override rule in permission.

When two NTFS permission are in conflict, the least restrictive is in effect?
When a NTFS and Sharing permission are in conflict, the most restrictive is in effect?
When access a shared document via terminal service, the sharing permission is not in effect?
But I have some question, how to identify the least or most effective permission, for example full control and change or full control and modify or read & execute?
In group or user name, what happen if not defined (or in deny full control for example) to SYSTEM, USER [***\User] and Creator Owner?
Any other contribution, thanks in advanced!

Find more posts tagged with

SAVE $250 on Your Microsoft Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Microsoft Boot Camps

Comments

undomiel

NTFS permissions can't be in conflict, they're additive. Add up all the allow permissions and then subtract any denies. Remember that deny overrides any allows. If no permission is assigned then no access is granted. You compare permissions when you compare NTFS and Share permissions and pick the most restrictive. If you accessing a document on a server through terminal services then you're accessing the document as if it is local and only NTFS permissions would apply. So always make sure how you are accessing your data, if it be local or through the share, then add up the permissions and pick the most restrictive as necessary. Be careful when reading questions to always make sure how the data is being accessed so that you won't be confused by inapplicable data.

royal

undomiel wrote: »

Remember that deny overrides any allows.

Does anybody know what I'm about to say?

dynamik

Explicit vs. inherited?

royal

dynamik wrote: »

Explicit vs. inherited?

Bingo. Deny doesn't override "any" Allow. If the Deny is inherited and the Allow is explicit, the Allow triumphs.

undomiel

Whoops, well pie on my face then.

skrpune

royal wrote: »

Bingo. Deny doesn't override "any" Allow. If the Deny is inherited and the Allow is explicit, the Allow triumphs.

Good to know...I haven't gotten this far in my studies yet, but in looking it up the MS Press book does talk about explicit vs inherited. And it makes sense too - you can inherit certain permission from a "parent" but the "child" can be assigned different, elevated permissions without having to worry about security holes with the rest of the "kids" getting those same permissions.

Thanks for the info!

Dagged

royal wrote: »

Bingo. Deny doesn't override "any" Allow. If the Deny is inherited and the Allow is explicit, the Allow triumphs.

Hi,

I am using Sybex books and it says that Deny override Alloy. Thay don't say anything about inherited vs. explicit, same was on xp exam (70-270). All problems with permissions was due to Deny.

But thanks it is good to know

astorrs

Dagged wrote: »

I am using Sybex books and it says that Deny override Alloy. Thay don't say anything about inherited vs. explicit, same was on xp exam (70-270). All problems with permissions was due to Deny.

They probably say elsewhere that explicit always trumps inherited, right after they finish telling you that Deny "always" beats Allow - easy to get confused.