissions for a user based on access given to him or groups he is in

Now take the most restrictive between Share and NTFS

So, for example:

Joe is a a member of both Marketing and Sakes

We are working on the Share "Files"

The Files folder is shared out and has the following share permissions:
Marketing - No Permissions Configured
Sales - Read

The Files folder has the following NTFS permissions:
Marketing - Read/Write
Sales - Full Control

The Documents folder is shared out and has the following share permissions:
Marketing - Full Control
Sales - Read

The Documents folder has the following NTFS permissions:
Marketing - Full Control
Sales - Full Control

Files folder: Joe will land up with read access. - We added up all the NTFS Permissions and then all the Share permissions and whichever was more restrictive won.

Documents folder: Joe will land up with full control access - We added up all the NTFS Permissions and then all the Share permissions and whichever was more restrictive won.

Think of it using this analogy. NTFS is a team and Share is a team. In order to win, you're going to try to accumulate as many members (permissions) as possible to defeat your opponent. In this case, NTFS accumulates as many permissions as possible for the NTFS team. Share is going to accumulate as many members (permissions) as possible for the Share Team. It is now NTFS vs Share (the most restrictive wins).

Essendon

Jesus, Elan! That was very well explained. Doesnt get much clearer than this! I am not going to forget this in a long time now....