Server 2003 permissions question

Discussion in 'Windows Server 2003 / 2008 / 2012 / 2016' started by robyale, Nov 27, 2007.

  1. robyale

    robyale New Member

    Hi folks,

    This is my first post, and hopefully I've done so in the right area!

    Here is my question:

    There is a shared folder called "Data" and a user named "Fred". Fred is not a member of any groups yet. There are 3 groups; Sales, Marketing and Executive.

    Permissions are as follows:

    Group        NTFS Permissions    Share Permissions
    ---------    ----------------    -----------------
    Everyone     Read                Read
    Sales        Read & Execute      Change
    Marketing    Read/Write          Full Control
    Executive    Read & Execute      Read


    We want Fred to be able to make changes to files in the Data folder. What to do?

    Apparently, the answer to the question is: Add Fred to the Sales group, and assign Allow Write NTFS permission to the sales group.

    My confusion is with the presence of the Everyone group with the default Read permission. My understanding is that the resulting permission between Share and NTFS would be the most restrictive. So it seems to me that even if Fred is in the Sales group, and you add Allow Write, the Everyone Read permission would rule. Not only that, but the Sales group has a share permission of Read and Execute, so wouldn't that also nullify the NTFS Allow Write?

    Help will be much appreciated!

    Thanks,

    Rob Yale :confused3:
     
  2. Modey

    Modey Terabyte Poster

    Welcome to CF. I found the formatting on your table of permissions a bit confusing and so I won't comment on the actual answer but on some points in your analysis of it. You are right about the most restrictive permission applying between share and NTFS permissions yes, but only if the share is being accessed across the network. Only NTFS permissions would apply if the user was actually on the PC/Server in question.

    Remember the rule about the most restrictive permissions only applies when combining share & NTFS, not when analysing, say, just the NTFS permissions for a person.

    So if Everyone read was applied for NTFS, and then Sales was given write, then sales would be able to write. They wouldn't be restricted by the Everyone read.

    Of course, as soon as you start to use Deny permissions they do override all other permissions.

    So if you set the Everyone group to Deny Read, then even if Sales was added with Full Control on the same set of permissions, the members of that group would still be affected by the deny that applies to ... everyone.
     
    Certifications: A+, N+, MCP, MCDST, MCSA 2K3, MCTS, MOS, MTA, MCT, MCITP:EDST7, MCSA W7, Citrix CCA, ITIL Foundation
    WIP: Nada
  3. dales

    dales Terabyte Poster

    Perhaps the original question gave a hint as to how the users would log on, as it seems, as per the above post, they should have mentioned somewhere about users logging on locally.
     
    Certifications: vExpert 2014+2015+2016,VCP-DT,CCE-V, CCE-AD, CCP-AD, CCEE, CCAA XenApp, CCA Netscaler, XenApp 6.5, XenDesktop 5 & Xenserver 6,VCP3+5,VTSP,MCSA MCDST MCP A+ ITIL F
    WIP: Nothing
  4. robyale

    robyale New Member

    I'll re-do the question so that it's exactly like in the book (ExamCram 70-290, page 159).

    On a Windows Server 2003 computer, you have a shared folder called APP1. At this time, Joe does not belong to the Sales, Marketing, or Executive group. You set the NTFS and APP1 as shown in the following table:


    Group        NTFS Permissions    Share Permissions
    ---------    ----------------    -----------------
    Everyone     Read                Read
    Sales        Read & Execute      Change
    Marketing    Read/Write          Full Control
    Executive    Read & Execute      Read


    You want Joe to be able to make changes to the files in the APP1 folder. What should you do?

    A. Assign Joe to the Sales group and assign Allow Write NTFS permission to the Sales group.

    B. Assign Joe to the Executive group and assign the Allow Write NTFS permission to the Executive group.

    C. Assign Joe to the Executive group and assign the Change share permission to the Executive group.

    D. Assign the Full Control share permission to Everyone.


    And the answer according to the book:

    11. Answer A is correct. To be able to make changes to the files, Joe will need the Read and Write (or Full Control) NTFS permission and the Change (or Full Control) Share permission. One way would be to add Joe to the Marketing group, but this is not one of the options. Of the options shown, you would assign Joe to the Sales group. This gives the Change Share permission, but not the NTFS permission. Therefore, you would also have to add the Write NTFS permission for the Sales group.

    Thanks again. All your help is appreciated.

    Rob
     
  5. dales

    dales Terabyte Poster

    Ah, I kinda see where they are going with this; the answer is also in the list of options (if you view them as a whole), but I'm still not quite getting it. I've posted previously about typos in books and apparently they produce lists of known typos, so it might be worth checking out the Exam Cram site to see if you have found one.
    EDIT
    "Ah, now the picture's loaded, yes, that does make sense now, as Write perms allow you to write into already created docs and create new docs; it doesn't allow you to modify things like filenames of existing docs, which is similar for the Change share perm."
     
    Certifications: vExpert 2014+2015+2016,VCP-DT,CCE-V, CCE-AD, CCP-AD, CCEE, CCAA XenApp, CCA Netscaler, XenApp 6.5, XenDesktop 5 & Xenserver 6,VCP3+5,VTSP,MCSA MCDST MCP A+ ITIL F
    WIP: Nothing
  6. robyale

    robyale New Member

    I actually just checked the publisher's site, entered the book's ISBN, but found no errata listed.

    Rob
     
  7. robyale

    robyale New Member

    Ok, I think it's starting to sink in. Are Share and NTFS permissions INDEPENDENTLY cumulative? So, if a person is a member of Everyone, and a member of Sales, and that person is granted Allow Read share perm through Everyone, and granted Full Control through Sales, is the resultant SHARE permission now Full Control?

    If so, does that mean the resultant Share permission, plus the resultant NTFS permission yield the more restrictive of the two?

    Rob
     
  8. Sparky

    Sparky Zettabyte Poster Moderator

    Also worth noting how you are accessing the data.

    Let’s say you access a share located on a server. You have read only permission in the ‘share’ and full control for NTFS. You would have read only permission to the data.

    If you logged onto the server itself (at the actual machine) you then don’t have to consider share permissions therefore you would have full control as part of the NTFS permissions.

    Also on ‘real’ networks many administrators give the everyone group full control in the share permissions and then control access with NTFS permissions. 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  9. robyale

    robyale New Member


    Ok, I did a bunch of experiments on my virtual servers, and bit by bit, it's starting to get clearer. But the one thing that's muddying the waters, right now, is the permissions on the test user I created.

    When I look at the effective perms on JBlow, even when I uncheck all the Allow boxes and remove the user from all groups (except for Domain Users), it still seems to have 6 permissions that I can't source: Traverse/Execute, List/Read, Read Attrib, Read Ext, Create files/Write Data, Create Folders/Append Data.
    I only see those perms in Effective Permissions.

    Where might they come from? They have been messing up my experiment - just when it was going so swimmingly! :biggrin:

    Rob
     
  10. Tinus1959

    Tinus1959 Gigabyte Poster

    Well, Everyone has at least read rights, and you cannot remove a user from Everyone.
    If you remove the everyone group from the rights list, only the specific rights you gave will be there.
     
    Certifications: See my signature
    WIP: MCSD, MCAD, CCNA, CCNP
  11. Modey

    Modey Terabyte Poster

    In a word, yes. :)

    edit: To expand on that a little. When it comes to working out effective permissions for either Share or NTFS make sure you Evaluate all group permissions for a user, then the effective permission is the least restrictive. Then consider any Deny permissions as they will override anything else.

    Once you have done that on both the NTFS and Share permissions, the combined permission is the most restrictive of the two. Obviously, that only applies if the user is accessing the resource in question across the network.
     
    Certifications: A+, N+, MCP, MCDST, MCSA 2K3, MCTS, MOS, MTA, MCT, MCITP:EDST7, MCSA W7, Citrix CCA, ITIL Foundation
    WIP: Nada
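    As an added illustration of the evaluation rules Modey describes above (this is not code from the book or from anyone in the thread), the following models the two ACL types as sets of operations, uses the APP1 table from the question as constructed sample data, and works through the four answer options. The right-to-operation mapping is a simplification assumed here for illustration, not the exact Windows semantics.

```python
RIGHTS = {
    "Read": {"read"},
    "Read & Execute": {"read", "execute"},
    "Write": {"write"},
    "Read/Write": {"read", "write"},
    "Change": {"read", "execute", "write", "delete"},
    "Full Control": {"read", "execute", "write", "delete", "change_perms"},
}

# ACL entries are (principal, "Allow" | "Deny", right); these two lists are
# the APP1 table from the question, transcribed as constructed sample data.
NTFS_APP1 = [("Everyone", "Allow", "Read"),
             ("Sales", "Allow", "Read & Execute"),
             ("Marketing", "Allow", "Read/Write"),
             ("Executive", "Allow", "Read & Execute")]
SHARE_APP1 = [("Everyone", "Allow", "Read"),
              ("Sales", "Allow", "Change"),
              ("Marketing", "Allow", "Full Control"),
              ("Executive", "Allow", "Read")]


def effective(acl, groups):
    """One ACL type on its own: union of every Allow held by any of the
    user's groups, then any Deny removes its rights whatever else allowed them."""
    allowed, denied = set(), set()
    for principal, kind, right in acl:
        if principal in groups:
            (allowed if kind == "Allow" else denied).update(RIGHTS[right])
    return allowed - denied


def access(ntfs_acl, share_acl, groups, over_network=True):
    """Across the network the result is the intersection of the two effective
    sets (most restrictive); logged on at the console only NTFS applies."""
    ntfs = effective(ntfs_acl, groups)
    return ntfs & effective(share_acl, groups) if over_network else ntfs


def evaluate_options():
    """For each answer option in the question, can Joe write to APP1 over the network?"""
    base = {"Everyone", "Authenticated Users"}  # implicit groups of any logged-on user
    scenarios = {
        "A": (NTFS_APP1 + [("Sales", "Allow", "Write")], SHARE_APP1, base | {"Sales"}),
        "B": (NTFS_APP1 + [("Executive", "Allow", "Write")], SHARE_APP1, base | {"Executive"}),
        "C": (NTFS_APP1, SHARE_APP1 + [("Executive", "Allow", "Change")], base | {"Executive"}),
        "D": (NTFS_APP1, SHARE_APP1 + [("Everyone", "Allow", "Full Control")], base),
    }
    return {opt: "write" in access(n, s, g) for opt, (n, s, g) in scenarios.items()}
```

    Only option A leaves Joe with write in both effective sets, which is the book's answer; Modey's Deny example and Sparky's local-logon case can be checked by calling `effective` and `access` directly.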
  12. robyale

    robyale New Member

    Hmm. Ok, that explains the Read portion of the permissions I'm seeing. Where the Write perms come from is still a mystery to me.

    I'm going to delete this user and create a new one. Before I make any changes to permissions, I'm going to examine the user to see what it gets by default.

    Rob
     
  13. Tinus1959

    Tinus1959 Gigabyte Poster

    Keep in mind users are automagically members of a number of special groups. They could get the rights from those groups. If someone is logged in, he is a member of Everyone, but also of Authenticated Users.
    If someone creates a file, he is a member of creator/user for that file. Permissions can be very tricky, but if you get the point, it is very logical.
    Good luck!
     
    Certifications: See my signature
    WIP: MCSD, MCAD, CCNA, CCNP
