Combining Share and NTFS Permissions


When you're accessing the contents of a shared folder on an NTFS volume, the effective permissions for the object that you are trying to access are a combination of the share and the NTFS permissions applied to the object. The effective permission is always the more restrictive of the two.

For a real-world example, think about it in this way: John has just been named Employee of the Month. As part of this award, he gets a party in his department's break room. Sitting around a table in the break room are several employees from John's department. Sitting on the table is a cake and in John's pocket is the bonus check John received with the award. Think of the people sitting around the table as users sitting at the console of a workstation or server. The check in John's pocket has his name on it, so effectively he has Full Control permissions on the check. Because the check was explicitly made out to John, no other users have access to it, even if they are sitting at the console, or in our example, the table in the break room.

On the other hand, the cake is for everybody in the department, so imagine that the Everyone group has Full Control permissions to the cake. This means that anyone sitting at the table has full access to the cake.

Being a good friend of John, you of course wouldn't miss his celebration, even though you work in another department. However, as usual, you're running late. You approach the door of the break room and discover that you need a card key or access code to get in, which you do not have. Even though you are a member of the Everyone group, and you have permissions to access the cake, you can't get to it because you don't have the proper level of access to get through the door.

A shared folder is similar to the door in our example. If you don't have the necessary access rights for a folder, you can't get to its contents, even if you have been granted the necessary rights at the object level.

To carry the example a little further, say that the door to the break room is made of glass. In this case, because you can see through the door, you have permission to look around (Read), but you can't eat any of the cake (Change). Although the cake still has the permission of Everyone Full Control, because you can only see through the door, you have only the rights that were granted through it.

In a nutshell, this is how combined file and share permissions work. If you are sitting at the server or workstation console, only the NTFS file and folder access permissions apply to you. However, if you are trying to access the files across the network via a shared folder, both the file and the share permissions apply, and the most restrictive permission applies.

Let's use our previous example again. Say that Mary, a member of John's department, is also late for the party. She is able to enter the break room because she has full access rights as a member of John's department (that is, she has the necessary card key or access code to get in). However, she still does not have access to John's bonus check because she doesn't have the proper permissions.

As you can see, when you combine file and share permissions, the most restrictive permissions apply.
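The combination rule, worked through for the break-room analogy as an added Python sketch (not code from the book). Assumptions: Read, Change and Full Control are modeled as bitmasks, only allow entries are modeled, and the group names and ACL contents are constructed to match the glass-door variant of the example.

```python
# Permission levels as bitmasks: each level includes the ones below it.
NONE, READ, CHANGE, FULL = 0b000, 0b001, 0b011, 0b111
NAMES = {NONE: "No access", READ: "Read", CHANGE: "Change", FULL: "Full Control"}

# Constructed sample data (hypothetical names) mirroring the analogy.
GROUPS = {
    "john": {"Everyone", "JohnsDept"},
    "mary": {"Everyone", "JohnsDept"},
    "you": {"Everyone"},  # works in another department
}
# Share ACL = the door: glass lets Everyone look, a card key gives full entry.
SHARE_ACL = {"Everyone": READ, "JohnsDept": FULL}
# NTFS ACLs = the objects inside the room.
NTFS_ACL = {
    "cake": {"Everyone": FULL},
    "check": {"john": FULL},  # made out to John only
}

def granted(acl, user):
    """Union of the allow entries that match the user or one of the user's groups."""
    principals = GROUPS[user] | {user}
    mask = NONE
    for principal, perm in acl.items():
        if principal in principals:
            mask |= perm
    return mask

def effective(user, obj, via_network):
    """Effective permission on obj: NTFS only at the console, share AND NTFS over the network."""
    ntfs = granted(NTFS_ACL[obj], user)
    if not via_network:
        return ntfs
    # Bitwise AND keeps only rights granted by both layers (the more restrictive result).
    return ntfs & granted(SHARE_ACL, user)

if __name__ == "__main__":
    for user, obj, net in [("you", "cake", True), ("mary", "cake", True),
                           ("mary", "check", True), ("john", "check", False)]:
        where = "network" if net else "console"
        print(f"{user:5} {obj:6} {where:8} -> {NAMES[effective(user, obj, net)]}")
```
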




MCSA/MCSE 70-290 Exam Prep: Managing and Maintaining a Microsoft Windows Server 2003 Environment (2nd Edition)
ISBN: 0789736489
EAN: 2147483647
Year: 2006
Pages: 219
Authors: Lee Scales
