effective ntfs permissions

Discussion in 'MCDST' started by david248005, Mar 14, 2008.

  1. david248005

    david248005 Bit Poster

    Hi
    In the Microsoft Training kit book it states that the effective NTFS permission is the highest one when combined with lower ones. However I have just watched a CBT Nuggets video and it seems to say that the reverse applies!! Which one is true, or is my brain just fried and confused? Never had to deal with this stuff before and I am trying to learn this entire chapter out of the book.

    TIA
     
    WIP: MCDST, OU T175 & M150,
  2. Tinus1959

    Tinus1959 Gigabyte Poster

    If you combine NTFS permissions the outcome is the logical sum of the individual permissions.
    If you combine NTFS with Shares, the most restrictive is the result.

    Does this help?
     
    Certifications: See my signature
    WIP: MCSD, MCAD, CCNA, CCNP
  3. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    Are you sure you're not seeing something on combining NTFS and share permissions? That's different than just combining NTFS permissions.

    Your effective NTFS permission level is the highest NTFS permissions you have been granted, either through your username OR through the groups to which you belong. Example: if you've got Read permissions on a file, and a group to which you belong has Full Control permissions, then you would have Full Control permissions.

    The only exception to this is if you or any groups to which you belong are assigned the DENY permission; a DENY will override any ALLOW. Example: if you've got Read permissions on a file, and a group to which you belong has DENY ALL permissions, then you will have no permissions.

    When combining NTFS and share permissions, the MOST restrictive permission applies. Example: if you have Full Control share permissions on a share, and Read NTFS permissions on the shared folder, then you'd only have Read permissions.

    Keep in mind that share permissions DO NOT APPLY when working directly on the computer; only NTFS permissions would apply. When accessing a file or folder over the network, both NTFS and share permissions apply.

    Most administrators set up their permissions so that the Everyone group has Full Control on the share, and explicit permissions are configured at the NTFS level. It's done this way instead of in reverse (meaning, Full Control on NTFS, and explicit share permissions) because of what I said in the previous paragraph: NTFS permissions apply whether accessing a computer over a network or interactively at the keyboard... share permissions only apply over a network, not when working directly on the computer.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  4. david248005

    david248005 Bit Poster

    Thanks Tinus and Michael for the speedy and informative responses.
    As you have guessed I was confusing share permissions with NTFS.
    I understand it now, I think.
    I'm finding this section so hard. Just trying to read and understand as well as just going over and over and over it. Think I've done too much for the day.

    Thanks again
     
    WIP: MCDST, OU T175 & M150,
  5. TimoftheC

    TimoftheC Kilobyte Poster

    Great reply Michael - even I understood it :D

    David - yep, that paragraph is a toughie and soooo damn boring. Gotta admit I skipped it because I knew what it was going to be like and kept reading the other stuff. I plan to devote a lot of time to the NTFS permissions/shares when I've got the rest of the book down, as fully understanding the permissions part seems quite critical to the exam. Gotta admit though that I've found the MCDST tough going to date as the Microsoft Training Kit book is just so damn, well, bland!!
     
    Certifications: A+; Network+
    WIP: MCDST???
  6. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    It's my job to write things so people can understand them. ;)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  7. Bambino1506

    Bambino1506 Megabyte Poster


    Repeated for truth.

    Nice post BM.
     
    Certifications: MCP,MCDST,MCSA
    WIP: CCA
  8. Starke

    Starke Nibble Poster

    Everything you said was good except for this. A DENY will NOT override any allow. An explicit ALLOW will override an inherited DENY. Here is the order of highest power to lowest:

    Explicit Deny
    Explicit Allow
    Inherited Deny
    Inherited Allow

     
    Certifications: MCSE:Messaging/Security, Net+, Security+
  9. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    You misunderstand what I am saying. I'm not even talking about an OBJECT'S inheritance from parent objects, here. I'm talking about a USER'S permissions based on group membership. Although you are correct in what you are saying, you're adding another layer to the calculation.

    What I'm saying is, AFTER you've figured out the explicit and inherited permissions for an object, HERE is how you figure up what a user's effective permissions are based on user permissions and group membership.

    One step at a time... you don't throw Organic Chemistry at a General Chemistry student, and you don't throw Physical Chemistry at an O-Chem student.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  10. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    I think Starke makes a valid point.

    Understanding Windows NTFS Permissions
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  11. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    He does... but you guys aren't listening... if he's having trouble just figuring out NTFS alone, much less NTFS vs. Shared, then you're likely to further confuse him by adding another wrench UNTIL you figure out if he's got what we've said so far. You're putting the cart before the horse if you do.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  12. Starke

    Starke Nibble Poster

    Whether you are going for your A+, Network+ or MCDST I think you should fully understand NTFS. He asked about effective permissions and what I mentioned is a part of that.

     
    Certifications: MCSE:Messaging/Security, Net+, Security+
  13. Tinus1959

    Tinus1959 Gigabyte Poster

    Working with rights in whatever combination is considered one of the most complex things in Windows. My students have basically two fields of problems: users and groups, and permissions.
     
    Certifications: See my signature
    WIP: MCSD, MCAD, CCNA, CCNP
  14. Ropenfold

    Ropenfold Kilobyte Poster

    It seems I'm not the only one who was getting confused with Permissions, NTFS and Shared folders.

    I've been sitting bashing my head off the proverbial wall for the last couple of days as well about this.

    Cheers BosonMichael, You've explained it better than the two books I have, I'm gonna put that post in my revision stuff!

    :D
     
    Certifications: BSC (Hons), A+, MCDST, N+, 70-270, 98-364, CLF-C01
    WIP: ISC2 CC, Security+
  15. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    I am glad it has been useful to several of you. :)

    Once you completely understand the concepts in my post, add in the layer that Starke described regarding parent folder inheritance, and you'll have the essentials that you need to know regarding permissions.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
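
Added example (not written by any poster in this thread): a small Python model of the rules from BosonMichael's explanation (union of ALLOWs across user and groups, DENY overriding ALLOW, most restrictive of share and NTFS over the network, NTFS only when local) combined with the precedence order Starke listed. The `Rights` values, the `Ace` class and the names "dave" and "Staff" are assumptions made for illustration; real Windows ACLs use access-mask bits and SIDs, and share permissions are reduced here to a single rights mask.

```python
from dataclasses import dataclass
from enum import IntFlag

class Rights(IntFlag):  # simplified stand-ins, not real NTFS access-mask bits
    NONE = 0
    READ = 1
    WRITE = 2
    EXECUTE = 4
    DELETE = 8
    CHANGE_PERMS = 16
    MODIFY = READ | WRITE | EXECUTE | DELETE
    FULL = MODIFY | CHANGE_PERMS

@dataclass(frozen=True)
class Ace:
    trustee: str             # user or group name (constructed)
    allow: bool              # True = ALLOW entry, False = DENY entry
    rights: Rights
    inherited: bool = False  # True if the entry came from a parent folder

def ntfs_effective(acl, user, groups):
    """Order: explicit deny, explicit allow, inherited deny, inherited allow."""
    who = {user, *groups}
    mine = (a for a in acl if a.trustee in who)
    granted = denied = Rights.NONE
    for ace in sorted(mine, key=lambda a: (a.inherited, a.allow)):
        if ace.allow:   # grant only rights not already denied
            granted |= ace.rights & (Rights.FULL ^ denied)
        else:           # deny only rights not already granted
            denied |= ace.rights & (Rights.FULL ^ granted)
    return granted

def effective(acl, user, groups, share=None):
    """share=None is local access (NTFS only); otherwise most restrictive wins."""
    ntfs = ntfs_effective(acl, user, groups)
    return ntfs if share is None else ntfs & share

def demo():
    # Constructed ACLs: user "dave" is a member of group "Staff".
    union = [Ace("dave", True, Rights.READ), Ace("Staff", True, Rights.FULL)]
    deny = [Ace("dave", True, Rights.READ), Ace("Staff", False, Rights.FULL)]
    inh = [Ace("dave", True, Rights.READ), Ace("Staff", False, Rights.FULL, True)]
    return {
        "union": effective(union, "dave", ["Staff"]),
        "deny": effective(deny, "dave", ["Staff"]),
        "explicit_allow_vs_inherited_deny": effective(inh, "dave", ["Staff"]),
        "network_read_share": effective(union, "dave", ["Staff"], share=Rights.READ),
    }
```
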
  16. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Great Post guys - rep left. :)
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  17. russ-t-2000

    russ-t-2000 Bit Poster

    Nice one, thanks for the concise info, I just printed that one off too!!
     
    Certifications: MCP MCDST
    WIP: 70-261 MCITP or could be 70-620 !!!
