I have an NTFS share for which Share Permissions are set to Everyone - Full Control. Under Security settings, if I grant Group-A Modify rights and Group-B Read and Execute rights, what rights does a user get if he is a member of both groups?
Is it a cumulative, most restrictive or least restrictive thing?
Thank you in advance for your help!
Agree with Santosh, the effective permission is the most restrictive (least permissive) permission.
Additionally, see the description in below article:
EFFECTIVE PERMISSIONS : http://www.thenetworkencyclopedia.com/d2.asp?ref=691
View effective permissions on files and folders
MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
Here you are speaking about how different types of permissions are combined: multiple NTFS permissions and NTFS permissions with Share permissions.
For NTFS permissions, you granted the following:
- To group A the Modify permission
- To group B the read and execute rights
Since there is no explicit deny for permissions an that means that permissions like Modify is denied implicitly for group B, the permissions you granted for group A and group B and the user will have Modify permission as NTFS permission.
Now, let's talk about combining NTFS and share permissions. Here, the permissions are combined and the user will have the less of possible permissions.
That means that one we combine the NTFS permissions and the Share one, we will have Modify permission when the user will access the folder as a share.
Based on that, the user will have Modify permission when he will access the folder locally or as a share.
Since there is no deny permission and if the user is member of both (read and modify group),the user will have modify permission.
Hope this helps
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
See, keep it very simple.
If to decide effective permission between share and NTFS- most restrictive takes precedence
If to decide effective permission between NTFS( in your given example)- least restrictive takes precedence
to ntfs will go on to modify then between ntfs's modify and shares's full control- MODIFY will win (most restrictive)