Another wrong question

[FONT=Verdana, Arial, Helvetica][SIZE=-1][SIZE=-1]13. You share a folder on your computer and you assigned the share permission Change to Everyone. John, a user from the Sales department, has been granted Full Control NTFS permission to the folder. John is also a member of the Sales group, which has been assigned Read NTFS permissions.
What are John's effective permissions when connecting to the shared folder?

They say the answer is change.

But don't the most restrictive permissions apply?

The group is assigned read, if you ask me, that should make his affective permissions to read instead of change.

Is the wording wrong on this one too, or am I just assuming the question wants the shared permissions and not the NTFS ?
[/SIZE][/SIZE][/FONT]

Find more posts tagged with

Comments

dynamik

When looking at share and NTFS permissions, the most restrictive applies. i.e. change share and full NTFS will give you change (when accessing the share over the network, it would be full if accessed locally since that doesn't use the share).

When looking at permissions amongst multiple groups, the permissions are cumulative. i.e. read NTFS and full NTFS will result in full. You would need to explicitly deny something in another group to negate any allowed permissions.

Bherminghaus

dynamik wrote: »

When looking at share and NTFS permissions, the most restrictive applies. i.e. change share and full NTFS will give you change (when accessing the share over the network, it would be full if accessed locally since that doesn't use the share).

When looking at permissions amongst multiple groups, the permissions are cumulative. i.e. read NTFS and full NTFS will result in full. You would need to explicitly deny something in another group to negate any allowed permissions.

Thank you for your help on the other post as I agree with you on that and now understand. However, for this question - They say that the GROUP has a read only permission. Now, I understand that he has been granted full control, and everyone has change, but for this shared folder does that not mean that he has the read permission only?

I'm still having trouble understanding how the questions is right, when it says that the group he has is set to the read permission. Isn't the most restrictive set of permissions applied to all categories? Am I right?

Claymoore

NTFS and Shared permissions are separate and need to be resolved separately. Once you have the resulting set of permissions for both Share and NTFS, then you can compare them.

NTFS permissions are cumulative
Group1 has read +
Group2 has modify +
User has full control +
= User has full control

Share permissions are cumulative
Everyone has read +
Group 1 has change
= User has change

Share vs NTFS are NOT cumulative and the most restrictive is used
Share = Change
NTFS = Full Control
= User has Change

If you think that's confusing, wait until you have to troubleshoot nested groups, nested shares and Deny rights. Then you will understand why the new 'Reason for Access' auditing feature in Win7 / 2008 R2 was a feature long overdue.