NTFS & Shares

winky51winky51 Member Posts: 23 ■□□□□□□□□□
I actually forgot this so Im asking because I cant find an example.

NTFS (user and group) most permissive of all between users and groups except DENY trumps everything.

SHARE is like a funnel that limits the access to the share folder.

NTFS (folder/file on SHARE) ? this is what I forgot. Does it act like the other NTFS permissions or is it its own filter.

EXAMPLE: User "John" is in XYZ group with read/write/execute rights everywhere
SHARE folder has read & execute rights
local file has NTFS has read rights only for Everyone (no denies though)

Does John have read/execute or just read in the local file?

What I dont remember is if NTFS on file/folder mingles with group/user NTFS permissions or is this a double sided funnel where it meets in the share permissions? I know denys trump all.

I assume here he has read & execute. since it hit the top of the tree without denies.

Then I find this article which states at the end...
How IT Works: NTFS Permissions

The DACL lists permissions by the object first, followed by the object’s parent, then the grandparent, and so on up the directory tree. Each layer has the Deny permissions listed before the Allow permissions. The evaluation starts at the child and checks the permissions at that level before continuing up the tree. This process goes level by level until one of three things happen:
  • If the evaluation finds a Deny for the requested action, the evaluation stops and the action is denied.
  • If the evaluation finds an Allow for the requested action, the evaluation stops and the action is allowed.
  • If the evaluation made it to the top of the tree and the action does not have an Allow or Deny permission specified, the action is still denied.
Which means if working backwards if the NTFS permissions hit an allow before a deny, from file up the tree, the deny gets skipped.

Is this an old article? Or is this true still?
Sign In or Register to comment.