These 2 Microsoft statements on permissions appear to contradict

Microsoft writes:

Statement 1 refers only to Shared folder perms

"Permissions are cumulative. A user's effective permissions for a resource are the combination of the shared folder permissions granted to the individual user account and the shared folder permissions granted to the groups to which the user belongs. I.e., if the user has the Read permission for a folder and is a member of a group with the Change permission for the same folder, then the user has both the Read and Change permissions for that folder."

Statement 2 refers to the combining of both NTFS and shared perms

"When you combine NTFS permissions and shared folder permissions, the resulting permission is the most restrictive permission of the combined shared folder permissions or the combined NTFS permissions."

I'm confused. Could someone please explain this to me? They seem to contradict each other.

When a remote client tries to access a shared resource, the request is first checked against the share ACL, then against NTFS security.

If you're just talking shares and security permissions, then it's the most restrictive of the two. It's best to set up your permissions on security, because if you open up security and lock down sharing permissions, anyone with local access can roam freely. If you lock down the security, you can open sharing up to Full/Everyone while still limiting their access once they hit the disk. So: Sharing with Full permissions and Security with Read only gives you Read only as the effective permission.

When you're talking groups, then the effective permission is the 'least' restrictive. So, if you are in SALES, which has Read access only to a folder, and MANAGERS, which has Full Control, your effective permission would be Full Control. The caveat to both is Deny. The Deny attribute supersedes all. It's a one and done. If you're somewhere restricted through a Deny setting, then that's your effective permission...

Hope that helps.
Brian (IT Manager) commented:
This comes up a lot in the classes that I teach.

When you combine like permissions (share+share or NTFS+NTFS) then the permissions are cumulative.

When you combine unlike permissions (share+NTFS) then the effective permission will be whatever the two types of permissions have in common.

For example:
Group A has Share permission Read to the Data folder and also has Full Control NTFS permission to the Data folder. Their effective permission would be Read over the network because that is the common permission between the two (Read is a subset of Full Control). Group A's permission locally would be Full Control, since we are not going through the Share permission.

I can't stand that Microsoft uses "Most Restrictive" because that can confuse people.

For example:
Group A has Share permission Read to the Data folder and also has Write NTFS permission to the Data folder. Their effective permission would be denied over the network because there is no common permission between the two (Read and Write are completely different, and you don't need either for the other to work). Group A's permission locally would be Write, since we are not going through the Share permission.

Please let me know if you need further clarification.



"Group A has Share permission Read to Data folder and they also have Write NTFS permission to the Data folder.  Their effective permission would be denied over the network "

I'd have to test that one, as the way I've learned it, the effective permission would be 'read' to the share as it's the 'most restrictive' between the two... never heard of a deny coming out of two explicitly set access permissions...
Brian (IT Manager) commented:
Please do test it.  I demonstrate this in every class I teach on permissions and that is what most students are led to believe.  That is why my personal mission in life is to get all my students to get away from the "most restrictive" rule and use my "permissions in common" rule.

Interesting - I'll test it now....brb. :^)
Alistair7 (Author) commented:
Waiting with bated breath for sirbounty's test result????
Hats off to you mkbean - and my apologies for doubting you.  I've been duped for the past several years apparently.

Obviously, you are correct.  However, this confuses me even more, because if this is the correct application of permissions that Microsoft intended, how is a 'new' admin supposed to be able to determine how to work it?  Especially with the touting of the "most restrictive" phrase everywhere you turn.  Additionally how are these folks supposed to know what 'common' permissions are?  I've yet to find anything that says Read and Write aren't in the same range, so they don't play well together...

I'm also curious if this changed since W2k?  This is the first that I've seen it explained this way.  I'm glad I was part of this thread cause I learned something, but now I'm also frustrated. :$

Thanx mkbean...good info...
Haha...there ya go Alistair7.  Tested on a w2k3 standard server.  Now I'm going to have to test it on a w2k server - just for my own 411...if interested, I'll certainly post those results as well...
Brian (IT Manager) commented:
Glad to have helped. I, along with many others (including yourself), was taught incorrectly... thus my mission to fix that. By the way, the same goes for Windows 2000 and even NT.

Most permissions are a subset of others; for example, Read and Write along with some other special permissions make up Modify. However, Read and Write are two totally different permissions and don't depend on each other for anything.

I have not found a good tool to use to find out what the effective permission is over the network when combining share and NTFS permissions. The Effective Permissions tab in the Advanced permissions only shows the effective permission for NTFS, not both.

I'm truly glad that I helped.

Alistair7 (Author) commented:
Brian, or should I say Mr Bean

You're a marvel!  Give yourself a jellybean!

Very clarifying and helpful!  That's one of the best explanations I've read on this board.

Could I venture to ask you to look at the following question along the same lines if you have the time:

thanks to both of you.
Brian (IT Manager) commented:
Replied to that thread.

Thanks for the kind comments. Please feel free to check out my site, where a group of trainers including myself write articles on technology. I also just started some e-learning task-based training on it here


Thanx Brian for taking the time to explain this as well.  I appreciate your assistance in re-teaching me... :^)
Best of luck to you both.
Brian, if my share perms are Read and my security is Write, shouldn't I at least be able to write to the folder?
I have to test this as well, but curious what your stance on that is...
Doesn't now I'm still confused...
I'm not trying to read the share, I'm simply trying to write data to it... using copy con... but I still get an Access denied.
I'm baffling a colleague at the moment as well... looks like this 'common' perms thing is infectious! Haha.
Brian (IT Manager) commented:
You will be able to write to the folder locally (because of the Write NTFS permission) and be denied over the network.

Think of that folder as a suggestion box: users can write their suggestions down but are not able to read any of them.
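To make the two rules in this thread concrete (sirbounty's "cumulative within a type, most restrictive across types" and Brian's "permissions in common" examples, including the suggestion-box case above), here is an added Python model that is not code from the thread, from Microsoft, or from any tool mentioned here. It expands each share and NTFS permission level into a constructed, simplified set of atomic rights (no Execute or attribute rights, no inheritance), combines same-type ACEs by union with Deny stripping rights afterwards, and intersects the share and NTFS results for network access. The principal and group names are constructed for the example.

```python
"""Added example: a model of how Windows combines share and NTFS permissions.

The right sets below are a constructed simplification (no Execute/attribute
rights, no inheritance) chosen to show the rules from the thread, not a
reproduction of Microsoft's permission templates.
"""

# Atomic rights (constructed simplification of the real special permissions).
READ, WRITE, DELETE, CHANGE_PERMS, TAKE_OWNER = (
    "read", "write", "delete", "change_perms", "take_ownership")
ALL = frozenset({READ, WRITE, DELETE, CHANGE_PERMS, TAKE_OWNER})

# Share permission levels expanded to atomic rights (simplified assumption).
SHARE = {
    "Read": frozenset({READ}),
    "Change": frozenset({READ, WRITE, DELETE}),
    "Full Control": ALL,
}
# NTFS basic permission levels expanded to atomic rights (simplified assumption).
NTFS = {
    "Read": frozenset({READ}),
    "Write": frozenset({WRITE}),
    "Modify": frozenset({READ, WRITE, DELETE}),
    "Full Control": ALL,
}


def effective_within_type(principals, aces, table):
    """Combine ACEs of one type only (share+share or NTFS+NTFS).

    principals: the user account plus every group it belongs to.
    aces: list of (principal, "Allow" | "Deny", level) entries.
    Allow entries are cumulative (a union over matching principals); any
    matching Deny entry then strips those rights, so Deny always wins.
    """
    allowed, denied = set(), set()
    for who, kind, level in aces:
        if who in principals:
            (allowed if kind == "Allow" else denied).update(table[level])
    return frozenset(allowed - denied)


def effective_over_network(principals, share_aces, ntfs_aces):
    """Remote access is checked against the share ACL and then NTFS, so only
    rights granted by both layers survive (the 'permissions in common' rule)."""
    share = effective_within_type(principals, share_aces, SHARE)
    ntfs = effective_within_type(principals, ntfs_aces, NTFS)
    return share & ntfs


def effective_locally(principals, ntfs_aces):
    """A user logged on at the console never passes through the share ACL."""
    return effective_within_type(principals, ntfs_aces, NTFS)


def describe(rights):
    """Render an atomic right set as the NTFS level it equals, for display."""
    if not rights:
        return "Access denied"
    for name, template in NTFS.items():
        if template == rights:
            return name
    return "+".join(sorted(rights))


def thread_scenarios():
    """Replay the cases discussed in the thread; returns {case: description}."""
    # Constructed user: member of every group used below.
    alice = {"alice", "Everyone", "Group A", "SALES", "MANAGERS"}
    results = {}
    # Share Full Control for Everyone, NTFS Read: the disk ACL limits the user to Read.
    results["share Full + NTFS Read"] = describe(effective_over_network(
        alice, [("Everyone", "Allow", "Full Control")], [("Everyone", "Allow", "Read")]))
    # Same-type permissions are cumulative: SALES Read + MANAGERS Full Control.
    cumulative = [("SALES", "Allow", "Read"), ("MANAGERS", "Allow", "Full Control")]
    results["SALES Read + MANAGERS Full (NTFS)"] = describe(effective_locally(alice, cumulative))
    # A Deny entry supersedes the cumulative result.
    results["... plus Deny Write for SALES"] = describe(
        effective_locally(alice, cumulative + [("SALES", "Deny", "Write")]))
    # Share Read + NTFS Full Control: Read over the network, Full Control locally.
    share_read = [("Group A", "Allow", "Read")]
    ntfs_full = [("Group A", "Allow", "Full Control")]
    results["share Read + NTFS Full (network)"] = describe(
        effective_over_network(alice, share_read, ntfs_full))
    results["share Read + NTFS Full (local)"] = describe(effective_locally(alice, ntfs_full))
    # Share Read + NTFS Write: nothing in common, so the suggestion box only works locally.
    ntfs_write = [("Group A", "Allow", "Write")]
    results["share Read + NTFS Write (network)"] = describe(
        effective_over_network(alice, share_read, ntfs_write))
    results["share Read + NTFS Write (local)"] = describe(effective_locally(alice, ntfs_write))
    return results


if __name__ == "__main__":
    for case, outcome in thread_scenarios().items():
        print(f"{case:40} -> {outcome}")
```

Running it prints one line per scenario; the "share Read + NTFS Write (network)" case comes out as "Access denied" while the local case is "Write", which is exactly the behaviour sirbounty reproduced with copy con. The model is deliberately the narrow one the thread describes: add a share-level Deny or a second group and the same functions show why a Deny ACE ends the discussion regardless of what other groups grant.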

Windows Server 2003