none
Permissions question

    Question

  • I have an NTFS share for which Share Permissions are set to Everyone - Full Control.  Under Security settings, if I grant Group-A Modify rights and Group-B Read and Execute rights, what rights does a user get if he is a member of both groups? 

    Is it a cumulative, most restrictive or least restrictive thing?

    Thank you in advance for your help!

    Mike Grammas

    Friday, August 24, 2012 7:33 PM

Answers

  • Hmm, I don't think so. The user would have modify permissions. NTFS permissions are cumulative, share permissions are most restrictive.

    • Marked as answer by mgrammas Monday, August 27, 2012 6:34 PM
    Friday, August 24, 2012 9:24 PM

All replies

  • Effective permission = Most restrictive permission

    Santhosh Sivarajan | Houston, TX
    http://www.sivarajan.com/

    FaceBook Twitter LinkedIn SS Tech Forum

    This posting is provided AS IS with no warranties,and confers no rights.

    Friday, August 24, 2012 7:37 PM
  • Hi,

    Agree with Santosh, the effective permission is the most restrictive (least permissive) permission.

    Additionally, see the description in below article:
    EFFECTIVE PERMISSIONS : http://www.thenetworkencyclopedia.com/d2.asp?ref=691

    View effective permissions on files and folders
    http://technet.microsoft.com/en-us/library/cc758822(v=ws.10).aspx


    Best regards,

    Abhijit Waikar.
    MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.


    • Edited by Abhijit Waikar Friday, August 24, 2012 8:19 PM
    • Proposed as answer by VenkatSP Saturday, August 25, 2012 10:48 AM
    Friday, August 24, 2012 8:18 PM
  • Hmm, I don't think so. The user would have modify permissions. NTFS permissions are cumulative, share permissions are most restrictive.

    • Marked as answer by mgrammas Monday, August 27, 2012 6:34 PM
    Friday, August 24, 2012 9:24 PM
  • Hello,

    Here you are speaking about how different types of permissions are combined: multiple NTFS permissions and NTFS permissions with Share permissions.

    For NTFS permissions, you granted the following:

    1. To group A the Modify permission
    2. To group B the read and execute rights

    Since there is no explicit deny for permissions an that means that permissions like Modify is denied implicitly for group B, the permissions you granted for group A and group B and the user will have Modify permission as NTFS permission.

    Now, let's talk about combining NTFS and share permissions. Here, the permissions are combined and the user will have the less of possible permissions.

    That means that one we combine the NTFS permissions and the Share one, we will have Modify permission when the user will access the folder as a share.

    Based on that, the user will have Modify permission when he will access the folder locally or as a share.


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.   

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Sunday, August 26, 2012 11:37 AM
  • Since there is no deny permission and if the user is member of both (read and modify group),the user will have modify permission.

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, August 27, 2012 12:35 AM