Share and NTFS Question

Hi,

If Brian who is a member of Sales has Full Control to the pc.doc file
and Brian is also member of marketing and has Deny Read to the file.

What is Brians' effective Share permission ? can you explain .

Is Share permissions cumulative, do you actually add them together ?
Or do you only pick one, like the least restrictive one, or most power one.

I am going to get destroyed on Permissions, this is just a simple example
and I know I am going to get much more complicated questions on my
exam. Does anyone have a "link" they can send here that will let me
practice on nothing but Share and NTFS permissions ? Thankyou all.

Ric

Find more posts tagged with

Comments

amp2030

For 70-270, deny always overrides allow. Permissions are cumulative, in the sense that you add up all the allows and then subtract all the denies.

susuandme

So what would the actual permissions be that he has,

would it be write and change

Daniel333

If you are denied read, you can't write or change.

royal

amp2030 wrote:

For 70-270, deny always overrides allow.

Not always. An explicit allow will grant access over an inherited deny. An explicit deny triumphs all though.

amp2030

royal wrote:

amp2030 wrote:

For 70-270, deny always overrides allow.

Not always. An explicit allow will grant access over an inherited deny. An explicit deny triumphs all though.

I know, but I mentioned "for 70-270" because I was trying to keep it simple, and I don't think this particular case would show up on this exam. Of course, you are right.

For OP: here explicit and inherited refer to permissions on files or folders that inherit permissions from parent folders, which they do by default unless you explicitly ask for permissions not to be inherited from parent. An explicit permission would be you checking 'allow' for a permission that is denied to parent (deny is checked in, and gray - for inherited). In this particular case, an explicit allow on the child would override it.

So if you look for a precedence order list:
1) explicit deny overrides
2) explicit allow, which overrides
3) inherited deny, which overrides
4) inherited allow

I still stand behind my initial statement that for 70-270 you don't need to worry about this, but of course it is an important exception to be aware of.

Mmartin_47

amp2030 wrote:

For 70-270, deny always overrides allow. Permissions are cumulative, in the sense that you add up all the allows and then subtract all the denies.

Yes deny always overrides allow. More about this is also mentioned in 271 and 272.

Mmartin_47

You can't set permissions on a particular file right? Just a folder?

amp2030

Mmartin_47 wrote:

You can't set permissions on a particular file right? Just a folder?

Actually, you can, and directly assigned file permissions override permissions inherited from parent folder.

EDIT: I just realized you were probably talking about SHARE permissions. Indeed, those work only on folders. What I said above applies only to NTFS permissions.

dynamik

Daniel333 wrote:

If you are denied read, you can't write or change.

Before you posted this, I actually tried this out because I was curious. I thought this would work, but I wasn't completely sure. I gave myself allow write and deny read permissions to a file, then did a c:\>ping localhost >> c:\test.txt, and I was able to write it. I'm not sure how practical a situation like that would ever be, but I thought it was interesting.

amp2030

dynamik wrote:

Daniel333 wrote:

If you are denied read, you can't write or change.

Before you posted this, I actually tried this out because I was curious. I thought this would work, but I wasn't completely sure. I gave myself allow write and deny read permissions to a file, then did a c:\>ping localhost >> c:\test.txt, and I was able to write it. I'm not sure how practical a situation like that would ever be, but I thought it was interesting.

MS implementation of Write-Only Memory

susuandme

Thankyou but I still don't know what the correct answser is:

is it full control ? what is it please ? explain please

dynamik

susuandme wrote:

Thankyou but I still don't know what the correct answser is:

To your original post?

You mention that you're assigning permissions to a file and then you ask about share permissions. Files can only be assigned NTFS permissions, but folders can be assigned both NTFS and share permissions.

To be completely honest, the easiest way to learn about permissions is to practice with them. Just create a few users, groups, files, and folders, and screw around with them. Try out whatever scenario you can think of.

royal

Mmartin_47 wrote:

amp2030 wrote:

For 70-270, deny always overrides allow. Permissions are cumulative, in the sense that you add up all the allows and then subtract all the denies.

Yes deny always overrides allow. More about this is also mentioned in 271 and 272.

No, it does not "always" override allow. Read my above post.

sprkymrk

dynamik wrote:

Daniel333 wrote:

If you are denied read, you can't write or change.

Before you posted this, I actually tried this out because I was curious. I thought this would work, but I wasn't completely sure. I gave myself allow write and deny read permissions to a file, then did a c:\>ping localhost >> c:\test.txt, and I was able to write it. I'm not sure how practical a situation like that would ever be, but I thought it was interesting.

I use a login script that records a users name and IP addresss and login time to a file on a share with exactly those permissions. That way a log file is created that I can see who logged into what and when, but the user himself cannot read the file (nor is he even aware of it's existence).

sprkymrk

royal wrote:

Mmartin_47 wrote:

amp2030 wrote:

For 70-270, deny always overrides allow. Permissions are cumulative, in the sense that you add up all the allows and then subtract all the denies.

Yes deny always overrides allow. More about this is also mentioned in 271 and 272.

No, it does not "always" override allow. Read my above post.

I am borrowing from a post I made in April of last year to clarify what royal is talking about:

The thing to remember is that there is something referred to as the "Canonical Order of ACEs" which states that:

1. All explicit ACEs are placed in a group before any inherited ACEs.
2. Within the group of explicit ACEs, access-denied ACEs are placed before access-allowed ACEs.
3. Inherited ACEs are placed in the order in which they are inherited. ACEs inherited from the child object's parent come first, then ACEs inherited from the grandparent, and so on up the tree of objects.
4. For each level of inherited ACEs, access-denied ACEs are placed before access-allowed ACEs.

So if an explicit allow is applied, it will over ride an inherited deny. this seldom happens in the real world, and is probably not worth worrying about on the 270 exam, but it is something to keep in mind.