effective permissions

max_schofield Registered Users Posts: 2
On Q. # 18 -

"You share a folder on your computer and you assigned the share permission Change to Everyone. John, a user from the Sales department, has been granted Full Control NTFS permission to the folder. John is also a member of the Sales group, which has been assigned Read NTFS permissions. What are John's effective permissions when connecting to the shared folder?"

The answer given is "Change" which supposes his Everyone group membership to the share supersedes his user status in Sales Dept., but shouldn't it be "Read" because that is the most restrictive NTFS permissions?

Any insight is appreciated.

Comments

  • Devilsbane Member Posts: 4,214
    So you add up NTFS and the Share permissions separately (subtracting denies which take precedence), and then you look at the two sets and give yourself the most restrictive.

    NTFS:
    Sales (includes John): Read
    John - Full Control

    Shared:
    Everyone - Change

    So based on that, John has Full Control NTFS and Change shared permission. So when he is accessing over the share (which the question says that he is) he will get the most restrictive permissions, thus taking away the Full Control and leaving him only with the change.
    Decide what to be and go be it.
  • max_schofield Registered Users Posts: 2
    Devilsbane wrote:
    So you add up NTFS and the Share permissions separately (subtracting denies which take precedence), and then you look at the two sets and give yourself the most restrictive.

    NTFS:
    Sales (includes John): Read
    John - Full Control

    Shared:
    Everyone - Change

    So based on that, John has Full Control NTFS and Change shared permission. So when he is accessing over the share (which the question says that he is) he will get the most restrictive permissions, thus taking away the Full Control and leaving him only with the change.
    OK, Thanks. I guess that means he would only get the "Read" permission if he were logged on locally as then the most restrictive NTFS permission would apply???
  • Devilsbane Member Posts: 4,214
    OK, Thanks. I guess that means he would only get the "Read" permission if he were logged on locally as then the most restrictive NTFS permission would apply???

    If he were logged on locally (or even over Remote Desktop as share permissions don't apply to this even though you think they might) he would have full control permissions to the folder. Read + Full control = Full Control.


    Think of it this way. If you are a member of two groups. You are a member of the "Domain Users" security group (which every user is a member of by default) and also a member of the Domain Admins group (because you are an administrator).

    If the folder grants all users read and Domain Admins Full Control, how would you be able to administer this folder if you only got the read? So since you have both permissions, you are going to "choose" to use the ones that grant you the most power.

    The exception to this is the deny permission. If the folder needs to be read by all users except domain admins, you would grant the read permission to Domain users and the deny permission to domain admins. So even though you are a member of the domain users group and would normally be given access, you have been explicitly excluded.

    When you add in share permissions, think of it like an apartment building or hotel. The share permission gets you in the door of the complex. Everyone with a room should have access to this. Then think of NTFS permissions as your specific room. If you actually want to get into your room, you are going to need both the key to get into the building as well as the key to get into your room. If you are lacking one or both, you will never be able to get where you need to go.

    The last thing I want to leave you with is to read very carefully. These questions are intentionally tricky and it can be very easy to miss something. Always be on the lookout for words like "not" which can change the entire meaning. I find it is nice to take notes on the question, similar to what I did in my response above. Write down all of the NTFS permissions and then decide what access he would have through that. Then write down the Share permissions and see what access he would have through that. Then finally compare the two and see if John is going to be able to get up to his room tonight and go to bed.



    The sales group has been given NTFS Write and share read. Marketing has been denied share change and granted read NTFS. Mike has been granted full control NTFS and full control share. He is also a member of the sales and marketing groups. 1. If he is seated locally, what can he do? 2. If he is accessing over the share, what can he do?
    Decide what to be and go be it.
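
Added example, not part of any post in this thread: a simplified Python model of the rule discussed above (sum the allows per permission type, subtract denies, then intersect NTFS with share only when access comes over the share), run on the Q18 scenario. The right names, the contents of each level, and the user "Alice" are assumptions made for illustration.

```python
# Simplified model: each permission level is a set of abstract rights.
# The right names and level contents are assumptions for illustration.
LEVELS = {
    "Read": frozenset({"read"}),
    "Change": frozenset({"read", "write", "delete"}),
    "Full Control": frozenset({"read", "write", "delete", "set_permissions"}),
}
ORDER = ["Full Control", "Change", "Read"]  # highest level first


def cumulative(acl, principals):
    """Union of allows for the user's identities, minus any denies."""
    allowed, denied = set(), set()
    for principal, kind, level in acl:
        if principal in principals:
            (allowed if kind == "allow" else denied).update(LEVELS[level])
    return allowed - denied


def effective(ntfs_acl, share_acl, principals, over_share):
    """Local access uses NTFS only; over the share, both must grant a right."""
    rights = cumulative(ntfs_acl, principals)
    if over_share:
        rights &= cumulative(share_acl, principals)
    return next((n for n in ORDER if LEVELS[n] <= rights), "No access")


# Q18 from the thread: John is in Sales and, like all users, in Everyone.
JOHN = {"John", "Sales", "Everyone"}
NTFS_Q18 = [("John", "allow", "Full Control"), ("Sales", "allow", "Read")]
SHARE_Q18 = [("Everyone", "allow", "Change")]

# Deny case from the thread, with a constructed user "Alice".
ADMIN = {"Alice", "Domain Users", "Domain Admins"}
NTFS_DENY = [("Domain Users", "allow", "Read"),
             ("Domain Admins", "deny", "Read")]

if __name__ == "__main__":
    print("John over share:", effective(NTFS_Q18, SHARE_Q18, JOHN, True))
    print("John locally:   ", effective(NTFS_Q18, SHARE_Q18, JOHN, False))
    print("Admin, denied:  ", effective(NTFS_DENY, [], ADMIN, False))
```
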
  • punkisdead83 Registered Users Posts: 8
    The most restrictive permission is applied.