andre_st

Question about NTFS permission

I am trying to figure out several different scenarios of permission settings, and how to know which permission takes precedence over another. Now I have been testing this a lot, but sometimes it seems like I am not getting any logic into this. For example I have often read that if a user is a member of two groups, the group with the more restrictive permission takes precedence. Then there is the thing about inherited permission vs explicit permission - where explicit should take precedence over the other...

What happens in the following scenarios (On a computer client, joined to a domain)?

NTFS permission of a folder:
Administrator group : Inherited, Full Control
Users (builtin group) : Inherited, Read and Execute
Users (builtin group) : Explicit, Read.

In the above case, if a user is both a member of the Administrator Group and the Users group - what happens with the NTFS permissions of the administrators group? If Explicit permissions always take precedence over the Inherited, do the users in the administrators group suddenly lose some of their permissions?

Another similar scenario is when the group "users (builtin)" has inherited read and execute permission on a folder, and I need to prevent this. Then I have the possibility of going into the advanced option and clearing the box where it says "include permission from the parent object". But if I do that, ALL users and groups are removed - even the "SYSTEM" user account. Now why would anyone want to exclude the system account to begin with? Risking that the folder gets unusable, and cannot be deleted? Then again, I could specifically deny the "User group" permission to the folder - but how will that affect other specific users or groups which I want to allow access to this folder? Since every user in the domain automatically becomes a part of the "User Group (builtin)", through the "Domain Members group" - this explicit deny permission would take precedence over all other group permissions?

SOLUTION
Glen Knight
This solution is only available to members.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
andre_st

ASKER

Thanks a lot for your replies!

I have been reading a lot about this subject on the Internet, and in books. But I mostly found the explanations a bit confusing. But reading your answer - it suddenly made sense ;-)

I haven't had the time to test this in action, but I am assuming that you are right about this. Therefore I will close the question, and award you well deserved points.

Cheers!