1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

effective ntfs permissions

Discussion in 'MCDST' started by david248005, Mar 14, 2008.

  1. david248005

    david248005 Bit Poster

    18
    0
    9
    Hi
    In the Microsoft Training kit book it states that the effective ntfs permission is the highest one when combined with lower ones. However I have just watched a CBT Nuggets video and it seems to say that the reverse applies!!. Which one is true, or is my brain just fried and confused. Never had to deal with this stuff before and I am trying to learn this entire chapter out of the book

    TIA
     
    WIP: MCDST, OU T175 & M150,
  2. Tinus1959

    Tinus1959 Gigabyte Poster

    1,539
    42
    106
    If you combine NTFS permissions the outcome is the logical sum of the individual permissions.
    If you combine NTFS with Shares, the most restrictive is the result.

    Does this help?
     
    Certifications: See my signature
    WIP: MCSD, MCAD, CCNA, CCNP
  3. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    Are you sure you're not seeing something on combining NTFS and share permissions? That's different than just combining NTFS permissions.

    Your effective NTFS permission level is the highest NTFS permissions you have been granted, either through your username OR through the groups to which you belong. Example: if you've got Read permissions on a file, and a group to which you belong has Full Control permissions, then you would have Full Control permissions.

    The only exception to this is if you or any groups to which you belong are assigned the DENY permission; a DENY will override any ALLOW. Example: if you've got Read permissions on a file, and a group to which you belong has DENY ALL permissions, then you will have no permissions.

    When combining NTFS and share permissions, the MOST restrictive permission applies. Example: if you have Full Control share permissions on a share, and Read NTFS permissions on the shared folder, then you'd only have Read permissions.

    Keep in mind that share permissions DO NOT APPLY when working directly on the computer; only NTFS permissions would apply. When accessing a file or folder over the network, both NTFS and share permissions apply.

    Most administrators set up their permissions so that the Everyone group has Full Control on the share, and explicit permissions are configured at the NTFS level. It's done this way instead of in reverse (meaning, Full Control on NTFS, and explicit share permissions) because of what I said in the previous paragraph: NTFS permissions apply whether accessing a computer over a network or interactively at the keyboard... share permissions only apply over a network, not when working directly on the computer.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  4. david248005

    david248005 Bit Poster

    18
    0
    9
    Thanks Tinus and Micheal for the speedy and informitive responses.
    As youb have guessed I was confusing share permissions with ntfs.
    I understand it now, I think.
    I'm finding this section so hard. Just trying to read and understand as well as just going over and over and over it. Think I've done too much for the day.

    Thanks again
     
    WIP: MCDST, OU T175 & M150,
  5. TimoftheC

    TimoftheC Kilobyte Poster

    408
    9
    46
    Great reply Michael - even I understood it :D

    David - yep, that paragraph is a toughie and soooo damn boring. Gota admit I skipped it because I knew what it was going to be like and kept reading the other stuff. I plan to devote a lot of time to the ntfs permissions/shares when I've got the rest of the book down, as fully understanding the permissions part seems quite critical to the exam. Gota admit though that I've found the MCDST tough going to date as the Microsft Training Kit book is just so damn, well, bland!!
     
    Certifications: A+; Network+
    WIP: MCDST???
  6. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    It's my job to write things so people can understand them. ;)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  7. Bambino1506

    Bambino1506 Megabyte Poster

    594
    8
    64

    Repeated for truth.

    Nice post BM.
     
    Certifications: MCP,MCDST,MCSA
    WIP: CCA
  8. Starke

    Starke Nibble Poster

    59
    2
    12
    Everything you said was good except for this. A DENY will NOT override any allow. An explicit ALLOW with override an inherited DENY. Here is the order of highest power to lowest:

    Explicit Deny
    Explicit Allow
    Inherited Deny
    Inherited Allow

     
    Certifications: MCSE:Messaging/Security, Net+, Security+
  9. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    You misunderstand what I am saying. I'm not even talking about an OBJECT'S inheritance from parent objects, here. I'm talking about a USER'S permissions based on group membership. Although you are correct in what you are saying, you're adding another layer to the calculation.

    What I'm saying is, AFTER you've figured out the explicit and inherited permissions for an object, HERE is how you figure up what a user's effective permissions are based on user permissions and group membership.

    One step at a time... you don't throw Organic Chemistry at a General Chemistry student, and you don't throw Physical Chemistry at an O-Chem student.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  10. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,871
    167
    256
    I think Starke makes a valid point.

    Understanding Windows NTFS Permissions
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  11. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    He does... but you guys aren't listening... if he's having trouble just figuring out NTFS alone, much less NTFS vs. Shared, then you're likely to further confuse him by adding another wrench UNTIL you figure out if he's got what we've said so far. You're putting the cart before the horse if you do.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  12. Starke

    Starke Nibble Poster

    59
    2
    12
    Whether you are going for your A+, Network+ or MCDST I think you should fully understand NTFS. He asked about effective permissions and what I mentioned is a part of that.

     
    Certifications: MCSE:Messaging/Security, Net+, Security+
  13. Tinus1959

    Tinus1959 Gigabyte Poster

    1,539
    42
    106
    Working with rights in what ever combination is considered one off the most complex things in windows. My students have basically two fields of problems: users and groups, and permissions.
     
    Certifications: See my signature
    WIP: MCSD, MCAD, CCNA, CCNP
  14. Ropenfold

    Ropenfold Kilobyte Poster

    271
    7
    52
    It seems I'm not the only one who was getting confused with Permissions, NTFS and Shared folders.

    I've been sitting bashing my head off the proverbial wall for the last couple of days as well about this.

    Cheers BosonMichael, You've explained it better than the two books I have, I'm gonna put that post in my revision stuff!

    :D
     
    Certifications: BSC (Hons), A+, MCDST, N+, 70-270,
    WIP: ITIL V3
  15. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    I am glad it has been useful to several of you. :)

    Once you completely understand the concepts in my post, add in the layer that Starke described regarding parent folder inheritance, and you'll have the essentials that you need to know regarding permissions.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  16. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    6,281
    85
    174
    Great Post guys - rep left. :)
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  17. russ-t-2000

    russ-t-2000 Bit Poster

    18
    0
    16
    Nice one,thanks for the concise info,I just printed that one off too!!
     
    Certifications: MCP MCDST
    WIP: 70-261 MCITP or could be 70-620 !!!

Share This Page

Loading...