Clarification needed for this Question

win2k8 Users Awaiting Email Confirmation Posts: 262
10. You are the domain administrator for a small Windows 2003 domain. You created a new shared folder on FileServer01 and assigned the share permission Change to Everyone. Lisa, a user from the Finance department, has been granted Full Control NTFS permission to the folder. Lisa is also a member of the Sales group, which has been assigned Read NTFS permissions.

What are Lisa's effective permissions when connecting to the shared folder?
a. Read
b. Read & Execute
c. Change
d. Full Control


Answer(s): c. Change

Your Answer(s): a. Read


Does anybody know why it is Change and not Read? It says in the explanation that when combining share and NTFS permissions the most restrictive applies? So that would be Read, right? Or is it not Read because it doesn't directly state that the Sales group has permission on the shared folder on FileServer01?

Thanks in advance for the clarification,

win2k4

Comments

  • astorrs Member Posts: 3,139
    Lisa, a user from the Finance department, has been granted Full Control NTFS permission to the folder. Lisa is also a member of the Sales group, which has been assigned Read NTFS permissions.

    Lisa = Full Control
    Sales = Read
    Share = Change

    Results in Lisa = NTFS (Full Control + Read = Full Control) + Share (Change) = Change

    Because specific permissions granted to a user are combined with those granted to all the groups they belong to, and the highest wins (remember though, deny always "outranks" allow). But when combining share & NTFS permissions the most restrictive wins.
  • win2k8 Users Awaiting Email Confirmation Posts: 262
    I still don't get it...

    Thanks for trying,

    win2k4
  • Essendon Member Posts: 4,546
    Share Permission: Change

    NTFS Permission: Full Control. Why? Because Full Control (from Finance) + Read (from Sales) = Full Control

    Effective Permissions = Most restrictive

    Out of Change and Full Control, most restrictive is Change.

    Hence, answer is Change.

    Hope that explains things.
    NSX, NSX, more NSX..

    Blog >> http://virtual10.com
  • dynamik Banned Posts: 12,312
    Win2k, I think you overlooked the fact that the everyone group has a change share permission.
  • Essendon Member Posts: 4,546
    dynamik wrote:
    Win2k, I think you overlooked the fact that the everyone group has a change share permission.

    +1
  • rickjr13 Member Posts: 30
    So basically, when combining same permission types (NTFS+NTFS or share+share) the highest (least restrictive) wins. But when combining different types (NTFS+share) the most restrictive of the two wins. Did I get that right? This always confused me too.
  • win2k8 Users Awaiting Email Confirmation Posts: 262
    OMG!!! I think I just got it! It went like baaaazing.

    Now I see why:

    On the NTFS side of things we have: Full Control + Read. Remember when dealing with NTFS permissions the cumulative or addition of both are the effective permissions. So if we add Full Control with Read we equal on this side basically Full Control + Read access.

    Now on the Share side we have only Change.

    Now when dealing with BOTH share and NTFS permissions, the most restrictive applies.

    So on NTFS we had: Full Control (+Read)
    And on Share side: Change

    So when both are in use, the most restrictive applies, that being Change. And that's the answer!

    Thanks everyone,

    you all helped me get this through my brain!
  • dynamik Banned Posts: 12,312
    rickjr13 wrote:
    So basically, when combining same permission types (NTFS+NTFS or share+share) the highest (least restrictive) wins. But when combining different types (NTFS+share) the most restrictive of the two wins. Did I get that right? This always confused me too.

    Yep (unless there are deny permissions, which take precedence over allow). Welcome to the site!

    Also, both of you be sure to remember that share permissions are only taken into account if the resource is accessed over the network. If a user has a Full Control NTFS permission and a Change share permission, he will have Full Control when accessing the file locally but Change over the network. A question might lead you to believe that share permissions are a major part of the question (i.e. tell you he belongs to eight different groups with varying share permissions), only to sneak in the fact that the user is working locally.
  • astorrs Member Posts: 3,139
    baaaazing

    That's hilarious. Glad it makes sense now (thanks dynamik and MobilOne).

    On another note (and somewhat a best practice of most people who've been around for a while in the Windows world - you'll find lots out there if you Google it) is to set the share permissions on a file server to Authenticated Users = Full Control and do all of the permissions control through NTFS permissions. This allows you to benefit from the granularity of NTFS permissions and as an added bonus, keeps things much easier when troubleshooting. Remember share permissions date back to providing rudimentary support for permissions on FAT drives. If users won't be accessing anything locally from the server (which should be the case on most servers with shares anyway) don't confuse yourself with complex permission hierarchies.

    And the two other things I can offer: This one is probably in your book - steer clear of "deny" permissions. They should only be used in specific cases. If you find yourself using them all the time it's probably time to re-evaluate your folder structure. The other one is download the Access Based Enumeration (ABE) plug-in from Microsoft. This allows you to "hide" folders from users if they don't have at least Read permissions; it makes the folder structure that much easier for the users - they can't see it if they don't need to (and to those who wonder, yes, this is basically the same thing Novell had 15 years ago. :D).
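
The rule the thread arrives at, as an added example that is not part of any poster's reply: a small Python model using the standard Windows access-mask values for each permission level. Trustee names stand in for SIDs, the function names are hypothetical, and deny is modelled as always overriding allow, as stated in the thread.

```python
# Standard Windows access-mask values for the named permission levels.
FULL_CONTROL = 0x1F01FF
MODIFY = 0x1301BF          # the share permission "Change" uses this mask
READ_EXECUTE = 0x1200A9
READ = 0x120089
LEVELS = [("Full Control", FULL_CONTROL), ("Change", MODIFY),
          ("Read & Execute", READ_EXECUTE), ("Read", READ)]


def granted(acl, sids):
    """Combine one ACL: allows are cumulative, any deny removes its bits."""
    allow = deny = 0
    for trustee, kind, mask in acl:
        if trustee in sids:
            if kind == "allow":
                allow |= mask
            else:
                deny |= mask
    return allow & ~deny


def effective(ntfs_acl, share_acl, sids, over_network=True):
    """NTFS alone for local access; NTFS intersected with share over SMB."""
    ntfs = granted(ntfs_acl, sids)
    if not over_network:
        return ntfs
    return ntfs & granted(share_acl, sids)


def level_name(mask):
    """Highest named level whose bits are all present in the mask."""
    for name, bits in LEVELS:
        if mask & bits == bits:
            return name
    return "No access"


# The scenario from the question: Lisa's token holds her own identity,
# the Sales group and Everyone (trustee names stand in for SIDs).
LISA = {"Lisa", "Sales", "Everyone"}
NTFS_ACL = [("Lisa", "allow", FULL_CONTROL), ("Sales", "allow", READ)]
SHARE_ACL = [("Everyone", "allow", MODIFY)]

if __name__ == "__main__":
    print(level_name(effective(NTFS_ACL, SHARE_ACL, LISA)))         # network
    print(level_name(effective(NTFS_ACL, SHARE_ACL, LISA, False)))  # local
```

Intersecting the two masks is what "most restrictive wins" means at the bit level, which is why the same account gets a different result locally and over the network.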