  1. Junior Member
    Join Date
    Jun 2016
    Location
    New England
    Posts
    8

    Certifications
    MTA: Server Fundamentals
    #1

    70-410: Share and NTFS Permissions Question

    I am in the middle of doing labs for my MCP, and I have a quick question when it comes to NTFS Share permissions. I set share permissions to 'full control' because I wanted to use NTFS permissions strictly. This was going fine, but I noticed something I didn't understand. When I assign permissions directly to a user in NTFS, it overrides group permissions.

    In other words, granting full permissions to a user object will override the more restrictive permission set on a group object (which the user is a part of). This goes against what we have been taught, which is that the object with the most restrictive permissions wins. Can someone help me understand why this is different when the permissions are assigned directly to a user?

    Thanks to all that reply.

  3. What The?! Fulcrum45's Avatar
    Join Date
    Oct 2013
    Location
    United States
    Posts
    475

    Certifications
    CCNA: R&S, Security+, Network+, FCNSA, MTA 98-365
    #2
    I'm working on my 70-410 as well and I believe (someone correct me if I'm wrong) that while NTFS permissions are cumulative, it depends heavily on whether the share is being accessed across the network or locally on the machine itself.

    Across a network via NTFS = Most restrictive permission
    Locally via NTFS = Least restrictive permission

    Moreover, Share permissions can only be used across a network but are trumped by NTFS permissions should they be used as well. It took me a bit to grasp that Share Permissions and NTFS were two different things.

    Also, be considerate of explicit permissions. I believe nothing trumps an explicit DENY.

    I hope this helps. And please, someone correct me if I'm wrong. Going off of memory here.

  4. They are watching you NetworkNewb's Avatar
    Join Date
    Feb 2015
    Location
    Off the grid
    Posts
    2,562

    Certifications
    A+/Net+/Sec+, CCENT, CCNA:Sec, CCSK, GCIH
    #3
    Depends if the group's permissions were inherited. If so, applying the user's permissions directly to the folder would override it.

    Explicit takes precedence over Inherited

  5. Senior Member
    Join Date
    Jul 2016
    Location
    USA
    Posts
    169

    Certifications
    A+, MCP (70-410, 70-411)
    #4
    When share and NTFS are combined it is always most restrictive. If the share is accessed locally, only NTFS will be applied for obvious reasons. Fulcrum45 is correct, an explicit deny will take precedence over all else. Keep your AGDLP as best practice and use deny only when needed. Yeah, NetworkNewb is right but you need to click a couple of check boxes to turn off inherited permissions. If so, then the explicit will apply. Server 2012 does include the effective permissions tab on all folders.
    Use it!
    Last edited by AvgITGeek; 04-28-2017 at 12:30 AM.
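The precedence rules discussed in this thread, as an added example that is not part of any post: a simplified Python model (not Windows' own access-check code) of how an ordered ACL is evaluated and how a share mask limits network access. The rights bits, the names `labuser` and `Sales`, and the sample entries are constructed for illustration.

```python
from dataclasses import dataclass

# Simplified rights bits, constructed for this example (not real Windows mask values).
READ, WRITE, DELETE = 1, 2, 4
FULL = READ | WRITE | DELETE

@dataclass(frozen=True)
class Ace:
    trustee: str             # user or group the entry applies to
    kind: str                # "allow" or "deny"
    mask: int
    inherited: bool = False  # True when the entry comes from a parent folder

def canonical(dacl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def ntfs_access(dacl, identities):
    """Walk the ordered list; the first matching entry that names a right decides it."""
    granted = decided = 0
    for ace in canonical(dacl):
        if ace.trustee not in identities:
            continue
        fresh = ace.mask & ~decided   # rights no earlier entry has settled
        if ace.kind == "allow":
            granted |= fresh
        decided |= fresh
    return granted

def effective(dacl, identities, share_mask=None):
    """share_mask=None models local access; over the network the share caps NTFS."""
    ntfs = ntfs_access(dacl, identities)
    return ntfs if share_mask is None else ntfs & share_mask

# Constructed lab scenario: user "labuser" is a member of group "Sales".
WHO = {"labuser", "Sales"}
USER_FULL = Ace("labuser", "allow", FULL)
CUMULATIVE = [Ace("Sales", "allow", READ, inherited=True), USER_FULL]
INHERITED_DENY = [Ace("Sales", "deny", WRITE, inherited=True), USER_FULL]
EXPLICIT_DENY = [Ace("Sales", "deny", WRITE), USER_FULL]

if __name__ == "__main__":
    print(effective(CUMULATIVE, WHO))                   # allows accumulate
    print(effective(INHERITED_DENY, WHO))               # explicit allow is read first
    print(effective(EXPLICIT_DENY, WHO))                # explicit deny removes WRITE
    print(effective(CUMULATIVE, WHO, share_mask=READ))  # share caps network access
```

On a real server, the Effective Access tab mentioned above remains the authoritative check; this model ignores details such as multiple inheritance levels and ownership rights.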

  6. Junior Member
    Join Date
    Jun 2016
    Location
    New England
    Posts
    8

    Certifications
    MTA: Server Fundamentals
    #5
    Got it. Thank you for the information, went a long way in helping understand why the effective permissions were what they were.
