Clarification needed for this Question

win2k8

10. You are the domain administrator for a small Windows 2003 domain. You created a new shared folder on FileServer01 and assigned the share permission Change to Everyone. Lisa, a user from the Finance department, has been granted Full Control NTFS permission to the folder. Lisa is also a member of the Sales group, which has been assigned Read NTFS permissions.

What are Lisa's effective permissions when connecting to the shared folder?
a. Read
b. Read & Execute
c. Change
d. Full Control


Answer(s): c. Change

Your Answer(s): a. Read


Does anybody know why it is change and not read? It says in the explanation when combining share and ntfs permissions the most restrictive applies? So that would be read right? Or is it not read because it doesnt directly state that the Sales group has permission on the shared folder on FileServer01 ?

Thanks in advance for the clarification,

win2k4

astorrs

Lisa, a user from the Finance department, has been granted Full Control NTFS permission to the folder. Lisa is also a member of the Sales group, which has been assigned Read NTFS permissions.

Lisa = Full Control
Sales = Read
Share = Change

Results in Lisa = NTFS (Full Control + Read = Full Control) + Share (Change) = Change

Because specific permissions granted to a user are combined with those granted to all the groups they belong too and the highest wins (remember though deny always "outranks" allow). But when combining share & NTFS permissions the most restrictive wins.

win2k8

I still don't get it...

Thanks for trying,

win2k4

Essendon

Share Permission : Change

NTFS Permission : Full Control. Why? Because, Full control(from Finance) + Read(from Sales) = Full Control

Effective Permissions = Most restrictive

Out of Change and Full Control, most restrictive is Change.

Hence, answer is Change.

Hope that explains things.

dynamik

Win2k, I think you overlooked the fact that the everyone group has a change share permission.

Essendon

dynamik wrote:

Win2k, I think you overlooked the fact that the everyone group has a change share permission.

+1

rickjr13

So basically, when combining same permission types (ntfs+ntfs or share+share) the highest (least restrictive wins. But when combining different types (ntfs+share) the most restrictive of the two wins. Did I get that right? This always confused me too.

win2k8

OMG!!! I think i just got it! It went like baaaazing.

Now i see why:

On the NTFS side of things we have: Full Control + Read. Remember when dealing with NTFS permissions the cumulative or addition of both are the effective permissions. So if we add Full Control with Read we equal on this side basically Full Control + Read access.

Now on the Share side we have only Change.

Now when dealing with BOTH share and NTFS permissions, the most restrictive applies.

So on NTFS we had: Full Control (+Read)
And on Share side: Change

So when both are in use, the most restrictive applies that being Change. And thats the answer!

Thanks everyone,

you all helped me get this through my brain!

dynamik

rickj13 wrote:

So basically, when combining same permission types (ntfs+ntfs or share+share) the highest (least restrictive wins. But when combining different types (ntfs+share) the most restrictive of the two wins. Did I get that right? This always confused me too.

Yep (unless there are deny permissions, which take precedence over allow). Welcome to the site!

Also, both of you be sure to remember that share permissions are only taken into account if the resource is accessed over the network. If a user has a full control ntfs permission and a change share permission, he will have full control when accessing the file locally but change over the network. A question might lead you to believe that share permissions are a major part of the question (i.e. tell you he belongs to eight different groups with varying share permissions), only to sneak in the fact that the user is working locally.

astorrs

baaaazing

That's hilarious. Glad it makes sense now (thanks dynamik and MobilOne).

On another note (and somewhat a best practice of most people who've been around for a while in the Windows world - you'll find lots out there if you Google it) is to set the share permissions on a file server to Authenticated Users = Full Control and do all of the permissions control through NTFS permissions. This allows you to benefit from the granularity of NTFS permissions and as an added bonus, keeps things much easier when troubleshooting. Remember share permissions date back to providing rudimentary support for permissions on FAT drives. If users won't be accessing anything locally from the server (which should be the case on most servers with shares anyway) don't confuse yourself with complex permission hierarchies.

And the two other things I can offer: This one is probably in your book - steer clear of "deny" permissions. They should only be used in specific cases. If you find yourself using them all the time it's probably time to re-evaluate your folder structure. The other one is download the Access Based Enumeration (ABE) plug-in from Microsoft. This allows you to "hide" folders from users if they don't have at least Read permissions; it makes the folder structure that much easier for the users - they can't see it if they don't need to (and to those who wonder, yes, this is basically the same thing Novell had 15 years ago. ).