override rule in permission.

puertorico123puertorico123 Member Posts: 95 ■■□□□□□□□□
When two NTFS permission are in conflict, the least restrictive is in effect?
When a NTFS and Sharing permission are in conflict, the most restrictive is in effect?
When access a shared document via terminal service, the sharing permission is not in effect?
But I have some question, how to identify the least or most effective permission, for example full control and change or full control and modify or read & execute?
In group or user name, what happen if not defined (or in deny full control for example) to SYSTEM, USER [***\User] and Creator Owner?
Any other contribution, thanks in advanced!
HOLD:
Comptia A+
Comptia Network+

2009 Plan:
MCSA...75%
CCENT....0%
70-648..0%

2010 Plan:
MCITP
ORACLE

Comments

  • undomielundomiel Member Posts: 2,818
    NTFS permissions can't be in conflict, they're additive. Add up all the allow permissions and then subtract any denies. Remember that deny overrides any allows. If no permission is assigned then no access is granted. You compare permissions when you compare NTFS and Share permissions and pick the most restrictive. If you accessing a document on a server through terminal services then you're accessing the document as if it is local and only NTFS permissions would apply. So always make sure how you are accessing your data, if it be local or through the share, then add up the permissions and pick the most restrictive as necessary. Be careful when reading questions to always make sure how the data is being accessed so that you won't be confused by inapplicable data.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    undomiel wrote: »
    Remember that deny overrides any allows.

    Does anybody know what I'm about to say?
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    Explicit vs. inherited?
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    dynamik wrote: »
    Explicit vs. inherited?

    Bingo. Deny doesn't override "any" Allow. If the Deny is inherited and the Allow is explicit, the Allow triumphs.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • undomielundomiel Member Posts: 2,818
    Whoops, well pie on my face then. :)
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • skrpuneskrpune Member Posts: 1,409
    royal wrote: »
    Bingo. Deny doesn't override "any" Allow. If the Deny is inherited and the Allow is explicit, the Allow triumphs.
    Good to know...I haven't gotten this far in my studies yet, but in looking it up the MS Press book does talk about explicit vs inherited. And it makes sense too - you can inherit certain permission from a "parent" but the "child" can be assigned different, elevated permissions without having to worry about security holes with the rest of the "kids" getting those same permissions.

    Thanks for the info! icon_thumright.gif
    Currently Studying For: Nothing (cert-wise, anyway)
    Next Up: Security+, 291?

    Enrolled in Masters program: CS 2011 expected completion
  • DaggedDagged Member Posts: 54 ■■□□□□□□□□
    royal wrote: »
    Bingo. Deny doesn't override "any" Allow. If the Deny is inherited and the Allow is explicit, the Allow triumphs.

    Hi,

    I am using Sybex books and it says that Deny override Alloy. Thay don't say anything about inherited vs. explicit, same was on xp exam (70-270). All problems with permissions was due to Deny.

    But thanks it is good to know :)
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    Dagged wrote: »
    I am using Sybex books and it says that Deny override Alloy. Thay don't say anything about inherited vs. explicit, same was on xp exam (70-270). All problems with permissions was due to Deny.
    They probably say elsewhere that explicit always trumps inherited, right after they finish telling you that Deny "always" beats Allow - easy to get confused. :)
Sign In or Register to comment.