1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

NTFS permissions

Discussion in 'Software' started by steveh2001, Mar 15, 2007.

  1. steveh2001

    steveh2001 Byte Poster

    204
    3
    22
    Hi all

    With NTFS permissions and groups - is it the case that the most restrictive permission applies?

    e.g.

    1 Share - with two groups - Read/Modify. User is in both groups - is their overall permission the most restrictive, i.e. read?

    Also - the effective permissions tab - should this show read if you put the user in there?

    Many thanks for any help!
     
    Certifications: A+,N+,CommVault,MCSA/MCSE 2003,VCP 4.1.
    WIP: ?
  2. Fergal1982

    Fergal1982 Petabyte Poster

    4,196
    171
    211
    no, in this case they woul have modify rights. however, a deny overrules all other permissions.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  3. AJ

    AJ Administrator Administrator

    6,771
    102
    221
    Fergal is right if the user is in groups that have read/modify rights on that folder. Read is actually part of the modify permission anyway.

    Now if the user was in one group that had modify rights on a file/folder and in a different group that had read only rights on the same file/folder, then their effective permissions would be read only. And as Fergal said Deny overules any other permission.
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Looking at doing ..................
  4. steveh2001

    steveh2001 Byte Poster

    204
    3
    22

    Yep the second example i think is what i am asking - there is one share with two groups on. Two groups are there, one with read rights, and one with modify rights. The user is a member of both groups - so they have read rights?
     
    Certifications: A+,N+,CommVault,MCSA/MCSE 2003,VCP 4.1.
    WIP: ?
  5. Mr.Cheeks

    Mr.Cheeks 1st ever Gold Member! Gold Member

    5,369
    85
    190
    they will have which rights is mist restrictive... in this case, it would be read (i think)
     
  6. Fergal1982

    Fergal1982 Petabyte Poster

    4,196
    171
    211
    That shouldnt be the case, no. I have situations at work where we have Directory which gives the basic project users group read access to everything, with write access being granted by specific groups. In order to grant the write access, we simply add them to the specific group the structure is like below:


    Directory1
    (users RO)
    SubDirectory1
    (users RO, SD1 Write)
    SubDirectory2
    (users RO, SD2 Write)

    Adding them to users give them read only access to all three areas. adding them to SD1 or SD2 gives them write access to the specific SubDirectories, but they still need to be a member of users in order to get access to the area at all (since if they arent a member of users they cannot open Directory1).

    So if you are in two groups that give access to a directory, and one gives read whilst another gives write, then you have write access to the directory. Unless, that is, the read group specifically states a deny on write (remember that there are essentially three states on an ACL permission: 'Allow', 'Deny', and 'Not Specified' - Not Specified is where neither the allow or deny option is ticked, it will function like a deny, unless another ACL provides an allow).

    Do you follow what i mean?
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present

Share This Page

Loading...