effective permissions

Can someone explain this to me please? Also, what if the example below was just all combining "share permissions", what would happen? And also, what if the example below combined just the "NTFS" permissions? What then happens?
Thank you. In other words, what are the rules when you do not combine share and NTFS, but just "share" and "NTFS" separately on a question?
What happens? Thank you.

18. You share a folder on your computer and you assigned the share permission Change to Everyone. John, a user from the Sales department, has been granted Full Control NTFS permission to the folder. John is also a member of the Sales group, which has been assigned Read NTFS permissions.
What are John's effective permissions when connecting to the shared folder?
a. Read
b. Read & Execute
c. Change
d. Full Control


Answer(s): c. Change




Explanation:
The effective NTFS permissions are the sum of the permissions assigned to the user and to the groups the user belongs to (except for explicit deny permissions, which override any other conflicting permissions assigned). When you combine NTFS and share permissions, the most restrictive applies.

Comments

  • Pash Member Posts: 1,600
    It is the least restrictive from each share or ntfs and then the most restrictive when combined.

    Deny always takes precedence over Allow and negates any permission with which it conflicts.

    If you remember those two lines, you can't mess it up.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • susuandme Member Posts: 136
    thanks, I sent you a personal message, but it is a bit confusing,

    you say when just added up all the ntfs permissions it is the most permissive that will count, would that mean. if Jack has

    modify, change, read, write, then just add them all up, or do I just
    take out the most permissive strongest one, or is his effective
    permissions : All of these


    With combining NTFS and share: I would just add them up and pick out the single most restrictive permission. I know this seems like it should be easy, but I'm not catching on. Thanks
  • gravyjoe Member Posts: 260
    Hi susuandme. I like to think of it as three battles. The first battle is with the NTFS permissions. The King of permissions always wins this battle, for example: Full Control or Modify. Whatever the highest rank in this battle is wins. So if you had read, write, modify, and full control in this battle, full control would win. So the other three permissions are dead, they don't exist anymore.

    The second battle is with the share permissions. The same principle applies here. If you had the permissions read & execute and change, change would win this battle because it is the highest rank in this battle. Read & execute is now dead, wiped out of existence. If full control was in this battle, it would've won, but only read & execute and change were in this battle, so change prevails.

    Now the next part of this story has a movie like ending. The third and final battle, the NTFS permission Full Control against the Share permission Change. This part is like David and Goliath. Goliath is a giant and David is a boy. Goliath=Full Control, David=change. David ended up beating Goliath. Same thing will happen with the permissions. Full control vs. change, the SMALLER rank change wins, the underdog.

    In a different scenario, if you're not combining NTFS and Share permissions together, nobody gets killed. For example, if there's only NTFS permissions, if you have read, read and execute, write, and modify, you have ALL of those permissions, not just one. There is no battle. The NTFS neighborhood without Share permissions is a peaceful one. All permissions work together. So generally speaking, to the human eye, it would seem that your permission is Modify, because with modify by itself, you can already read & execute, write, and more. But according to the computer, you still have all of those permissions. I hope all of this makes sense.
    The biggest risk in life is not taking one.
  • royal Member Posts: 3,352
    Here's the analogy I have used several times in the past. Pretty similar to gravyjoe but maybe seeing his analogy and mine will help it sink in.
    You have Share Permissions
    You have NTFS Permissions

    All your Share Permissions are cumulative
    All your NTFS Permissions are cumulative

    It then takes the most restrictive and assigns those as effective permissions. Think of it as a competition of Share vs NTFS. Share will gather as many teammates as possible (cumulating permissions). NTFS will also gather as many teammates as possible (cumulating permissions). Share and NTFS will then duke it out. The toughest (most restrictive permissions) wins.

    So let's say you have a user named John. John has NTFS Read. John is a part of the Sales group. The Sales group has Write. Because John has Read and is a part of the Sales group, he effectively has Read AND Write. This means if John accesses the file system via console and goes to My Computer > C > bleh bleh and accesses that folder/file, he will be able to read AND write.

    Now let's keep those NTFS permissions on that folder, but now let's share it out. By default, the Everyone group has read access to that share and that is all. Now let's say John instead goes to \\server\folder. He will ONLY be granted Read access and will not be able to write. Why? Even though his NTFS permissions are Read/Write, he is restricted due to the Share permissions being more restrictive. Remember, it is Share vs NTFS. Share has more restrictive permissions (Everyone Read only, there is no Write there).

    In real world, generally speaking, you'll just assign Share permissions to Everyone/Full Control. You will then restrict people's access via NTFS permissions.

    Hope this helps.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
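The rule the answers above describe (rights accumulate within the share ACL and within the NTFS ACL, deny removes rights, and network access gets only what both ACLs allow), worked through as an added example that is not part of any post in the thread. It is a simplified model of explicit ACEs only; the bit values are the .NET FileSystemRights values, while the mapping of share levels onto the same bits and every name in the code are assumptions of the example.

```python
# Added example. Simplified model: explicit ACEs only, no inheritance or ACE order.
# Bit values are .NET FileSystemRights (Synchronize bit omitted).
READ, WRITE, READ_EXECUTE = 0x20089, 0x116, 0x200A9
MODIFY, FULL_CONTROL = 0x301BF, 0x1F01FF

NTFS_LEVELS = {"Full Control": FULL_CONTROL, "Modify": MODIFY,
               "Read & Execute": READ_EXECUTE, "Read": READ, "Write": WRITE}
# Assumption: each share level covers the same bits as its NTFS counterpart.
SHARE_LEVELS = {"Full Control": FULL_CONTROL, "Change": MODIFY,
                "Read": READ_EXECUTE}

def acl_mask(aces, principals):
    """Cumulative rights in one ACL: union of allows minus every denied bit."""
    allow = deny = 0
    for principal, kind, mask in aces:
        if principal not in principals:
            continue
        if kind == "deny":
            deny |= mask
        else:
            allow |= mask
    return allow & ~deny

def effective(share_aces, ntfs_aces, principals, over_network=True):
    """NTFS alone for local access; intersection with the share ACL over SMB."""
    ntfs = acl_mask(ntfs_aces, principals)
    return ntfs & acl_mask(share_aces, principals) if over_network else ntfs

def names(mask, levels):
    """Named levels fully contained in mask, in the table's order."""
    return [n for n, bits in levels.items() if mask & bits == bits]

# Constructed data: the quiz question (John is in Sales and Everyone).
JOHN = {"John", "Sales", "Everyone"}
QUIZ_SHARE = [("Everyone", "allow", SHARE_LEVELS["Change"])]
QUIZ_NTFS = [("John", "allow", FULL_CONTROL), ("Sales", "allow", READ)]

# Constructed data: royal's scenario (NTFS Read + Write, share Everyone Read).
ROYAL_SHARE = [("Everyone", "allow", SHARE_LEVELS["Read"])]
ROYAL_NTFS = [("John", "allow", READ), ("Sales", "allow", WRITE)]

if __name__ == "__main__":
    print(names(effective(QUIZ_SHARE, QUIZ_NTFS, JOHN), SHARE_LEVELS)[0])
    print(names(effective(ROYAL_SHARE, ROYAL_NTFS, JOHN, False), NTFS_LEVELS))
    print(names(effective(ROYAL_SHARE, ROYAL_NTFS, JOHN), NTFS_LEVELS))
```

Passing `over_network=False` models a local logon, where the share ACL is never consulted.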
  • dynamik Banned Posts: 12,312
    I'm not exactly sure what you're asking. You will need to assign both share and NTFS permissions in order to give someone access to a share. You understand NTFS permissions, right? Well just look at share permissions as a sort of filter that's used when accessing a share over a network. Share permissions define the maximum access allowed over the network.

    For example, if someone has full NTFS and read share, he will only be able to read files over the network. On the other hand, if he has full share permissions and read NTFS permissions, he will still have read because the share permissions will not override the NTFS permissions. The share permissions are saying, "Give this user up to full control over this share," while the NTFS permissions are saying, "This user only has read access."

    Hopefully that makes sense. Like Pash said, it's easiest to just remember the most restrictive permission is what is used. I just wanted to elaborate a bit for you.

    Edit: I apparently should have refreshed this thread before typing all of that...
  • susuandme Member Posts: 136
    thankyou all, it makes a lot more sense to me now,

    can I contact one or all of you as my day of the test and demise
    begins to come closer. If you can spare me some of your expertise
    to fill in some gaps I may have an outside chance. I would like
    to contact you by PM if possible, Before I do if I have your
    permissions that would be great, excuse the pun. Thankyou

    ric
  • royal Member Posts: 3,352
    Just post a topic. You'll really get a lot more responses and faster than sending a single PM. There's a lot of smart people on these forums to answer and almost every person always gets an answer.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • dynamik Banned Posts: 12,312
    You should just post in the forum. Other people might have similar questions, and there's a lot of helpful people besides us out there. We'll probably see it, but if we miss it and you specifically want one of us to respond to it, just shoot us a PM with the link to the thread.

    Edit: Twice in the same thread!?
  • royal Member Posts: 3,352
    dynamik wrote:
    Edit: Twice in the same thread!?

    Dynamik, did you forget to turn @echo off?
    “For success, attitude is equally as important as ability.” - Harry F. Banks