NTFS permissions

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hi all

With NTFS permissions and groups - is it the case that the most restrictive permission applies?

e.g.

1 Share - with two groups - Read/Modify. User is in both groups - is their overall permission the most restrictive, i.e. read?

Also - the effective permissions tab - should this show read if you put the user in there?

Many thanks for any help!

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

no, in this case they woul have modify rights. however, a deny overrules all other permissions.

 

Yep the second example i think is what i am asking - there is one share with two groups on. Two groups are there, one with read rights, and one with modify rights. The user is a member of both groups - so they have read rights?

 

they will have which rights is mist restrictive... in this case, it would be read (i think)

 

That shouldnt be the case, no. I have situations at work where we have Directory which gives the basic project users group read access to everything, with write access being granted by specific groups. In order to grant the write access, we simply add them to the specific group the structure is like below:


Directory1
(users RO)
SubDirectory1
(users RO, SD1 Write)
SubDirectory2
(users RO, SD2 Write)

Adding them to users give them read only access to all three areas. adding them to SD1 or SD2 gives them write access to the specific SubDirectories, but they still need to be a member of users in order to get access to the area at all (since if they arent a member of users they cannot open Directory1).

So if you are in two groups that give access to a directory, and one gives read whilst another gives write, then you have write access to the directory. Unless, that is, the read group specifically states a deny on write (remember that there are essentially three states on an ACL permission: 'Allow', 'Deny', and 'Not Specified' - Not Specified is where neither the allow or deny option is ticked, it will function like a deny, unless another ACL provides an allow).

Do you follow what i mean?