
Author Permission conflicts
Techie219

2002-10-05, 5:03 am

Hey!!

Can anybody help out!? I'm confused about NTFS and Share conflicts.

In the simplest and most understandable method, what are the effective permissions for these?

1) Permission conflicts ONLY between NTFS permissions. Please include examples.

2) Permission conflicts between NTFS permissions and Share permissions. Please include examples.

Appreciate your help.

Thanks

CyberDude

2002-10-05, 12:17 pm

Remember this for both ntfs and share permissions:

Full control gives you access to everything, and deny blocks you no matter what.

NTFS permissions are inheritable, and explicit permissions take precedence.

NTFS permissions are added together to give you the most freedom, whereas share + NTFS permissions give you the most restricted.

For shares, almost always assign full control to the everyone group (unless you only want a certain group to have network access). You then assign NTFS permissions in regards to your different groups and users.

twister166

2002-10-05, 11:36 pm

Slinky had a good explanation on this one.

Basically, deny all is God. If either share or ntfs has deny all = no access.

Otherwise it is most restrictive (assuming network access not local access). So, if share is read and ntfs is everyone = read. Or share = everyone and ntfs is read = read.

Slinky

2002-10-06, 10:10 am

Remember NTFS permissions only apply when a user is accessing the file/folder locally, and share permissions apply when somebody accesses the file/folder from over the network. Let's say that twister needs access to a shared folder called "MP3s"; this folder has a share permission of "Full control", and the NTFS permission of "Read & execute". So twister logs into a client machine and accesses the share over the network; share permissions + NTFS permissions = most restrictive, like CyberDude already said. So the most restrictive out of "Full control" and "Read & execute" is the latter, and all twister can do is play the MP3s.

Explicit permissions, which mean that they are assigned to the file specifically, take precedence over the folder permissions. For example, say there is a file in another folder "Documents" and it contains a file called "blah.txt". Let's say the share permissions are full control, and the NTFS folder permissions are Read & Execute. The effective permissions are Read & Execute since that's the most restrictive. Let's say that the administrator explicitly assigned twister the write permission to the file. Now twister can write to that file only, but to nothing else in the directory. He can still Read & Execute all day.

The deny permission takes precedence over everything. If you have the full control share permission, but you are denied full control for NTFS permissions, then you will not be able to do anything. In other words you have no access.

When groups come into play, NTFS permissions are cumulative. So if you are a member of a group called "accounting" and that group has the write permission to a file, and a member of another group called "HR" which has the Read & Execute permission, by virtue of being a member of both groups you can now Read & Execute and write to the file.

I would recommend reading the help files included with Windows 2000. They are a great source of information regarding what the different permissions are and what they do.
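
The rules discussed in the replies above, as an added example that is not part of any poster's message: a simplified Python model in which allows accumulate across a user's groups, a matching deny removes the right, and network access gets only what both the share ACL and the NTFS ACL grant. The right names, group names and ACL tuples are constructed for illustration, and the model assumes a flat ACL, ignoring the ordering of explicit versus inherited entries.

```python
from enum import Flag

class Right(Flag):
    # Simplified rights (assumption); real NTFS and share masks are finer-grained.
    READ = 1
    EXECUTE = 2
    WRITE = 4
    DELETE = 8
    CHANGE_PERMS = 16
    READ_EXECUTE = READ | EXECUTE
    FULL = READ | EXECUTE | WRITE | DELETE | CHANGE_PERMS

NONE = Right(0)

def combine(acl, principals):
    """Evaluate one ACL for a user: allows from every matching user/group
    entry add up, and any matching deny removes that right."""
    allow, deny = NONE, NONE
    for who, kind, rights in acl:
        if who in principals:
            if kind == "deny":
                deny |= rights
            else:
                allow |= rights
    return allow & ~deny

def effective(principals, ntfs_acl, share_acl=None):
    """share_acl=None models local access, where no share ACL is consulted.
    Over the network the result is what both ACLs grant (most restrictive)."""
    ntfs = combine(ntfs_acl, principals)
    if share_acl is None:
        return ntfs
    return ntfs & combine(share_acl, principals)

# Constructed sample data modelled on the thread's scenarios.
twister = {"twister", "Everyone", "accounting", "HR"}
share_full = [("Everyone", "allow", Right.FULL)]
mp3s = [("Everyone", "allow", Right.READ_EXECUTE)]
payroll = [("accounting", "allow", Right.WRITE), ("HR", "allow", Right.READ_EXECUTE)]
denied = [("Everyone", "allow", Right.FULL), ("twister", "deny", Right.FULL)]

if __name__ == "__main__":
    print(effective(twister, mp3s, share_full))    # share Full + NTFS Read & Execute
    print(effective(twister, payroll))             # two groups, local access
    print(effective(twister, denied, share_full))  # deny on the NTFS side
```
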

Copyright 2003 - 2008 examnotes.net