Alistair7 asked:
These 2 Microsoft statements on permissions appear to contradict

Microsoft writes:

Statement 1 refers only to Shared folder perms

"Permissions are cumulative.  A user's effective permissions for a resource are the combination of the shared folder permissions granted to the individual user account and the shared folder permissions granted to the groups to which the user belongs.  i.e.  If the user has the Read permission for a folder and is a member of a group with the Change permission for the same folder, then the user has both the Read and Change permissions for that folder."

Statement 2 refers to the combining of both NTFS and shared perms

"When you combine NTFS permissions and shared folder permissions, the resulting permission is the most restrictive permission of the combined shared folder permissions or the combined NTFS permissions."

I'm confused.  Could someone please explain this to me?  They seem to contradict.
sirbounty

When a remote client tries to access a shared resource first it checks against the share ACL then NTFS security.

If you're just talking shares and security permissions, then it's the most restrictive of the two.  It's best to set up your permissions on security, as if you open up security and lock down sharing permissions, anyone with local access can roam freely.  If you lock down the security, you can open sharing up to full/everyone while still limiting their access once they hit the disk.  So - Sharing with Full permissions and Security with Read only gives you Read only as the effective permission.

When you're talking groups - then the effective permission is the 'least' restrictive.  So, if you are in SALES which has Read access only to a folder and MANAGERS which has full control - your effective permission would be full control.  The caveat to both is Deny.  The Deny attribute supersedes all.  It's a one and done.  If you're somewhere restricted through a Deny setting, then that's your effective permission...

Hope that helps.
sirbounty
"Group A has Share permission Read to Data folder and they also have Write NTFS permission to the Data folder.  Their effective permission would be denied over the network "

I'd have to test that one, as the way I've learned it, the effective permission would be 'read' to the share as it's the 'most restrictive' between the two...never heard of a deny coming out of two explicitly set access permissions...
Please do test it.  I demonstrate this in every class I teach on permissions and that is what most students are led to believe.  That is why my personal mission in life is to get all my students to get away from the "most restrictive" rule and use my "permissions in common" rule.

Brian
Interesting - I'll test it now....brb. :^)
Alistair7 (asker)
Waiting with bated breath for sirbounty's test result?
Hats off to you mkbean - and my apologies for doubting you.  I've been duped for the past several years apparently.

Obviously, you are correct.  However, this confuses me even more, because if this is the correct application of permissions that Microsoft intended, how is a 'new' admin supposed to be able to determine how to work it?  Especially with the touting of the "most restrictive" phrase everywhere you turn.  Additionally how are these folks supposed to know what 'common' permissions are?  I've yet to find anything that says Read and Write aren't in the same range, so they don't play well together...

I'm also curious if this changed since W2k?  This is the first that I've seen it explained this way.  I'm glad I was part of this thread because I learned something, but now I'm also frustrated. :$

Thanx mkbean...good info...
Haha...there ya go Alistair7.  Tested on a w2k3 standard server.  Now I'm going to have to test it on a w2k server - just for my own 411...if interested, I'll certainly post those results as well...
Glad to have helped.  I, along with many others (including yourself), was taught incorrectly...thus my mission to fix that.   By the way, the same goes for Windows 2000 and even NT.

Most permissions are a subset of others; for example, Read and Write along with some other special permissions make up Modify.  However, Read and Write are two totally different permissions and don't depend on each other for anything.

I have not found a good tool to use to find out what the effective permission is over the network when combining share and NTFS permissions.  The Effective Permissions tab in the Advanced permissions only shows the effective permission for NTFS, not both.

I'm truly glad that I helped.


Brian
Brian,  or should I say Mr Bean

You're a marvel!  Give yourself a jellybean!

Very clarifying and helpful!  That's one of the best explanations I've read on this board.

Could I venture to ask you to look at the following question along the same lines if you have the time:

https://www.experts-exchange.com/questions/21483348/Students-have-permissions-to-access-and-read-each-others-home-folders-after-setting-up-mandatory-profiles.html

thanks to both of you.
Replied to that thread.

Thanks for the kind comments.  Please feel free to check out my site www.adminprep.com where a group of trainers including myself write articles on technology.  I also just started some elearning task based training on it here http://www.adminprep.com/articles/?pageid=rewind

Brian

Thanx Brian for taking the time to explain this as well.  I appreciate your assistance in re-teaching me... :^)
Best of luck to you both.
~sirbounty
Brian - if my share perms are read and my security is write - shouldn't I at least be able to write to the folder?
I have to test this as well, but curious what your stance on that is...
Doesn't work...so now I'm still confused...
I'm not trying to read the share, I'm simply trying to write data to it...using copy con...but I still get an Access denied.
I'm baffling a colleague at the moment as well... looks like this 'common' perms is infectious! Haha.
You will be able to write to the folder locally (because of the Write NTFS permission) and be denied over the network.

Think of that folder as a suggestion box: users can write their suggestions down but are not able to read any of them.

Brian
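To make the "permissions in common" rule from this thread concrete, here is an added Python model of how share and NTFS permissions combine. It is constructed for this edit and is not code from the thread's participants or from Microsoft. It assumes a small set of named rights in place of the real Windows access mask, assumes the mapping from the share levels (Read / Change / Full Control) and the NTFS basic permissions to those rights, and treats a Deny entry as simply removing rights regardless of ACE ordering. It reproduces the scenarios discussed above: share Read with NTFS Write (the suggestion box), share Full Control with NTFS Read, cumulative group membership, and an explicit Deny.

```python
"""Model of Windows share + NTFS permission combination (constructed example).

Assumptions (simplifications of the real access-check):
- rights are named flags, not the real 32-bit file access mask;
- the share levels and NTFS basic permissions map to those flags as below;
- a Deny entry removes rights no matter where it sits in the ACL.
"""
from dataclasses import dataclass

# Granular rights (simplified from the real file access mask)
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS = (
    "read", "write", "execute", "delete", "change_permissions")
ALL = frozenset({READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS})

# Share permission levels -> rights (assumed mapping)
SHARE_LEVELS = {
    "Read": frozenset({READ, EXECUTE}),
    "Change": frozenset({READ, EXECUTE, WRITE, DELETE}),
    "Full Control": ALL,
}

# NTFS basic permissions -> rights (assumed mapping)
NTFS_LEVELS = {
    "Read": frozenset({READ}),
    "Read & Execute": frozenset({READ, EXECUTE}),
    "Write": frozenset({WRITE}),
    "Modify": frozenset({READ, EXECUTE, WRITE, DELETE}),
    "Full Control": ALL,
}


@dataclass(frozen=True)
class Ace:
    """One access-control entry: who, which level, allow or deny."""
    principal: str          # user or group name
    level: str              # key of SHARE_LEVELS or NTFS_LEVELS
    deny: bool = False


def effective(aces, levels, identities):
    """Combine the ACEs that apply to `identities` (the user plus every group
    the user belongs to).  Allow entries are cumulative (union); any Deny
    entry wins over every Allow for the rights it names."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace.principal not in identities:
            continue
        (denied if ace.deny else allowed).update(levels[ace.level])
    return frozenset(allowed - denied)


def effective_local(ntfs_aces, identities):
    """Interactive (console) access: only the NTFS ACL is checked."""
    return effective(ntfs_aces, NTFS_LEVELS, identities)


def effective_network(share_aces, ntfs_aces, identities):
    """Access through the share: a right survives only if BOTH the share ACL
    and the NTFS ACL grant it.  This is set intersection, not a ranking of
    'most restrictive'; Read and Write have nothing in common, so the result
    can be empty even though both sides granted something."""
    share = effective(share_aces, SHARE_LEVELS, identities)
    ntfs = effective(ntfs_aces, NTFS_LEVELS, identities)
    return share & ntfs


# --- Constructed scenarios mirroring the thread ---------------------------
# 1. Share Read + NTFS Write: the "suggestion box".
SUGGESTION_BOX_SHARE = [Ace("Group A", "Read")]
SUGGESTION_BOX_NTFS = [Ace("Group A", "Write")]

# 2. Share Full Control for Everyone + NTFS Read & Execute.
OPEN_SHARE = [Ace("Everyone", "Full Control")]
READ_ONLY_NTFS = [Ace("Everyone", "Read & Execute")]

# 3. Groups are cumulative: SALES has Read & Execute, MANAGERS Full Control.
GROUPS_NTFS = [Ace("SALES", "Read & Execute"), Ace("MANAGERS", "Full Control")]

# 4. Deny supersedes: a Deny Write on CONTRACTORS removes write even though
#    MANAGERS grants Full Control.
DENY_NTFS = GROUPS_NTFS + [Ace("CONTRACTORS", "Write", deny=True)]


def describe(rights):
    """Human-readable rendering of a rights set."""
    return ", ".join(sorted(rights)) if rights else "(access denied)"


if __name__ == "__main__":
    me = {"alice", "Group A"}
    print("suggestion box, local:  ",
          describe(effective_local(SUGGESTION_BOX_NTFS, me)))
    print("suggestion box, network:",
          describe(effective_network(SUGGESTION_BOX_SHARE, SUGGESTION_BOX_NTFS, me)))
    print("open share + read-only NTFS, network:",
          describe(effective_network(OPEN_SHARE, READ_ONLY_NTFS, {"bob", "Everyone"})))
    staff = {"dave", "SALES", "MANAGERS", "CONTRACTORS"}
    print("sales+managers, local:  ", describe(effective_local(GROUPS_NTFS, staff)))
    print("with deny write, local: ", describe(effective_local(DENY_NTFS, staff)))
```

The two functions separate the two checks the thread describes: `effective_local` is what the Effective Permissions tab shows (NTFS only), while `effective_network` is the intersection that the tab does not compute. Running the block prints the suggestion-box case as writable locally and denied over the network, which is the behaviour sirbounty reproduced with `copy con`.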