Understanding Permissions

w^rl0rd · June 2004

O.K.

There are NTFS and Share level permissions.
If I understand correctly, they are cumulative and the most restrictive is the effective permission.

However, in one of the practice exam questions, the Everyone group had Change permissions for a share, while a user with membership to two groups having Full Control and Read, effectively had Change.

How does he have Change when the least restrictive is Read?

CCIE2008 · June 2004

Sounds strange. Can you post the actual question?

Thanks

ICreateLoops · June 2004

The 2 groups you refer to that have Change and Full control, are those the NTFS permissions or are you saying all of them are share permissions?

w^rl0rd · June 2004

18. You share a folder on your computer and you assigned the share permission Change to Everyone. John, a user from the Sales department, has been granted Full Control NTFS permission to the folder. John is also a member of the Sales group, which has been assigned Read NTFS permissions.
What are John's effective permissions when connecting to the shared folder?

a. Read
b. Read & Execute
c. Change
d. Full Control

Answer(s): c. Change

Explanation:
The effective NTFS permissions are the sum of the permissions assigned to user and to groups the user belongs to. (except for Deny permissions which overrides any other permissions assigned.) When you combine NTFS and Share permissions the most restictive applies.

w^rl0rd · June 2004

See above.

If most restrictive applies, then wouldn't his effective permissions be Read from the Sales group?

Read is more restrictive than Change right?

Webmaster · June 2004

As I wrote in the explanation:

When you combine NTFS and Share permissions the most restictive applies.

The permissions 'combined' are the effective NTFS permissions + the effective share permissions.

John's effective NTFS permission is Full Control(user permission) + Read (Sales group permission) which results in the effective NTFS permission Full Control. (as mentioned in the explanation: The effective NTFS permissions are the sum of the permissions assigned to user and to groups the user belongs to, as in the least restrictive applies.)

When you combine these NTFS permissions with Share permissions, the most restrictive applies. Hence, NTFS permission Full Control + Share permission Change results in effective permission Change, when connecting to the shared folder.

CCIE2008 · June 2004

When finding your effective permissions when combining Share level access with NTFS, you need to know the LEAST/MOST restriction rule.

First add up your permissions for NTFS and Share level seperately. Then take the least restrictive permission.

NTFS:
John User - Full Control
John Sales Group - Read
=================
Least restrictive: Full

Share:

Everyone Change
========================
Least restricive: Change

Now you compare your share and ntfs permissions to get the most restricive.

NTFS: Full
Share: Cange
==================
Most Restrictive: Change

Change is the user's effective permission. The only exception is when you use an explicit deny. Deny overrides and becomes the effective permission. Hope this helps. Let me know if you need any more info.

w^rl0rd · June 2004

Thanks everyone, I understand it now.

ScareCrow · June 2004

CCIE2008 good explanation, this has helped me.... Good post all round, good forum...!!!

Understanding Permissions

Comments