effective permissions

Can someone explain this to me please, also, what if the example below was just all combining "share permissions" what would happen, and also what if the example below combined just the "NTFS" PERMISSIONS. WHAT THEN HAPPENS.
thankyou: iN OTHER words what are the rules when you also do not COMBINE share and NTFS, BUT JUST "SHARE" and "NTFS" SEPARATELY on a question.
wHAT HAPPENS. THANKYOU

18. You share a folder on your computer and you assigned the share permission Change to Everyone. John, a user from the Sales department, has been granted Full Control NTFS permission to the folder. John is also a member of the Sales group, which has been assigned Read NTFS permissions.
What are John's effective permissions when connecting to the shared folder?
a. Read
b. Read & Execute
c. Change
d. Full Control


Answer(s): c. Change




Explanation:
The effective NTFS permissions are the sum of the permissions assigned to user and to groups the user belongs to. (except for explicit deny permissions which overrides any other conflicting permissions assigned.) When you combine NTFS and Share permissions the most restrictive applies.

Comments

  • PashPash Member Posts: 1,600 ■■■■■□□□□□
    It is the least restrictive from each share or ntfs and then the most restrictive when combined.

    Deny always takes precedence over Allow and negates any permission with which it conflicts.

    If you remember those two lines, you can't mess it up.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • susuandmesusuandme Member Posts: 136
    thanks, I sent you a personal message, but it is a bit confusing,

    you say when just added up all the ntfs permissions it is the most permissive that will count, would that mean. if Jack has

    modify, change, read, write, then just add them all up, or do I just
    take out the most permissive strongest one, or is his effective
    permissions : All of these


    With combining Ntfs and share: I would just add them up and pick out the single most restrictive permission. I know this seems like it should be easy, but iI'm not catching on. thanks
  • gravyjoegravyjoe Member Posts: 260
    Hi susuandme. I like to think of it as three battles. The first battle is with the NTFS permissions. The King of permissions always wins this battle, for example:Full control or modify. Whatever the highest rank in this battle is wins. So if you had read, write, modify, and full control in this battle, full control would win. So the other three permission are dead, they don't exist anymore.

    The second battle is with the share permissions. Same principal applies here. If you had the permissions read & execute and change, change would win this battle because it is the highest rank in this battle. Read & execute is now dead, wiped out of existence. If full control was in this battle, it would've won, but only read & execute and change were in this battle, so change prevails.

    Now the next part of this story has a movie like ending. The third and final battle, the NTFS permission Full Control against the Share permission Change. This part is like David and Goliath. Goliath is a giant and David is a boy. Goliath=Full Control, David=change. David ended up beating Goliath. Same thing will happen with the permissions. Full control vs. change, the SMALLER rank change wins, the underdog.

    In a different scenario, if you're not combining NTFS and Share permissions together, nobody gets killed. For example, if there's only NTFS permissions, if you have read, read and execute, write, and modify, you have ALL of those permissions, not just one. There is no battle. The NTFS neighborhood without Share permissions is a peaceful one. All permissions work together. So generally speaking, to the human eye, it would seem that your permission is Modify, because with modify by itself, you can already read & execute, write, and more. But according to the computer, you still have all of those permissions. I hope all of this makes sense.
    The biggest risk in life is not taking one.
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    Here's the analogy I have used several times in the past. Pretty similar to gravyjoe but maybe seeing his analogy and mine will help it sink in.
    You have Share Permissions
    You have NTFS Permissions

    All your Share Permissions are cumulative
    All your NTFS Permissions are cumulative

    It then takes the most restrictive and assigns those as effective permissions. Think of it as a competition of Share vs NTFS. Share will gather as many teammates as possible (cumulating permissions). NTFS will also gather as many teammates as possible (cumulating permissions). Share and NTFS will then duke it out. The toughest (most restrictive permissions wins).

    So lets say you have a user named John. John has ntfs Read. John is a part of the Sales Group. The sales group has Write. Because John has Read and is a part of the Sales group, he effectively has Read AND write. This means if John accesses the file system via console and goes to My Computer > C > bleh bleh and accesses that folder/file, he will be able to read AND write.

    Now lets keep those ntfs permissions on that folder, but now lets share it out. By default, the Everyone group has read access to that share and that is all. Now lets say John instead goes to \\server\folder. He will be ONLY be granted Read access and will not be able to write. Why? Even though his ntfs permissions are Read/Write, he is restricted due to the Share permissions being more restrictive. Remember, it is Share vs NTFS. Share has more restrictive permissions (Everyone Read only, there is no Write there).

    In real world, generally speaking, you'll just assign Share permissions to Everyone/Full Control. You will then restrict people's access via NTFS permissions.

    Hope this helps.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    I'm not exactly sure what you're asking. You will need to assign both share and NTFS permissions in order to give someone access to a share. You understand NTFS permissions, right? Well just look at share permissions as a sort of filter that's used when accessing a share over a network. Share permissions define the maximum access allowed over the network.

    For example, if someone has full NTFS and read share, he will only be able to read files over the network. On the other hand, if he has full share permissions and read NTFS permissions, he will still have read because the share permissions will not override the NTFS permissions. The share permissions are saying, "Give this user up to full control over this share," while the NTFS permissions are saying, "This user only has read access."

    Hopefully that makes sense. Like Pash said, it's easiest to just remember the most restrictive permission is what is used. I just wanted to elaborate a bit for you.

    Edit: I apparently should have refreshed this thread before typing all of that...
  • susuandmesusuandme Member Posts: 136
    thankyou all, it makes a lot more sense to me now,

    can I contact one or all of you as my day of the test and demise
    begins to come closer. If you can spare me some of your expertise
    to fill in some gaps I may have an outside chance. I would like
    to contact you by PM if possible, Before I do if I have your
    permissions that would be great, excuse the pun. Thankyou

    ric
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    Just post a topic. You'll really get a lot of more responses and faster than sending a single PM. There's a lot of smart people on these forums to answer and almost every person always gets an answer.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    You should just post in the forum. Other people might have similar questions, and there's a lot of helpful people besides us out there. We'll probably see it, but if we miss it and you specifically want one of us to respond to it, just shoot us a PM with the link to the thread.

    Edit: Twice in the same thread!?
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    dynamik wrote:
    Edit: Twice in the same thread!?

    Dynamik, did you forget to turn @echo off? icon_lol.gif
    “For success, attitude is equally as important as ability.” - Harry F. Banks
Sign In or Register to comment.