Friday, August 24, 2012 7:33 PM
I have an NTFS share for which Share Permissions are set to Everyone - Full Control. Under Security settings, if I grant Group-A Modify rights and Group-B Read and Execute rights, what rights does a user get if he is a member of both groups?
Is it a cumulative, most restrictive or least restrictive thing?
Thank you in advance for your help!
Friday, August 24, 2012 7:37 PMEffective permission = Most restrictive permission
Santhosh Sivarajan | Houston, TX
This posting is provided AS IS with no warranties,and confers no rights.
Friday, August 24, 2012 8:18 PM
Agree with Santosh, the effective permission is the most restrictive (least permissive) permission.
Additionally, see the description in below article:
EFFECTIVE PERMISSIONS : http://www.thenetworkencyclopedia.com/d2.asp?ref=691
View effective permissions on files and folders
MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
Friday, August 24, 2012 9:24 PM
Hmm, I don't think so. The user would have modify permissions. NTFS permissions are cumulative, share permissions are most restrictive.
- Marked As Answer by mgrammas Monday, August 27, 2012 6:34 PM
Sunday, August 26, 2012 11:37 AM
Here you are speaking about how different types of permissions are combined: multiple NTFS permissions and NTFS permissions with Share permissions.
For NTFS permissions, you granted the following:
- To group A the Modify permission
- To group B the read and execute rights
Since there is no explicit deny for permissions an that means that permissions like Modify is denied implicitly for group B, the permissions you granted for group A and group B and the user will have Modify permission as NTFS permission.
Now, let's talk about combining NTFS and share permissions. Here, the permissions are combined and the user will have the less of possible permissions.
That means that one we combine the NTFS permissions and the Share one, we will have Modify permission when the user will access the folder as a share.
Based on that, the user will have Modify permission when he will access the folder locally or as a share.
Monday, August 27, 2012 12:35 AM
Since there is no deny permission and if the user is member of both (read and modify group),the user will have modify permission.
Hope this helps
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.