Discussion in 'Windows Server 2003 / 2008 / 2012 / 2016' started by Cartman, Oct 30, 2003.

  1. Cartman

    Cartman Byte Poster

    I'm afraid it's me again with yet another question....somebody ask me something I know!!

    Access Permissions - I thought I had this straight until I re-read the book, so if anyone out there is a permissions whiz - this one's for you!

    Hope I explain it OK.

    What I know: Access to an object locally NTFS permissions apply - and are cumulative depending on what groups you belong to (assuming none are 'Deny')

    Access to an object over a share (or remotely) - Share permissions apply (and again cumulatively depending on what groups.

    Now I also know that determining permissions the most restrictive of permissions between Share and NTFS apply.

    My course book says Share permissions override NTFS permissions when the object is accessed over a share.

    Now the bit I don't know: How on earth does what my course book says tie in with the 'most restrictive' procedure between Share and NTFS?? If you are comparing Share and NTFS you MUST be accessing the object remotely - so why is the book effectively saying that when accessing remotely NTFS doesn't apply - surely it does?

    Confused? Just a little... :helpread
  2. Phil
    Honorary Member

    Phil Gigabyte Poster

    Think of the share as the doorway to the ntfs file and folder structure on the HDD, if you only have read permissions at the share yet full control in the ntfs permissions then you are only ever going to be able to read the files in the folder structure because the share / doorway has restricted you at your point of entry.

    If the situation was reversed where you had full control on the share and only read on the ntfs then as far as the share is concerned you can do anything but the ntfs will only let you read. The beauty of ntfs though is that it is more granular, a share will give you full access to all the files or access to none of the files, with ntfs you can define different access to different files within the same share. Give the Domain users group full control to the share then restrict access to the HR folders to a HR group in ntfs. However if you then set the Share perms for Domain Users to read by accident, Only HR would still be able to acces the HR folder, but they will only be able to read the files within not modify because the share permissions will restrict them.

    I've gone all round the houses with that explanation but hope it helps.
    Certifications: MCSE:M & S MCSA:M CCNA CNA
    WIP: 2003 Upgrade, CCNA Upgrade
  3. Cartman

    Cartman Byte Poster

    Thanks Phil, yes it does. I had the view of it all straight in my head and you articulated that perfectly.

    I thought the book was talking outta it's a**e as access to an object remotely is still reliant on what NTFS permissions there are on that object. So access through share doesn't mean the share permissions override the NTFS permissions.

    Thanks a lot. I can sleep now! :-)
  4. flex22

    flex22 Gigabyte Poster

    Comes into effect.That is, when you are sat at your computer locally, only NTFS permissions apply.

    Taking Phil's example, if a member of the HR group was accessing the HR folder locally, then he would get Full Control, no matter what the share said, because share permissions only come into effect when you are accessing an object remotely.

    So even changing the Domain Users share to read will have no effect on a member of the HR group when accessing the HR folder when sat at the machine on which the HR folder resides.

    But, like in Phil's example if the HR user is accessing the folder remotely then indeed the share permission has an effect.

    Balls I go on don't I :D

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.