1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Another NTFS permissions question

Discussion in 'General Microsoft Certifications' started by spoovy, Mar 1, 2011.

  1. spoovy

    spoovy Bit Poster

    41
    0
    16
    On my XP SP3 box. As a way of learning file permissions better i've been messing around with them a bit, and i've come to a situation which I don't understand.

    I set permissions for my C drive so that only two groups have any kind of access at all - System and Administrators. These both have Full Control, and I set it so permissions propagated all the way down from C:\.

    Then when I logged on as my regular user, who is in group "Administrators", my desktop was messed up. No panel, no network access etc). But surely as member of Admin group, which has Full Control, there should be no files anywhere in the system inaccessible, right?

    As a test I added the group "Users" back in at root directory level, gave it read & execute, list contents, and read permissions, logged back in and everything appears to work fine again.

    What am I missing here?

    Thanks in advance
     
    Certifications: MCDST
    WIP: CCNA
  2. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    14,283
    254
    329
    don't you need to log off and log back on again when you have assigned group permissions to make them active?
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  3. spoovy

    spoovy Bit Poster

    41
    0
    16
    Yes, I did so. I rebooted.
     
    Certifications: MCDST
    WIP: CCNA
  4. Big Brotha

    Big Brotha Bit Poster

    43
    0
    7
    Did you assign the "DENY" permission to the "Users" group?
    and
    Is the 'regular user' account in the "Users" group?
     
  5. spoovy

    spoovy Bit Poster

    41
    0
    16
    Well no, obviously, as the desktop worked again after I added "Users" group permissions. But thats irrelevant anyway isn't it? The confusing part is why it didn't work in the first place, before I had to add the "Users" group into the Access Control List.

    As I understand it the "Users" group contains everyone in the Domain User and Local User groups, so yes. Also note that the "regular user" is an Administrator (as in, a member of group "Administrators").

    It's clear that the additional permissions gained by adding "Users" group permissions fixed the problem. The question is why didn't it work before, when the administrative user should have already had full control over every file as a result of what I explained in my original post.
     
    Last edited: Mar 2, 2011
    Certifications: MCDST
    WIP: CCNA
  6. Apexes

    Apexes Gigabyte Poster

    1,051
    78
    141
    Are you running this in an actual live domain enviornment?

    Perhaps post some screenshots of the security structure on the C: drive, and a breakdown of users and what groups their in.
     
    Certifications: 70-243 MCTS: ConfigMgr 2012 | MCSE: Private Cloud
  7. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    14,283
    254
    329
    This. It may be that you have missed something like the fact that the lowerst permission set is the one that main permission so thats why its not working right.

    Post some shots of the NTFS permissions and the group permissions.
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  8. spoovy

    spoovy Bit Poster

    41
    0
    16
    It's not in a domain, not even a workgroup. I tried to keep things as simple as possible to limit varables.

    First pic shows effective permissions for user spoovy, who is a member of group "Administrators", 2nd shows group "Users". Both sets of permissions were cascaded down to all child objects from C:\.

    [​IMG]

    [​IMG]


    See what I mean! How can the second set of permissions have added anything?? User spoovy already had full control of everything.

    I'm guessing that there must be some conditions where child objects do not inherit their parent's permissions even when specifically set to do so.
     
    Last edited: Mar 2, 2011
    Certifications: MCDST
    WIP: CCNA
  9. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    14,283
    254
    329
    Your admin has full control but the same users highest permission in the users group is read and execute therfore he can only read and execute if I am seeing everything correctly.
     
    Last edited: Mar 2, 2011
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  10. nugget
    Honorary Member

    nugget Junior toady

    7,796
    71
    224

    I think you'd better read up on permissions GBL. Generally ntfs permissions are cumulative, allowing the greatest access possible from the sets of permissions. This means that if the user group only had read access and the same user was in the admin group with full control then he should have full control as that is the highest permission allowed by combining all the permissions. The exception to this is of course the deny permission, which when you set this explicitly overrides everything.
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  11. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    14,283
    254
    329
    ooops yep sorry but if he has the other permissions blank then doesn't that set it as deny?
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  12. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    Nope. Deny is not the same as not marking Allow. You have to explicitly choose Deny if you want to Deny (thereby overriding an Allow).
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  13. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    14,283
    254
    329
    ahh ok, I get it now. Thanks
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  14. spoovy

    spoovy Bit Poster

    41
    0
    16
    So, anyone know the answer?
     
    Certifications: MCDST
    WIP: CCNA
  15. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    Yep. Click Advanced Permissions and see what's there.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  16. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,871
    167
    256
    he did Mike, it's in the first screen dump and everything is ticked.

    Maybe you'll just have to put this down to Windoze, not behaving logically :scratch
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  17. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    I mean that he should look at the Permissions tab, which he did not show. That'll indicate whether permissions are being inherited or not. If the box isn't checked, it's not passing parent permissions to child objects.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  18. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,871
    167
    256
    Check post number 8.. scroll over to the right and you will see he did post a screen dump of the advanced security settings and as i said, they are all ticked.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  19. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    You're missing my point... I'm not talking about the Effective Permissions tab... I'm talking about the Permissions tab. He wants to know why some folders inherit and some don't. So he needs to look to see what's checked on the Permissions tab.

    EDIT:
    [​IMG]
     
    Last edited: Mar 3, 2011
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  20. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,871
    167
    256


    Gotcha now Mike, sorry it was early and i was half asleep :oops:
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)

Share This Page

Loading...