Permission questions

susuandme · December 2008

Can someone help with the two following Share permission questions with explaination.

In this scenario, the

\Reports folder has been shared as the Reports shared folder. The user Mary is a member of the Sales group as well as Everyone and the Users group

Share permission: Everyone = Change
Ntfs Permissions: User group = list content, read & execute, read

What are Mary's effective permissions.

2. Same scenario as above only :

Share permission = Everyone = Full Control
NTFS Permission: Everyone = list contents, read & execute, read, deny write
Sales = Write, list contents, read & execute, read, write

What are Mary's effective permissions here ? Thankyou.

skrpune · December 2008

The notes I have for Network+ on permissions are that:
Share Permission + Share Permission = LEAST restrictive applies
Share Permission + NTFS Permission = MOST restrictive applies
NTFS Permission + NTFS Permission = LEAST restrictive applies

So in case 1, NTFS Permissions + Share Permissions, the most restrictive permissions apply. In this case, I think Mary would be given the NTFS User Group permissions & would be able to list content, read & execute, and read (as "Change" for share permissions means creating files & adding/deleting folders

In case 2, you've got a case of Share Permissions + (NTFS + NTFS), so I would assume you'd compare the Share Permissions to the least restrictive of the NTFS permissions...but that's mostly based on me using some logic as well as the "order of operations" theory rather than actual first hand knowledge of permissions!

I'd guess that in case 2, NTFS (being more restrictive) would trump Share, and out of the NTFS permissions, the least restrictive one would apply, so Mary would have the NTFS Everyone group permissions.

Please take this with a grain of salt though - this is just my interpretation given a limited knowledge of permissions...if there's someone else out there with more experience/knowledge on the subject matter that thinks to the contrary, please chime in and correct my interpretation & assumptions!

royal · December 2008

skrpune is correct except for one thing that is sort of right but sort of wrong at the same time. Mary wouldn't only get the Everyone group, but would also get the Sales group permissions. Read on for clarification.

skrpune states that Mary would get the NTFS everyone group permissions. What would actually happen is since you accumulate all Share Permissions, then accumulate all NTFS permissions, and then it's the most restrictive. So what would happen is since all the NTFS permissions for her account and all groups she's in are combined, she gets ALL permissions for both the Everyone group and the Sales group but would be denied write.

susuandme · December 2008

thankyou all for explaining this, its starting to become clearer,
I get a little confused when I read some scenarios that are 3 paragraphs long, so knowing the right way to sort things out the way you have described it by first adding up shared and ntfs permissions separately. Then use the most restrictive helps.

I also found out that you can't use "share permissions" just by themselves, or else you will lose all access, you have to use both Share and NTFS permissions when sharing a folder.

However, I think that NTFS permissions are different, I read that you can use them without the share permission. thanks again

royal · December 2008

Well when you access a folder using a UNC path such as \\server\sales, you need share and ntfs permissions. If you're accessing something directly on the file system C:\someting, then you bypass share permissions and NTFS permissions still apply.

skrpune · December 2008

royal wrote:

skrpune is correct except for one thing that is sort of right but sort of wrong at the same time. Mary wouldn't only get the Everyone group, but would also get the Sales group permissions. Read on for clarification.

skrpune states that Mary would get the NTFS everyone group permissions. What would actually happen is since you accumulate all Share Permissions, then accumulate all NTFS permissions, and then it's the most restrictive. So what would happen is since all the NTFS permissions for her account and all groups she's in are combined, she gets ALL permissions for both the Everyone group and the Sales group but would be denied write.

Ah, so in the second example, the NTFS permissions are added together & "denied write" would trump the "write" permission then since it's contradictory and you select the most restrictive. Cool, thanks for the clarification royal.

royal · December 2008

skrpune wrote:

royal wrote:

skrpune is correct except for one thing that is sort of right but sort of wrong at the same time. Mary wouldn't only get the Everyone group, but would also get the Sales group permissions. Read on for clarification.

skrpune states that Mary would get the NTFS everyone group permissions. What would actually happen is since you accumulate all Share Permissions, then accumulate all NTFS permissions, and then it's the most restrictive. So what would happen is since all the NTFS permissions for her account and all groups she's in are combined, she gets ALL permissions for both the Everyone group and the Sales group but would be denied write.

Ah, so in the second example, the NTFS permissions are added together & "denied write" would trump the "write" permission then since it's contradictory and you select the most restrictive. Cool, thanks for the clarification royal.

Exactly.

Permission questions

Comments