nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Understanding Permissions

w^rl0rd

O.K.

There are NTFS and Share level permissions.
If I understand correctly, they are cumulative and the most restrictive is the effective permission.

However, in one of the practice exam questions, the Everyone group had Change permissions for a share, while a user with membership to two groups having Full Control and Read, effectively had Change.

How does he have Change when the least restrictive is Read?

Find more posts tagged with

SAVE $250 on Your Microsoft Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Microsoft Boot Camps

Comments

CCIE2008

Sounds strange. Can you post the actual question?

Thanks

ICreateLoops

The 2 groups you refer to that have Change and Full control, are those the NTFS permissions or are you saying all of them are share permissions?

w^rl0rd

18. You share a folder on your computer and you assigned the share permission Change to Everyone. John, a user from the Sales department, has been granted Full Control NTFS permission to the folder. John is also a member of the Sales group, which has been assigned Read NTFS permissions.
What are John's effective permissions when connecting to the shared folder?

a. Read
b. Read & Execute
c. Change
d. Full Control

Answer(s): c. Change

Explanation:
The effective NTFS permissions are the sum of the permissions assigned to user and to groups the user belongs to. (except for Deny permissions which overrides any other permissions assigned.) When you combine NTFS and Share permissions the most restictive applies.

w^rl0rd

See above.

If most restrictive applies, then wouldn't his effective permissions be Read from the Sales group?

Read is more restrictive than Change right?

Webmaster

As I wrote in the explanation:

When you combine NTFS and Share permissions the most restictive applies.

The permissions 'combined' are the effective NTFS permissions + the effective share permissions.

John's effective NTFS permission is Full Control(user permission) + Read (Sales group permission) which results in the effective NTFS permission Full Control. (as mentioned in the explanation: The effective NTFS permissions are the sum of the permissions assigned to user and to groups the user belongs to, as in the least restrictive applies.)

When you combine these NTFS permissions with Share permissions, the most restrictive applies. Hence, NTFS permission Full Control + Share permission Change results in effective permission Change, when connecting to the shared folder.

CCIE2008

When finding your effective permissions when combining Share level access with NTFS, you need to know the LEAST/MOST restriction rule.

First add up your permissions for NTFS and Share level seperately. Then take the least restrictive permission.

NTFS:
John User - Full Control
John Sales Group - Read
=================
Least restrictive: Full

Share:

Everyone Change
========================
Least restricive: Change

Now you compare your share and ntfs permissions to get the most restricive.

NTFS: Full
Share: Cange
==================
Most Restrictive: Change

Change is the user's effective permission. The only exception is when you use an explicit deny. Deny overrides and becomes the effective permission. Hope this helps. Let me know if you need any more info.

w^rl0rd

Thanks everyone, I understand it now.

ScareCrow

CCIE2008 good explanation, this has helped me.... Good post all round, good forum...!!!