Permissions question
-
Friday, August 24, 2012 7:33 PM
I have an NTFS share for which Share Permissions are set to Everyone - Full Control. Under Security settings, if I grant Group-A Modify rights and Group-B Read and Execute rights, what rights does a user get if he is a member of both groups?
Is it a cumulative, most restrictive or least restrictive thing?
Thank you in advance for your help!
Mike Grammas
All Replies
-
Friday, August 24, 2012 7:37 PM
Effective permission = Most restrictive permission
Santhosh Sivarajan | Houston, TX
http://www.sivarajan.com/

This posting is provided AS IS with no warranties, and confers no rights.
-
Friday, August 24, 2012 8:18 PM
Hi,
Agree with Santhosh, the effective permission is the most restrictive (least permissive) permission.
Additionally, see the descriptions in the articles below:
EFFECTIVE PERMISSIONS: http://www.thenetworkencyclopedia.com/d2.asp?ref=691
View effective permissions on files and folders: http://technet.microsoft.com/en-us/library/cc758822(v=ws.10).aspx
Best regards,
Abhijit Waikar.
MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
Blog: http://abhijitw.wordpress.com
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
- Edited by Abhijit Waikar (Microsoft Community Contributor) Friday, August 24, 2012 8:19 PM
- Proposed As Answer by VenkatSP Saturday, August 25, 2012 10:48 AM
-
Friday, August 24, 2012 9:24 PM
Hmm, I don't think so. The user would have modify permissions. NTFS permissions are cumulative, share permissions are most restrictive.
- Marked As Answer by mgrammas Monday, August 27, 2012 6:34 PM
-
Sunday, August 26, 2012 11:37 AM
Hello,
Here you are speaking about how different types of permissions are combined: multiple NTFS permissions and NTFS permissions with Share permissions.
For NTFS permissions, you granted the following:
- To group A the Modify permission
- To group B the read and execute rights
Since there is no explicit deny for permissions, and that means that permissions like Modify are denied implicitly for group B, the permissions you granted for group A and group B are combined and the user will have Modify permission as the NTFS permission.
Now, let's talk about combining NTFS and share permissions. Here, the permissions are combined and the user will have the lesser of the possible permissions.
That means that once we combine the NTFS permissions and the Share ones, we will have Modify permission when the user accesses the folder as a share.
Based on that, the user will have Modify permission when he accesses the folder locally or as a share.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
-
Monday, August 27, 2012 12:35 AM
Since there is no deny permission and if the user is a member of both (read and modify group), the user will have modify permission.
Hope this helps
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
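
The combination rule from the marked answer (NTFS allow entries accumulate across groups, and access through a share is limited to what both the share and NTFS grant), as an added example that is not part of the original thread. It is a simplified Python model that ignores ACE ordering and inheritance, uses the .NET FileSystemRights values as masks, and assumes share permissions map onto the same masks; the read-only share and the deny entry are constructed variations.

```python
# Access masks: values of the .NET FileSystemRights enum.
WRITE = 0x116
READ_AND_EXECUTE = 0x200A9
MODIFY = 0x301BF
FULL_CONTROL = 0x1F01FF

def combined(aces, groups):
    """OR the allow masks of every ACE matching the user's groups,
    then clear any bit that a matching deny ACE names."""
    allow = deny = 0
    for principal, kind, mask in aces:
        if principal not in groups:
            continue
        if kind == "allow":
            allow |= mask
        elif kind == "deny":
            deny |= mask
        else:
            raise ValueError(f"unknown ACE type: {kind}")
    return allow & ~deny

def effective(ntfs_aces, share_aces, groups, via_share=True):
    """Local access is governed by NTFS alone; access through the share
    gets only the bits granted by both the share and NTFS."""
    ntfs = combined(ntfs_aces, groups)
    return ntfs & combined(share_aces, groups) if via_share else ntfs

def level(mask):
    """Highest standard permission level fully contained in mask."""
    for name, bits in (("Full Control", FULL_CONTROL), ("Modify", MODIFY),
                       ("Read and Execute", READ_AND_EXECUTE)):
        if mask & bits == bits:
            return name
    return "None"

# Constructed input: the scenario from the question.
USER_GROUPS = {"Everyone", "Group-A", "Group-B"}
NTFS = [("Group-A", "allow", MODIFY), ("Group-B", "allow", READ_AND_EXECUTE)]
SHARE_FULL = [("Everyone", "allow", FULL_CONTROL)]
# Constructed variations: a read-only share, and a deny entry on Group-B.
SHARE_READ = [("Everyone", "allow", READ_AND_EXECUTE)]
NTFS_DENY = NTFS + [("Group-B", "deny", WRITE)]

if __name__ == "__main__":
    for label, ntfs, share in (("question", NTFS, SHARE_FULL),
                               ("read-only share", NTFS, SHARE_READ),
                               ("deny write", NTFS_DENY, SHARE_FULL)):
        print(label, "->", level(effective(ntfs, share, USER_GROUPS)))
```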

