Understanding Permissions

O.K.

There are NTFS and Share level permissions.
If I understand correctly, they are cumulative and the most restrictive is the effective permission.

However, in one of the practice exam questions, the Everyone group had Change permissions for a share, while a user with membership to two groups having Full Control and Read, effectively had Change.

How does he have Change when the least restrictive is Read?

Comments

  • CCIE2008 Member Posts: 7
    Sounds strange. Can you post the actual question?

    Thanks
    CCIE2008

    MCSE, MCSA, MCDST, CCNP, CCDA, Security+, Linux+, Network+, A+, MOS
  • ICreateLoops Member Posts: 17
    The 2 groups you refer to that have Change and Full control, are those the NTFS permissions or are you saying all of them are share permissions?
    MCSA 2003, MCDST, Security+, Network+, A+
  • w^rl0rd Member Posts: 329
    18. You share a folder on your computer and you assigned the share permission Change to Everyone. John, a user from the Sales department, has been granted Full Control NTFS permission to the folder. John is also a member of the Sales group, which has been assigned Read NTFS permissions.
    What are John's effective permissions when connecting to the shared folder?

    a. Read
    b. Read & Execute
    c. Change
    d. Full Control

    Answer(s): c. Change

    Explanation:
    The effective NTFS permissions are the sum of the permissions assigned to the user and to the groups the user belongs to (except for Deny permissions, which override any other permissions assigned). When you combine NTFS and Share permissions, the most restrictive applies.
  • w^rl0rd Member Posts: 329
    See above.

    If most restrictive applies, then wouldn't his effective permissions be Read from the Sales group?

    Read is more restrictive than Change, right?
  • Webmaster Admin Posts: 10,292
    As I wrote in the explanation:
    When you combine NTFS and Share permissions the most restrictive applies.
    The permissions 'combined' are the effective NTFS permissions + the effective share permissions.

    John's effective NTFS permission is Full Control (user permission) + Read (Sales group permission), which results in the effective NTFS permission Full Control. (As mentioned in the explanation: the effective NTFS permissions are the sum of the permissions assigned to the user and to the groups the user belongs to, as in the least restrictive applies.)

    When you combine these NTFS permissions with Share permissions, the most restrictive applies. Hence, NTFS permission Full Control + Share permission Change results in effective permission Change, when connecting to the shared folder.
  • CCIE2008 Member Posts: 7
    When finding your effective permissions when combining Share level access with NTFS, you need to know the LEAST/MOST restriction rule.


    First add up your permissions for NTFS and Share level separately. Then take the least restrictive permission.

    NTFS:
    John User - Full Control
    John Sales Group - Read
    =================
    Least restrictive: Full


    Share:

    Everyone Change
    ========================
    Least restrictive: Change

    Now you compare your share and NTFS permissions to get the most restrictive.

    NTFS: Full
    Share: Change
    ==================
    Most Restrictive: Change


    Change is the user's effective permission. The only exception is when you use an explicit deny. Deny overrides and becomes the effective permission. Hope this helps. Let me know if you need any more info.
    CCIE2008

    MCSE, MCSA, MCDST, CCNP, CCDA, Security+, Linux+, Network+, A+, MOS
  • w^rl0rd Member Posts: 329
    Thanks everyone, I understand it now.
  • ScareCrow Member Posts: 25
    CCIE2008 good explanation, this has helped me.... Good post all round, good forum...!!!
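
The two-step rule worked through in this thread (sum within each layer, then keep only what both layers grant), as an added example that is not part of any forum post. The rights bitmask, the single level scale shared by NTFS and share permissions, the function names and the ACE tuples are assumptions for illustration; Deny handling is simplified and ignores inheritance order.

```python
from enum import Flag, auto

class Right(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()
    DELETE = auto()
    CHANGE_PERMISSIONS = auto()
    TAKE_OWNERSHIP = auto()

# Simplified permission levels (assumption: one shared scale for NTFS and share).
READ = Right.READ
CHANGE = READ | Right.WRITE | Right.DELETE
FULL_CONTROL = CHANGE | Right.CHANGE_PERMISSIONS | Right.TAKE_OWNERSHIP
LEVELS = [("Full Control", FULL_CONTROL), ("Change", CHANGE), ("Read", READ)]

def cumulative(aces, principals):
    """Sum Allow entries for the user and their groups, then subtract Deny."""
    allowed, denied = Right.NONE, Right.NONE
    for principal, kind, rights in aces:
        if principal in principals:
            if kind == "deny":
                denied |= rights
            else:
                allowed |= rights
    return allowed & ~denied

def effective(ntfs_aces, share_aces, principals):
    """Over the network, only rights granted by BOTH layers survive."""
    return cumulative(ntfs_aces, principals) & cumulative(share_aces, principals)

def level_name(rights):
    """Highest named level whose rights are all present."""
    for name, mask in LEVELS:
        if (rights & mask) == mask:
            return name
    return "No Access"

# Constructed data matching exam question 18 from the thread.
JOHN = {"John", "Sales", "Everyone"}
NTFS = [("John", "allow", FULL_CONTROL), ("Sales", "allow", READ)]
SHARE = [("Everyone", "allow", CHANGE)]

if __name__ == "__main__":
    print("NTFS only:", level_name(cumulative(NTFS, JOHN)))
    print("Via share:", level_name(effective(NTFS, SHARE, JOHN)))
    denied = NTFS + [("Sales", "deny", Right.WRITE)]
    print("With Deny Write on Sales:", level_name(effective(denied, SHARE, JOHN)))
```

The third case shows why group membership matters when auditing access: a single Deny entry on a group the user belongs to removes that right even though the user's own entry grants Full Control.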