Permissions question
Essendon
Member Posts: 4,546 ■■■■■■■■■■
Seems I am misinterpreting another thing (after the Group Accounts question in my last post)...
I have read and heard (CBT Nuggets) that the most restrictive set of permissions is the one that applies in the end, be it NTFS or Share.
So, I create a folder to play with permissions and call it Docs and I have a user, Dan Holme. I also create a notepad document. I go into the sharing tab on the properties box and configure Dan to have READ access to the folder. Then I go to the security tab and configure Dan to have FULL CONTROL.
Now, when I logon as Dan and according to my understanding (which is taking a hit !), Dan should have READ only access to the folder and not make changes to the folder, such as modify the files inside it, execute files and so on. But he can and was able to make changes to the text file.
WHY??
I have read and heard (CBT Nuggets) that the most restrictive set of permissions is the one that applies in the end, be it NTFS or Share.
So, I create a folder to play with permissions and call it Docs and I have a user, Dan Holme. I also create a notepad document. I go into the sharing tab on the properties box and configure Dan to have READ access to the folder. Then I go to the security tab and configure Dan to have FULL CONTROL.
Now, when I logon as Dan and according to my understanding (which is taking a hit !), Dan should have READ only access to the folder and not make changes to the folder, such as modify the files inside it, execute files and so on. But he can and was able to make changes to the text file.
WHY??
Comments
-
Mishra
Member Posts: 2,468 ■■■■□□□□□□
Sharing permissions are applied when accessing the share remotely. When logged on locally to the machine, only NTFS permissions are applied.
Dan (on remote machine) --> browses \\file\share --> read permissions is applied from share permissions --> read permission is allowed from NTFS permissions --> access granted
Dan (local on machine) --> Goes to c:\share --> full control is applied/allowed from NTFS permissions --> access granted -
Essendon
Member Posts: 4,546 ■■■■■■■■■■
Sharing permissions are applied when accessing the share remotely. When logged on locally to the machine, only NTFS permissions are applied.
Shouldnt have forgotten that.
Thank you, Mishra. -
MikeInMoseley
Member Posts: 48 ■■□□□□□□□□
NTFS permissions on their own are cumulative.
i.e. You are in two groups, one has read access, the other modify. Your
cumulative permission is the LEAST restrictive. So in this case it
would be Modify.
The same goes for the share permissions, on their own as cumulative.
i.e. You are in two groups, one has no access, the other read. Your
cumulative permission is the LEAST restrictive. So in this case Read.
However when a client accesses this folder share via the network you
will be accessing you have to take into account BOTH sets of
permissions.
i.e. as earlier you have modify NTFS permissions and read Share
permissions. When you combine the two, the MOST restrictive applies. So
in this case it would be Read. -
Essendon
Member Posts: 4,546 ■■■■■■■■■■
Thanks Mike, that really cleared things up. Guess I need to master Permissions to have a chance of clearing the exam.
-
royal
Member Posts: 3,352 ■■■■□□□□□□
I posted this in another thread, but maybe it'll add to your understanding:
Share Permissions = Accumulate all permissions for a user based on access given to him or groups he is in
NTFS = Accumulate all NTFS Permissions for a user based on access given to him or groups he is in
Now take the most restrictive between Share and NTFS
So, for example:
Joe is a a member of both Marketing and Sakes
We are working on the Share "Files"
The Files folder is shared out and has the following share permissions:
Marketing - No Permissions Configured
Sales - Read
The Files folder has the following NTFS permissions:
Marketing - Read/Write
Sales - Full Control
The Documents folder is shared out and has the following share permissions:
Marketing - Full Control
Sales - Read
The Documents folder has the following NTFS permissions:
Marketing - Full Control
Sales - Full Control
Files folder: Joe will land up with read access. - We added up all the NTFS Permissions and then all the Share permissions and whichever was more restrictive won.
Documents folder: Joe will land up with full control access - We added up all the NTFS Permissions and then all the Share permissions and whichever was more restrictive won.
Think of it using this analogy. NTFS is a team and Share is a team. In order to win, you're going to try to accumulate as many members (permissions) as possible to defeat your opponent. In this case, NTFS accumulates as many permissions as possible for the NTFS team. Share is going to accumulate as many members (permissions) as possible for the Share Team. It is now NTFS vs Share (the most restrictive wins).“For success, attitude is equally as important as ability.” - Harry F. Banks -
Essendon
Member Posts: 4,546 ■■■■■■■■■■
Jesus, Elan! That was very well explained. Doesnt get much clearer than this! I am not going to forget this in a long time now....
