Users have rights not only as a result of the NTFS permissions explicitly assigned to specific files or directories for their accounts but also by virtue of the groups to which they belong. Because NTFS shares exist, figuring out permissions can get pretty interesting when you have to combine NTFS and share permissions for a particular file or directory while also taking user settings and group memberships into account. To help you figure out what's what, we give you a recipe for calculation, plus a few rules to use, and then walk you through an example to show you how things work.
To figure out which permissions apply to a share on an NTFS object, you must first determine which permissions apply to the NTFS object by itself. This could include inheritance features from parent to child object. (See Chapter 12 for a refresher on inheritance.) Next, you must determine the permissions that apply to the share. (The rules for this process appear in the following section.) Whichever of the two results is more restrictive wins and defines the actual permissions that apply to the file or directory in question. This process isn't difficult, but it may produce some counter-intuitive results. You must apply these rules exactly as they're stated, or we can't guarantee the results. Here goes:
1. Determine the permissions on the object.
2. Determine the permissions on the share.
3. Compare the permissions between the share and the object. The more restrictive permission is the permission that applies.
Tip: Whenever you or your users can't obtain access to a particular file-system object through a share (or NTFS by itself, for that matter), always check group memberships and their associated permissions.
The formal explanation may not completely illuminate the process of figuring permissions, so this section provides a couple of examples.
Betty belongs to the Marketing Dept, Domain Users, and Film Critics groups. She wants to delete the file in an NTFS share named Rosebud.doc. Can she do it? Table 16-2 shows her individual and group permissions.
Type | Membership | Name | Permission |
---|---|---|---|
NTFS | User Account | BettyB | Read |
NTFS | Group | Marketing Dept | Read |
NTFS | Group | Domain Users | Change |
NTFS | Group | Film Critics | Change |
Share | User Account | BettyB | Read |
Share | Group | Marketing Dept | Read |
Share | Group | Domain Users | Read |
Share | Group | Film Critics | Read |
On the NTFS side, Read plus Change equals Change; on the share side, Read is the only game in town. The more restrictive of Read and Change is Read. Read won't allow Betty to delete a file, so Betty's out of luck! Maybe next time.
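The three-step recipe applied to Betty's entries from Table 16-2, as an added example that is not part of the original text. It also reports which side caps the access and which principals supply the NTFS result, which is what you check when troubleshooting. Assumptions: permission levels sit on one ordered scale (None, Read, Change, Full Control), only Allow entries are modeled, and the function names are hypothetical.

```python
# Added example: simplified model of combining NTFS and share permissions.
# Assumption: levels form one ordered scale; Deny entries are not modeled.
LEVELS = ["None", "Read", "Change", "Full Control"]
RANK = {name: i for i, name in enumerate(LEVELS)}

def cumulative(acl, principals):
    """Steps 1 and 2: highest level granted to the user or any of their groups
    on one side. Returns (level, principals that grant that level)."""
    grants = {p: acl[p] for p in principals if p in acl}
    if not grants:
        return "None", []          # no matching entry means no access
    best = max(grants.values(), key=RANK.__getitem__)
    return best, sorted(p for p, lvl in grants.items() if lvl == best)

def effective(ntfs_acl, share_acl, user, groups):
    """Step 3: the more restrictive of the two per-side results applies."""
    principals = [user, *groups]
    ntfs, ntfs_from = cumulative(ntfs_acl, principals)
    share, share_from = cumulative(share_acl, principals)
    if RANK[ntfs] == RANK[share]:
        limited_by = "both"
    else:
        limited_by = "NTFS" if RANK[ntfs] < RANK[share] else "share"
    return {
        "ntfs": ntfs, "ntfs_from": ntfs_from,
        "share": share, "share_from": share_from,
        "effective": min(ntfs, share, key=RANK.__getitem__),
        "limited_by": limited_by,
    }

def can_delete(level):
    # The text says Read does not allow deleting a file; this model treats
    # Change and above as allowing it (assumption).
    return RANK[level] >= RANK["Change"]

# Entries copied from Table 16-2
NTFS_ACL = {"BettyB": "Read", "Marketing Dept": "Read",
            "Domain Users": "Change", "Film Critics": "Change"}
SHARE_ACL = {"BettyB": "Read", "Marketing Dept": "Read",
             "Domain Users": "Read", "Film Critics": "Read"}
BETTY_GROUPS = ["Marketing Dept", "Domain Users", "Film Critics"]

if __name__ == "__main__":
    result = effective(NTFS_ACL, SHARE_ACL, "BettyB", BETTY_GROUPS)
    print(result)
    print("Can delete Rosebud.doc:", can_delete(result["effective"]))
```
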
Now that you know how to figure permissions manually, we'll show you a shortcut. In fact, we already told you about it earlier in this chapter. If you display the Advanced Properties dialog box from an object's Security tab, you can access the Effective Permissions tab. By selecting a specific user or group, this tab will display the effective permissions for that user or group, as shown in Figure 16-3.