
Is anyone able to clarify how Windows permissions work?

StinkyPinky

Diamond Member
Is this summary correct? Say for example a user is given two different permissions (part of two different groups for example...)

NTFS (Security Tab) Permissions

If there's a conflict, it goes for the highest permission

Sharing Tab

If there's a conflict, it goes for the highest

Conflict between Sharing and Security

If there's a conflict between the two, it goes for the lowest??
 
Sharing is built on top of NTFS permissions so it has to pass that first before the sharing permissions are considered. So what you said is effectively correct.
 
> Conflict between Sharing and Security
>
> If there's a conflict between the two, it goes for the lowest??

Kind of. Share permissions are applied first, and then NTFS. When you're accessing a folder/file through the share, the end result is that the most restrictive of Share and NTFS applies. But, if the Share permissions are more restrictive than NTFS, and the account is logged on locally (not connecting over the share), the Share permissions are not used and NTFS is applied. Share permissions only apply when the share is being accessed over the network.

In the real world people tend to always give Everyone (or Authenticated Users) Full Control on the share, and use NTFS to manage security.
 
> Kind of. Share permissions are applied first, and then NTFS. When you're accessing a folder/file through the share, the end result is that the most restrictive of Share and NTFS applies. But, if the Share permissions are more restrictive than NTFS, and the account is logged on locally (not connecting over the share), the Share permissions are not used and NTFS is applied. Share permissions only apply when the share is being accessed over the network.
>
> In the real world people tend to always give Everyone (or Authenticated Users) Full Control on the share, and use NTFS to manage security.

I would hope people are using Authenticated Users or "Domain Users" / "Domain Admins." Seems silly to have a layer of security there and just bypass it and leave the door open.

Anyway, share security always wins when coming in via a share. From there, the explicit security rights are higher priority than inherited rights. I.e., if you are in Domain Users and have "read" at the NTFS "d: drive" level and then "Joe User" has full control to e: \pants\*.*, Joe User then has full control of e: \pants\*.*. There are also Deny rights, which generally always win. However, if Joe User had only Read rights to the "Pants Share" he would always have read, no matter if he is "Full Control." Allows are additive, so inheriting read and then explicitly assigning write will give you read/write. It works like this:

Share Deny
Share Allow
Explicit Deny
Explicit Allow
Inherited Deny
Inherited Allow
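
The evaluation order listed above, as an added example that is not part of the thread: a simplified Python model in which the share ACL is checked first for network access, then the NTFS ACL is walked in the order explicit deny, explicit allow, inherited deny, inherited allow. The rights masks, the group and user names, and the ACE tuples are constructed for illustration; real access checks work on security descriptors with many more rights.

```python
# Added example: simplified model of share + NTFS access evaluation.
READ, WRITE, FULL = 0b001, 0b010, 0b111   # constructed, simplified rights masks

def check_acl(aces, sids, wanted):
    """Walk ACEs in order: fail on the first deny of a right still needed,
    succeed once every wanted right has been allowed (allows are additive)."""
    remaining = wanted
    for kind, sid, mask in aces:
        if sid not in sids:
            continue
        if kind == "deny" and mask & remaining:
            return False
        if kind == "allow":
            remaining &= ~mask
            if remaining == 0:
                return True
    return False  # nothing granted the remaining rights: implicit deny

def canonical(explicit, inherited):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    deny_first = lambda aces: sorted(aces, key=lambda a: a[0] != "deny")
    return deny_first(explicit) + deny_first(inherited)

def access(share_acl, ntfs_acl, sids, wanted, over_network=True):
    """Share ACL only applies over the network; NTFS always applies."""
    if over_network and not check_acl(share_acl, sids, wanted):
        return False
    return check_acl(ntfs_acl, sids, wanted)

# Constructed sample data: Joe User is a member of Domain Users.
JOE = {"Joe User", "Domain Users"}
SHARE = [("allow", "Domain Users", READ)]               # read-only share
NTFS = canonical(explicit=[("allow", "Joe User", WRITE)],
                 inherited=[("allow", "Domain Users", READ)])
# Explicit allow is reached before an inherited deny.
NTFS_INHERITED_DENY = canonical(explicit=[("allow", "Joe User", WRITE)],
                                inherited=[("deny", "Domain Users", WRITE)])
# Explicit deny is reached before any allow.
NTFS_EXPLICIT_DENY = canonical(explicit=[("deny", "Joe User", WRITE)],
                               inherited=[("allow", "Domain Users", FULL)])

if __name__ == "__main__":
    print("network read :", access(SHARE, NTFS, JOE, READ))
    print("network write:", access(SHARE, NTFS, JOE, WRITE))
    print("local r/w    :", access(SHARE, NTFS, JOE, READ | WRITE, over_network=False))
```
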
 