Solved

Effective Permissions

Posted on 2006-11-10
457 Views
Last Modified: 2012-05-05
Hi

I've got a few questions that are fairly simple for you guys (I hope).


If a user belongs to a few groups, for example in Sales he has Read, in HR he has Read, and in Engineers he has Write, then his effective permission is Write.

1) So when it says his effective permission is Write, does that mean he has the ability to Write even though he is in the Sales and HR groups, correct?

2) If a user who is a member of 2 groups (Engineers, who have the NTFS permission Modify, and Sales, who have the permission Write) has been Denied Read to a certain folder (not the whole group, just him), then is his effective permission still Write?

3) If someone has been Denied Read to one resource, would this affect their ability to Read other resources? i.e. if someone is Denied Read to Folder A, will they be unable to read something in Folder B?


I'm sorry if these questions are obvious, but I'm going back to my Microsoft courses after putting them off for ages, and there are a few things I've forgotten, so I just need to clear a few things up.


Thanks in advance
0
Comment
Question by:LFC1980
14 Comments
 
LVL 14

Assisted Solution

by:inbarasan
inbarasan earned 50 total points
Dear LFC1980,
My answers are below.

1) Yes, she has the ability to write.
2) Deny will take effect even if the user has Full Control. Deny will supersede all the rights.
3) Depends on the permissions on the resource. If the other resource has Read or Write, that will take effect. It doesn't matter if a user is denied somewhere else. The effective permission on the folder will take effect.

Cheers!
0
 

Author Comment

by:LFC1980
To clear up (3)... Say the user has Read permissions for Folder A, and Read also for Folder B, and is then Denied Read for A. Does that mean even though he has been denied Read on A, he CAN read on Folder B?

The reason this is confusing me is because I had a question where a user belongs to 2 groups, Engineers and Sales, and only he was to be denied Read to a folder, so no one else is affected.

The folder has NTFS permissions that allow Administrators Full Control, and Engineers have Modify.
The Share permissions allow Everyone Change.

The user kept modifying files in Folder A, so the solution was to Deny him Read (not the whole group). However, in the explanation of the answer, it also goes on to say that as the user is also in Sales, you have to assign the "Allow Read" permission for Sales.

Why is that?
How will his abilities as a Sales member be affected?


PS: This has kind of turned into a new question so I'll add extra points.

0
 
LVL 3

Expert Comment

by:mahe2000
Deny overrides Allow. If he is denied Read in folder A nothing happens to folder B (unless B is a subdirectory of A and inherits permissions).
Permissions for folders are analysed this way:
1 - Is the user denied in any of the groups he belongs to?
    yes -> then he is denied
    no -> then:
2 - Is the user allowed in any of the groups he belongs to?
    yes -> then he can access
    no -> then he cannot access
0
 

Author Comment

by:LFC1980
OK. So why did the explanation ask to Allow Read for the Sales group?

As I mentioned before, I have not touched my books for a while, so sorry if these questions are obvious.
0
 
LVL 3

Expert Comment

by:mahe2000
I didn't understand the last....
0
 

Author Comment

by:LFC1980
OK, I'll rewrite it and hopefully it's clearer... if not, just let me know what part you cannot understand.


To clear up the 3rd point... If the user is initially allowed the Read permission for a folder named Folder A, and also has the Read permission for a folder called Folder B, and the user is then Denied the Read permission for Folder A:

Now does that mean even though he has been denied the Read permission on Folder A, he is still able to Read on Folder B? Or would he be Denied Read on Folder B as well?


The reason this is confusing me is because I had a question...

A user belongs to 2 groups. These two groups are Engineers and Sales.

This user kept changing the files in a folder called XYZ. So he had to be Denied access to this folder, but you also have to make sure he remains in the groups he is in so he can carry out other tasks.

XYZ has NTFS permissions that allow Administrators Full Control, and Engineers have the Modify permission.
The Share permissions for XYZ allow Everyone the Change permission.

The solution said Deny him Read and Execute (not the whole group, just him).

However, in the explanation of the answer it also goes on to say that, as the user is also in Sales, you have to assign the "Allow Read" permission for Sales, which would be the appropriate setting so as not to affect other users while allowing the user to remain and operate in the groups he is in.

Why is that? What is the reasoning behind allowing Read to the Sales group?

How will his abilities as a Sales member be affected if you only Denied him Read for XYZ?


Hope the above is clearer.
0
 
LVL 38

Expert Comment

by:Rich Rumble
I haven't read through all the posts... NTFS uses the MOST restrictive Access List entry as the "effective" permission.
If your account is in two groups, group1 and group2, and in group1 your permission to read is denied while in group2 you're given read access, you do not have read access even if explicitly allowed in another group. If that right is inherited, sometimes, depending on how the ACLs are read, you may get conflicting results... taking ownership of files can prevent some of these overlaps, see these:
http://www.microsoft.com/technet/technetmag/issues/2006/01/HowITWorksNTFS/?related=y (good links in here too)
http://www.microsoft.com/technet/technetmag/issues/2005/11/HowITWorksNTFS/
-rich

0

 

Author Comment

by:LFC1980
Think it may help if you go over what I've typed.


I'm confused as to why, after the user has been denied Read to a folder in one group (which will result in him being Denied Read even if another group he belongs to has Allow Read), we are giving him Allow Read in another group... surely as Deny takes priority, he will be denied Read in everything (for that folder).

In theory other folders will not be affected by him being Denied Read in another folder... so why is he being allowed Read for another group, when all we have done is deny Read in another folder?
0
 
LVL 38

Expert Comment

by:Rich Rumble
In the article above(second link), you can see the same situation, it's the order in which the DACL is read that the right is applied, nice and confusing ;)
excerpt...
The parent object grants the user Modify, and the grandparent denies Write. The first thing evaluated is the child Deny permissions, and since the user is not denied, the evaluation continues to the child Allow permissions. The child object does not have Allow permissions so the evaluation continues to the parent object. The user has been granted Modify at the parent folder so they are able to open the file.
....
The DACL lists permissions by the object first, followed by the object’s parent, then the grandparent, and so on up the directory tree. Each layer has the Deny permissions listed before the Allow permissions. The evaluation starts at the child and checks the permissions at that level before continuing up the tree. This process goes level by level until one of three things happen:
    * If the evaluation finds a Deny for the requested action, the evaluation stops and the action is denied.
    * If the evaluation finds an Allow for the requested action, the evaluation stops and the action is allowed.
    * If the evaluation made it to the top of the tree and the action does not have an Allow or Deny permission specified, the action is still denied.

File perms can get tricky, especially if users span more than one group and those groups have different
This article may also be helpful
http://technet2.microsoft.com/windowsserver/en/library//d043701a-5a2e-4001-b659-0c23c90f76f61033.mspx#w2k3tr_randp_how_xgvr
-rich
0
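To make the rules in this thread concrete (mahe2000's "is the user denied in any group? then allowed in any group?" check, and the level-by-level, Deny-before-Allow walk in the excerpt above), here is an added simulation of how a DACL is evaluated. It is not code from the thread, from Microsoft, or from the linked articles; the right bits, the principal names and the DACLs are constructed for the example, and the folder XYZ / Engineers / Sales scenario is the one from the question.

```python
"""Simplified model of how an NTFS DACL is evaluated for an access request.

Added example for this thread, not Microsoft's or the thread's own code.
Right bits, trustee names and DACLs below are constructed. Ordering follows
the quoted excerpt: entries set on the object come first, then the parent's,
then the grandparent's, with Deny before Allow at each level; evaluation
stops at the first matching Deny or once every requested right is granted.
"""
from dataclasses import dataclass

# Constructed right bits (not the real NTFS access-mask values).
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS = 1, 2, 4, 8, 16
MODIFY = READ | WRITE | EXECUTE | DELETE
FULL_CONTROL = MODIFY | CHANGE_PERMS


@dataclass(frozen=True)
class Ace:
    trustee: str    # user or group the entry applies to
    allow: bool     # True = Allow entry, False = Deny entry
    rights: int     # bitmask of rights the entry covers
    depth: int = 0  # 0 = set on the object, 1 = inherited from parent, ...


def canonical_order(dacl):
    """Nearest object first; within a level Deny (allow=False) before Allow."""
    return sorted(dacl, key=lambda ace: (ace.depth, ace.allow))


def access_check(dacl, user, groups, requested):
    """True if the user (with these group memberships) gets every requested
    right. Entries for trustees the user does not match are skipped."""
    remaining = requested
    for ace in canonical_order(dacl):
        if ace.trustee != user and ace.trustee not in groups:
            continue
        if not ace.allow:
            # A Deny covering any still-ungranted right ends the check.
            if ace.rights & remaining:
                return False
        else:
            remaining &= ~ace.rights   # Allows from every matching group add up
            if remaining == 0:
                return True
    return remaining == 0              # end of list with rights left over: denied


def effective_rights(dacl, user, groups):
    """Per-right view, like the Effective Permissions tab: test each bit alone."""
    names = {"Read": READ, "Write": WRITE, "Execute": EXECUTE,
             "Delete": DELETE, "Change permissions": CHANGE_PERMS}
    return {n: access_check(dacl, user, groups, bit) for n, bit in names.items()}


# ---- Constructed scenarios from the thread ---------------------------------
USER = "lfc_user"
GROUPS = {"Engineers", "Sales"}

# Question 1: Sales Read, HR Read, Engineers Write. Allows accumulate.
Q1_DACL = [Ace("Sales", True, READ), Ace("HR", True, READ),
           Ace("Engineers", True, WRITE)]

# Folder XYZ NTFS permissions: Administrators Full Control, Engineers Modify.
XYZ = [Ace("Administrators", True, FULL_CONTROL), Ace("Engineers", True, MODIFY)]

# The fix discussed: an explicit Deny of Read and Execute for this one user.
XYZ_DENIED = XYZ + [Ace(USER, False, READ | EXECUTE)]

# Folder B is a separate object with its own DACL; XYZ's Deny never reaches it.
FOLDER_B = [Ace("Sales", True, READ)]

# The excerpt's case: parent grants Modify, grandparent denies Write. The
# parent level is evaluated first, so the Allow is hit before the Deny.
NESTED_FILE = [Ace("Sales", True, MODIFY, depth=1),
               Ace("Sales", False, WRITE, depth=2)]


def demo():
    """Collect the answers to the thread's three questions in one place."""
    return {
        "q1_read_and_write": access_check(Q1_DACL, USER, {"Sales", "HR", "Engineers"}, READ | WRITE),
        "xyz_read_before_deny": access_check(XYZ, USER, GROUPS, READ),
        "xyz_read_after_deny": access_check(XYZ_DENIED, USER, GROUPS, READ),
        "xyz_colleague_unaffected": access_check(XYZ_DENIED, "colleague", {"Engineers"}, READ),
        "folder_b_unaffected": access_check(FOLDER_B, USER, GROUPS, READ),
        "nested_write_allowed": access_check(NESTED_FILE, USER, GROUPS, WRITE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    print("effective on XYZ after deny:", effective_rights(XYZ_DENIED, USER, GROUPS))
```

Two things the run shows that the prose only states: a Deny entry for one user stops only that user (the colleague in Engineers still reads XYZ), and a Deny covers only the bits it names, so `effective_rights` on XYZ after the deny still reports Write and Delete as allowed through the Engineers Modify entry while Read and Execute are refused. The Sales group never enters into the XYZ evaluation at all, which is why the "Allow Read for Sales" step in the exam answer has no effect on the outcome in this model.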
 

Author Comment

by:LFC1980
Sorry mate, I have read that and it's still not clear.

In the situation i had,

- The user is in 2 different groups (Engineers and sales)
- We have one folder called XYZ
- NTFS Perms for XYZ: Admins = Full control, Engineers = Modify
- Share perms For XYZ: Everyone = Change
- He keeps changing a file inside XYZ
- He needs to be stopped from accessing XYZ
- His group membership should not be changed
- Others in the groups should not be affected

Solution = Deny the USER the ability to Read


That's where I would end the answer, and from what I've studied so far (MCDST), that's where I would expect the answer to end.


BUT in this example it goes on to say "To accommodate the user's needs, since he forms part of both Engineers and Sales, you should configure the NTFS permissions to assign the Allow Read to Sales, which would be the appropriate setting so others do not get affected, while allowing the user to remain in Sales."


So, what has Sales got to do with anything? All we did was deny him Read, it shouldn't affect any other user/groups, should it?

New question: the user wasn't even in the ACL, so how can we deny him? They must have denied the Engineers group Read, yes/no? If so, surely it affects other users.



I wish these questions were a bit more clear, it's not like you have access to Experts exchange in an exam


Sorry once again if that link explained everything, but I can't make sense of it.


Help

*is very confused*
0
 
LVL 38

Expert Comment

by:Rich Rumble
It's tricky, and also the part where the example goes on to say "to accommodate..." seems incorrect. Is this a brain-dump? Where folks go to take tests and write the questions down to later answer them... they are often wrong, even certified M$ materials have been wrong...

Look at the bottom for "Permission Precedence"
http://www.windowsecurity.com/articles/Understanding-Windows-NTFS-Permissions.html
Summary
Permissions are almost the same from Windows NT’s NTFS 4.0 to Windows 2000/XP/2003’s NTFS 5.0. One of the main differences is the way that permissions inherit down through the structure with inherited and explicit permissions. It used to be that, if there was a Deny permission on the ACL, it was always evaluated first, then the Allow permissions would follow. Now, the permission hierarchy must be evaluated considering not only the Deny vs. Allow, but whether the permission is explicitly set or inherited down from a parent resource.
http://www.samspublishing.com/content/images/0789728494/webresources/A010804.html
-rich
0
 

Author Comment

by:LFC1980
Yes mate, they are.

Do you think this question is wrong? If so, would you just do as I thought it would be, i.e. just deny Read to the user? If so (yes, "if so" again... sorry), shouldn't the user have been in the ACL too?
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 150 total points
Yes, deny the user, don't trust braindumps ;)
-rich
0
 

Author Comment

by:LFC1980
Should the user himself have been in the ACL to deny only him Read, though?
0
