Difficult Permission and Share Question

susuandme · December 2008

Hello Members,

I came across a very difficult and confusing NTFS permissions and Share question in my Book recently. What I want most of all about this question is to
have an understandin of the concept of this question. I do want to know the correct answer but even more importantly I want to know why it is correct and what the question is trying to teach me about administering share and NTFS. I really want to be prepared as far as my understanding when a similar question comes up on the test. Here is the question :

Jim is the system administrator for sprockets inc. He manages a Windows 2003 Sales Server that provides file and print services for 20 sales users. He wants to create home folders for all of the sales users on the sales server.

Each user should be able to access a network share where their home folder resides.
Each user should have full access to his or her home folder, but not other user's home folders and Jim wants to minimize the actual number of shares that need to be configured. What should Jim do?

A. Create a folder called C:\home on the Sales server. Share the folder with Read permission for the everyone group. Under C:\home, create a folder for each user. Using NTFS permissions, assign
only the Full Control permission to each respective user.

B. Create a folder called C:\Home on the Sales Server. Share the Home folder with Full Control
permission for the Everyone group and the NTFS permission List Folder Content. Under C:\home create a folder for each user. Using NTFS permissions, assign only the Full Control permission to each respective user.

C. Create a folder called C:\ Home on the Sales Server. Under C:\Home, create a folder for each user. Share the individual home folder for each user, and assign the Full Control share permission to
each user.

D. Create a folder called C:\home on the sales server. Under c:\home, create a folder for each user, share the individual home folder for each user and assign the Full Control NTFS permission to each
user.
Thankyou, I know this is a lengthy question, if it is possible to briefly explain why the other answers are wrong I would greatly appreciate it, if not thankyou all I really appreciate your support.
Thankou all for your help, have a wonderful holiday season and New Year
Ric

dynamik · December 2008

A. If they only have a share permission of read, they will only have read access since it is the more restrictive of the two; giving more permissions with NTFS will have no effect.

B. They have to have a share permission of full control, otherwise they wouldn't be able to be meet the full control requirement, so that part is a given. Allowing everyone to list the folder contents will show everyone's folders but won't give access to any of the contents. Full control NTFS should be self-explanatory. This is the correct answer.

C. Doesn't meet the requirement of minimizing the number of shares. Plus, they would still need NTFS permissions.

D. Doesn't meet the requirement of minimizing the number of shares. Plus, they would still need share permissions (This one is vague since it says they're shared but doesn't go into detail).

susuandme · December 2008

Thankyou, but I hate to say this, but I just don't understand
the question, even though you outlined the wrong and right answers
clearly.

I don't understand the meaning of :

1. try to "minimize the number of shares" don't understand this at all
2. Why is answer B the correct answer, it says in the first sentence it is add full control share permission and then "list folder NTFS" , then is not "list folder"
the more restrictive, doesn't that eliminate the full control share permission.
then it goes on to see it is add back on the full control NTFS permission to each user. So I really don't understand why they are using NTFS and share in the first part of the question, then adding NTFS again for each user.

Can you please explain I'm really totally lost on this question. Thanks

dynamik · December 2008

When they ask you to minimize the number of shares, they're just looking for the least amount. Obviously, if you create one share that all the users can access, that will be less than creating one for each individual user, and therefore, you will have satisfied that requirement.

Like I said, if the goal is to give users full control over the network, the share permission must be full control. When comparing share and NTFS permissions, the most restrictive takes precedence. Setting the share permission to anything else will not allow you to meet the requirements.

The final requirement is that users have full control over their own folders. Obviously, you must assign them the full control NTFS permission to satisfy this requirement.

The list folder contents permission simply allows users to list the folder contents of the share. This will allow them to see all the users folders, but it won't allow them to access or modify their documents. You need to go into the advanced settings in order to see this option. This doesn't directly map to one of the requirements, which might be why it caught you off guard.

I'm not trying to be rude, but you really need to spend some time trying these exercises for yourself. You could have answered this question by simply trying each scenario and experimenting with the results. You're going to have to dig into this stuff if you want to truly master it.

hoomi_mcse · December 2008

well the answer is B and now I help you to undrestand it . first of all you have to know that with NTFS and Share permission both set in a folder the most restricted will be the real permision. so if you set share permission read and ntfs permission full then read permission is the effective one. second is because sahre permission is very limit is better to set share permission full control and then restrict users with ntfs permission. in this question you want each user has his/her own folder and no one else should access their folders. so you can answer it without see the choices. as I said you set share permission full control to everyone and then then set ntfs permissions. then you musy create a folder for each user and give his/her user account full control to his/her folder and don't give anyone else any permission to that folder. so here suppose Sam has a folder inside it. when everyone has full control share and sam has full control for his folder so the effective permission for Sam is full control but everyone has no access to his folder coz there is no ntfs permission set for everyone. so you see? when you set share permission for a user but no ntfs permission then there will be no access. in the answer it has mention that you create a main folder name home and give every one list folder content ntfs . lis folder content is a very limited permission that allow users to only pass through folder but cannot access any file withing it.

so lets see the wrong answers :
A- A is obvious coz with read share permission it's very limit as I mentioned even if you give full control ntfs the efective permission is read so no user can modify any file!

C- again I mentioned it! if there is no NTFS permission and only share permission then there will be no access

D- like D, if the folder is share and there is only NTFS permission and no share permission then there will be no access

so remember , there must be both share and ntfs permission in share folders, the most restrictive one will effect user, it's better to set share full control to everyone and then restrict user with ntfs permission .

hope I can help you

susuandme · December 2008

I did not know that a shared folder must have both Share and NTFS permissionns or no access, I remembered something like this before.

But are you saying in this example, that they are actually applying permissions
ON THE "SHARED FOLDER" and also permissions for 'EACH USER"

there are two things going on here that I was not aware couild happen.

I thought permissions are only set on FILES, FOLDER AND PRINTERS. NOT USERS.

How is a separate permission put on a user, I have tried it but I cannot put a permission on a "user". I was able to put permissions on a "file" "folder"
but I don't see how I can put an actual permission on a person or "user".

Maybe this is why this question is throwing me, can you explain further. thanks again for all your help everyone

dynamik · December 2008

You assign the permission on each folder for each user.

hoomi_mcse · December 2008

you're getting something wrong mate! it's not about setting permission on User!! listen carefully, you set share folder only on main folders not subfolders or files. and you set NTS permission to fodlers , sub folders and files. then you must add users or groups to access control list (ACL) of these objects. I mean you set permissions on folders/files but you set it for users and groups. there is an ACL and ACE. every object like folders,files has ACL you have to add users,groups to ACL and Acess control entry is the permission list than you set for that user and group.
you understand now? you don't set permissions on user or group, you set permissions on files and folder but for user and groups.

royal · December 2008

susuandme wrote:

I did not know that a shared folder must have both Share and NTFS permissionns or no access, I remembered something like this before.

That's funny. Because I swear I told you this before. Oh ya!

From: http://techexams.net/forums/viewtopic.php?t=41329

Well when you access a folder using a UNC path such as \\server\sales, you need share and ntfs permissions. If you're accessing something directly on the file system C:\someting, then you bypass share permissions and NTFS permissions still apply.

wedge1988 · December 2008

A is the wrong answer because the most restricted permissions take precedence (read would override)

B is right because the most restricted permissions take precedence (Full control would be overridden with the NTFS permissions)

C & D are wrong because you should simplify administration and sharing each users home folder would take forever.

Consider this:

what if your accessing the files with windows 98 on a FAT partition???

Which set of permissions take precedence???

You could set the NTFS permissions on the root folder and assign then to each subcontainer within the folder! - this is the best choice... (which is more complex) but would mean you wouldnt have to set each subfolders permissions manually. However, the only way to do this is to allow users write access for creation of folders within the root share, then allow the "Creator Owner" permission with the permissions, which would then in turn create each folder for each user automatically at logon. This is great for hundereds of users.

an inherited deny is overridden with an explicit allow. very useful.

(By the way, most of the above is 70-290 material, but remember it non the less!)

edit:

btw; you could also use CACLS; its a ms-dos tool. create the batch in excel with the concatenate feature and then output it as a batch and run it. make sure you make the folders also (before) with the "cd" command

susuandme · December 2008

I remembered from the book that Windows 98 and ME do not support
the NTFS file type, therefore cannot use security permissions.

Wouldn't this eliminate them from using permissions from a server 2003 in the above example.

But if Win 98 and ME were a standalone system, they could still not use
Share and NTFS permissions since Sharing can only be done over a network.

Would this be true also. Thankyou.

susuandme · December 2008

Members,

In my readings of Share and NTFS permissions, it says that you use
Share permissions to Share a Folder over the network, and then
you use NTFS PERMISSION TO FINE TUNE OR LOCK DOWN the access .

My question is what good is NTFS permissions if the Share Permissions is more restrictive than the NTFS Permission. In that case the Share permission would be the one fine tuning or locking down the access.

So why is NTFS permissions so importat in fine tuning or locking down access if Share permissions can sometimes over ride NTFS permissions thankhyou

dynamik · December 2008

Don't look at it as share permissions overriding NTFS permissions. Look at it as the most restrictive taking effect.

NTFS is the preferred choice for fine tuning because it's a more granular way to manage permissions. Share only gives you read, write, and full-control, while you have much more with NTFS (go into the advanced options). Share permissions are left over from older versions of Windows, and most people don't even bother with them. They simply set share to full-control and control access via NTFS. Also, share permissions only take effect if the share is accessed over the network; they don't offer any control over folders access locally. It's just easier to set what you want with NTFS and not have to worry about the share permissions. The most important thing to remember for this exam is that the most restrictive permission will take effect. They just want to make sure you have a basic understanding of how share permissions work and interact with NTFS permissions.

Also, for your previous post. NTFS permissions are tied to a file system, not operating systems. You can't use NTFS permissions in Windows XP if you're using a FAT file system. You can only utilize NTFS permissions on an NTFS file system. It is technically correct to say that older OSes do not support NTFS permissions, but that is ultimately because they do not support the NTFS file system.

susuandme · December 2008

So in older operating systems, you couldn't even use NTFS permissions,
you would simply control access using the SHARE permissions.

dynamik · December 2008

Like I said, it depends on how your format the disk. If you're not using NTFS, you can't use NTFS permissions; it's really that simple.

Maybe this will help: http://www.ntfs.com/ntfs_vs_fat.htm

hoomi_mcse · December 2008

if you have an earlier OS like 98/me you can only limit the shared folder by share permission but anyone have full access to the folder locally and there is no way to restrict the folder that way.

susuandme · December 2008

Thankyou,

it is a bit more clear now, a lot clearer than a few days ago,

permissions is the only objective that is given me problems,
the rest I can figure out with the book and some good sample
questions and explainations.

thankyou again for your help, you people are amazing here,
I hope one day I can say "I passed" and it would certainly be
with your help. rick

hoomi_mcse · December 2008

Ok now I ask you a question and try to answer it . we have a shared folder name Data and two groups name sales and managers. we want members of sale group be able to access the files and modify them within the folder but not be able to change the permission and we only want manager group be able to read the data . we dont' want to give these two groups further permissions on the folder . so how you configure share and NTFS permission on Data folder?

susuandme · December 2008

I know this is a simple permissions questions but I don't have all the data so I'l try anyway,
Well, you would createa a folder name C:\data
- on the Share permissions tab of the Data folder click "share this folder"
- on the security tab of the folder add the two groups, sales & Manager
- for sales give the the NTFS permission "Modify"
- for the Data group given them only the "read" NTFS permission

I'm not sure if this is correct, Do you also have to add the two groups to
the Shares "Tab" if so, what permissions do you give them on the "Shares" tab.

Sorry, I hope you can explain the problem, step by step, maybe I will
eventually understand. I'm trying to do as many permission problems as possible and also simulate them myself on my computer. Thanks

Ok now I ask you a question and try to answer it . we have a shared folder name Data and two groups name sales and managers. we want members of sale group be able to access the files and modify them within the folder but not be able to change the permission and we only want manager group be able to read the data . we dont' want to give these two groups further permissions on the folder . so how you configure share and NTFS permission on Data folder?

hoomi_mcse · December 2008

everything is correct except share permission! I told you without share permission there will be no access. and you don't need to add sales and manager group to share permission. you can simply give full control share permission to every one and then modify NTFS permission to sale and Read permission to manager as you said . so no one except sales and manager group have access to the folder coz you don't add any other group in NTFS permissions.
so don't forget share permission

by the way I have my exam tomorrow , wish me luck!

susuandme · December 2008

I see, are you saying then, that the default share permission is always
"Full Control - Everyone" ? on a folder ? over the network

So I add, the "Everyone" group to the "Share" Tab, and give them Full
Control. (or maybe its automatically assigned)

Then, I go to the "Security Tab" and the only members I add there are
the two groups, "Sales" and "Managers". I DO NOT ADD EVERYONE THERE.

Effective Permissions: Finally, do you add both the Share Permissions
and the NTFS permissions together, and the most restrictive would be the effective permission, like in this case:

Share - Everyone = Full Control
NTFS - Sales = Modify
Manager= Read

Would the NTFS permission being the most restrictive be the effective permission
so Sales could modify the file, and Managers could "read" the file. Am I gettting this now ? Thanks !!!

ilcram19-2 · December 2008

just put it this way shared permission cannot be extended by NTFS permissions but they can be futher restricted for example you give modify shared permissions but you cannot give full control to the same folder with NTFS permissions you can only restricted to read only with ntfs permissions

hoomi_mcse · December 2008

in XP SP2 default everyone group has read share permission. so if you don't change it in this example then Sales group will not be abel to modify data and effective permission for both group will be read.

susuandme · December 2008

I learned a lot, can I give you one example I saw recently. the example goes as follows, :

You are the desktop administrator for your company. Sally's Windows XP Professional computer is joined to a Windows 2000 domain. Sally has a folder with very sensitive files that she wants to make available over the network, but only to Michelle.

What is the best way for Sally to do this?

Remove the Everyone group from the share’s access control list. Add Michelle with the Full Control share permission.

Share the folder with the Read share permission granted to the Everyone group. Use NTFS permissions to allow access only to Michelle.

Share the folder with the Full Control permission granted to the Everyone group. Use NTFS permissions to allow access to only Michelle.

Remove the Everyone group from the share’s access control list. Add Michelle with the Read share permission.

IN THIS example can you please explain to me why the answer is to "SHARE THE FOLDER WITH THE FULL CONTROL PERMISSION" GRANTED TO EVERYONE ?
why isn't some of the other answer's feasible ?

hoomi_mcse · December 2008

you can answer it yourself easily with all we've discussed here. it's simple mate, with granting everyone group full control and add only Mitchel to NTFS permissions then only Mitchel have access to folder.

A. remove everyone from sahre and and mitchel to share permission will not work as NTFS permission has not been mentioned

B. Read share permissio nto everyone will restrict mitchel to have only read access! if you give her full control ntfs then still read share is restricted so will be the effective one

D. same as A!

hoomi_mcse · December 2008

you can answer it yourself easily with all we've discussed here. it's simple mate, with granting everyone group full control and add only Mitchel to NTFS permissions then only Mitchel have access to folder.

A. remove everyone from sahre and and mitchel to share permission will not work as NTFS permission has not been mentioned

B. Read share permissio nto everyone will restrict mitchel to have only read access! if you give her full control ntfs then still read share is restricted so will be the effective one

D. same as A!

susuandme · December 2008

So when you are sharing a Folder, Both Share and NTFS permissions must both be on the folder. most restrictive will apply

Share permissions will only work with folders not Files.

Is there ever a time when you would use just "Share permission" without NTFS ?
Is there ever a time when you would use just "NTFS" permissions with Share ?

Thanks.

hoomi_mcse · December 2008

Is there ever a time when you would use just "Share permission" without NTFS ?

yes! NTFS permission work only on NTFS file system, as we discussed before if we have earlier OS there is no NTFS permission.

Is there ever a time when you would use just "NTFS" permissions with Share ?
you mean using only NTFS for a share folder? then the answer is no ! all share folders have share permission. but if you're setting permission for local folders/files you only use NTFS and remember if you want to restrict IIS with permission you can just Use ntfs as share permission can not be used for http.

Difficult Permission and Share Question

Comments