PERMISSION question

susuandme · November 2008

Share Permissions Domain Users = Allow-Read - How do you add these up?
Sales = Allow-Change

NTFS Permissions Domain Users = Allow-Read - How do you add these up ?
Sales = Allow-Modify

What is the effective permision and why please ?

thankyou all

meadIT · November 2008

susuandme wrote:

Share Permissions Domain Users = Allow-Read - How do you add these up?
Sales = Allow-Change

NTFS Permissions Domain Users = Allow-Read - How do you add these up ?
Sales = Allow-Modify

What is the effective permision and why please ?

thankyou all

You accumulate (except for deny, deny > *) the effective Share permissions and then accumulate the effective NTFS permissions, then the MOST restrictive takes precedence.

royal · November 2008

http://techexams.net/forums/viewtopic.php?t=39898
http://techexams.net/forums/viewtopic.php?t=40281

Like I repsonsed in those two threads which you created:

An explicit allow will grant access over an inherited deny. An explicit deny triumphs all though.

And

You have Share Permissions
You have NTFS Permissions

All your Share Permissions are cumulative
All your NTFS Permissions are cumulative

It then takes the most restrictive and assigns those as effective permissions. Think of it as a competition of Share vs NTFS. Share will gather as many teammates as possible (cumulating permissions). NTFS will also gather as many teammates as possible (cumulating permissions). Share and NTFS will then duke it out. The toughest (most restrictive permissions wins).

So lets say you have a user named John. John has ntfs Read. John is a part of the Sales Group. The sales group has Write. Because John has Read and is a part of the Sales group, he effectively has Read AND write. This means if John accesses the file system via console and goes to My Computer > C > bleh bleh and accesses that folder/file, he will be able to read AND write.

Now lets keep those ntfs permissions on that folder, but now lets share it out. By default, the Everyone group has read access to that share and that is all. Now lets say John instead goes to \\server\folder. He will be ONLY be granted Read access and will not be able to write. Why? Even though his ntfs permissions are Read/Write, he is restricted due to the Share permissions being more restrictive. Remember, it is Share vs NTFS. Share has more restrictive permissions (Everyone Read only, there is no Write there).

In real world, generally speaking, you'll just assign Share permissions to Everyone/Full Control. You will then restrict people's access via NTFS permissions.

Not sure what's confusing you. You add up share permissions. You then add up ntfs permissions independently from the share permissions. You then choose the more restrictive and that becomes the effective permissions.

susuandme · November 2008

Hello,

Permissions is one area that I don't understand because I have
never had any hands on experience or work experience using it,
so even the term "share it out" is complicated, in the extire
context of Share, NTFS, and permissions as a whole.

I do not understand the fundamental CONCEPT of permissions, so I am
destroyed on the sample questions. I am this way, some objectives
I do well on, others are extremely difficult for me, though simple
for others.

Royal, and members, thankyou for your help, I hope I can post again
on this subject, it is not the way that you are explaining this to me
that is the problem, it is definately ME. Royal can you check your
PM box, I have tried to explain this more fully there. Thankyou all

rick

PERMISSION question

Comments