Jump to content

NTFS Permissions - effective

Guest JohnB

By Guest JohnB
in Windows 2003 Server

 Share

Recommended Posts

Guest JohnB

Guest JohnB

Posted
Posted

Isn't the "effective" permissions the most restrictive combination,

calculated from group or individual permissions that apply?

 

I just checked the effective permissions (setup by someone else) of a folder

that contains confidential information, and everything is checked off except

Change, Full Control and Take Ownership. I did this with random users that

should only have Read permissions. There are 2 groups assigned permissions

on this folder; one group - Users - is granted everything but Full Control,

the other is group - Authenticated Users - is granted Read & Execute, List

and Read. And I would have thought those combined permissions would have

resulted in Read permissions. But apparently they don't. Everyone accesses

these folders through RDP sessions.

 

Why would the Effective permissions end up being more than just Read?

 

TIA

  • Replies 8
  • Created
  • Last Reply

Popular Days

Popular Days

Guest Meinolf Weber

Guest Meinolf Weber

Posted
Posted

Re: NTFS Permissions - effective

 

Hello JohnB,

 

As you said yourself, Users have much more rights then Authenticated users.

And, assuming Users applies to the machinename\users, if you are connecting

with RDP to the machine, you are also in that group as a local user of that

machine.

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Isn't the "effective" permissions the most restrictive combination,

> calculated from group or individual permissions that apply?

>

> I just checked the effective permissions (setup by someone else) of a

> folder that contains confidential information, and everything is

> checked off except Change, Full Control and Take Ownership. I did

> this with random users that should only have Read permissions. There

> are 2 groups assigned permissions on this folder; one group - Users -

> is granted everything but Full Control, the other is group -

> Authenticated Users - is granted Read & Execute, List and Read. And I

> would have thought those combined permissions would have resulted in

> Read permissions. But apparently they don't. Everyone accesses these

> folders through RDP sessions.

>

> Why would the Effective permissions end up being more than just Read?

>

> TIA

>

Guest JohnB

Guest JohnB

Posted
Posted

Re: NTFS Permissions - effective

 

I'm sorry but I don't think that explained anything for me.

 

Shouldn't the combination of the permissions be, the most restrictive of the

2? That isn't the case.

 

 

"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message

news:ff16fb66a406a8cab6fdfbae852c@msnews.microsoft.com...

> Hello JohnB,

>

> As you said yourself, Users have much more rights then Authenticated

> users. And, assuming Users applies to the machinename\users, if you are

> connecting with RDP to the machine, you are also in that group as a local

> user of that machine.

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and

> confers no rights.

> ** Please do NOT email, only reply to Newsgroups

> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

>

>> Isn't the "effective" permissions the most restrictive combination,

>> calculated from group or individual permissions that apply?

>>

>> I just checked the effective permissions (setup by someone else) of a

>> folder that contains confidential information, and everything is

>> checked off except Change, Full Control and Take Ownership. I did

>> this with random users that should only have Read permissions. There

>> are 2 groups assigned permissions on this folder; one group - Users -

>> is granted everything but Full Control, the other is group -

>> Authenticated Users - is granted Read & Execute, List and Read. And I

>> would have thought those combined permissions would have resulted in

>> Read permissions. But apparently they don't. Everyone accesses these

>> folders through RDP sessions.

>>

>> Why would the Effective permissions end up being more than just Read?

>>

>> TIA

>>

>

>

Guest Meinolf Weber

Guest Meinolf Weber

Posted
Posted

Re: NTFS Permissions - effective

 

Hello JohnB,

 

The user that belongs to the groups in any way will aplly the permissions,

so the user is a local machine user and an authenticated user.

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> I'm sorry but I don't think that explained anything for me.

>

> Shouldn't the combination of the permissions be, the most restrictive

> of the 2? That isn't the case.

>

> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message

> news:ff16fb66a406a8cab6fdfbae852c@msnews.microsoft.com...

>

>> Hello JohnB,

>>

>> As you said yourself, Users have much more rights then Authenticated

>> users. And, assuming Users applies to the machinename\users, if you

>> are connecting with RDP to the machine, you are also in that group as

>> a local user of that machine.

>>

>> Best regards

>>

>> Meinolf Weber

>> Disclaimer: This posting is provided "AS IS" with no warranties, and

>> confers no rights.

>> ** Please do NOT email, only reply to Newsgroups

>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

>>> Isn't the "effective" permissions the most restrictive combination,

>>> calculated from group or individual permissions that apply?

>>>

>>> I just checked the effective permissions (setup by someone else) of

>>> a folder that contains confidential information, and everything is

>>> checked off except Change, Full Control and Take Ownership. I did

>>> this with random users that should only have Read permissions.

>>> There are 2 groups assigned permissions on this folder; one group -

>>> Users - is granted everything but Full Control, the other is group -

>>> Authenticated Users - is granted Read & Execute, List and Read. And

>>> I would have thought those combined permissions would have resulted

>>> in Read permissions. But apparently they don't. Everyone accesses

>>> these folders through RDP sessions.

>>>

>>> Why would the Effective permissions end up being more than just

>>> Read?

>>>

>>> TIA

>>>

Guest JohnB

Guest JohnB

Posted
Posted

Re: NTFS Permissions - effective

 

>> so the user is a local machine user and an authenticated user

Right.

 

And if the permissions that are set for the 2 groups are different, the

resulting combination of the 2 would, I thought, be the most restrictve

combination. Right?

 

 

 

 

"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message

news:ff16fb66a407b8cab703cbd4dbfc@msnews.microsoft.com...

> Hello JohnB,

>

> The user that belongs to the groups in any way will aplly the permissions,

> so the user is a local machine user and an authenticated user.

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and

> confers no rights.

> ** Please do NOT email, only reply to Newsgroups

> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

>

>> I'm sorry but I don't think that explained anything for me.

>>

>> Shouldn't the combination of the permissions be, the most restrictive

>> of the 2? That isn't the case.

>>

>> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message

>> news:ff16fb66a406a8cab6fdfbae852c@msnews.microsoft.com...

>>

>>> Hello JohnB,

>>>

>>> As you said yourself, Users have much more rights then Authenticated

>>> users. And, assuming Users applies to the machinename\users, if you

>>> are connecting with RDP to the machine, you are also in that group as

>>> a local user of that machine.

>>>

>>> Best regards

>>>

>>> Meinolf Weber

>>> Disclaimer: This posting is provided "AS IS" with no warranties, and

>>> confers no rights.

>>> ** Please do NOT email, only reply to Newsgroups

>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

>>>> Isn't the "effective" permissions the most restrictive combination,

>>>> calculated from group or individual permissions that apply?

>>>>

>>>> I just checked the effective permissions (setup by someone else) of

>>>> a folder that contains confidential information, and everything is

>>>> checked off except Change, Full Control and Take Ownership. I did

>>>> this with random users that should only have Read permissions.

>>>> There are 2 groups assigned permissions on this folder; one group -

>>>> Users - is granted everything but Full Control, the other is group -

>>>> Authenticated Users - is granted Read & Execute, List and Read. And

>>>> I would have thought those combined permissions would have resulted

>>>> in Read permissions. But apparently they don't. Everyone accesses

>>>> these folders through RDP sessions.

>>>>

>>>> Why would the Effective permissions end up being more than just

>>>> Read?

>>>>

>>>> TIA

>>>>

>

>

Guest Meinolf Weber

Guest Meinolf Weber

Posted
Posted

Re: NTFS Permissions - effective

 

Hello JohnB,

 

From Notes under this: http://technet2.microsoft.com/windowsserver/en/library/87b011ec-b1b4-4baf-8ab0-53147b22a4201033.mspx?mfr=true

 

If the specified object grants access to the Everyone group, the Authenticated

Users group or the Local Users group, then the effective rights will always

include those permissions, except when the specified user or group is the

Anonymous group.

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

>>> so the user is a local machine user and an authenticated user

>>>

> Right.

>

> And if the permissions that are set for the 2 groups are different,

> the resulting combination of the 2 would, I thought, be the most

> restrictve combination. Right?

>

> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message

> news:ff16fb66a407b8cab703cbd4dbfc@msnews.microsoft.com...

>

>> Hello JohnB,

>>

>> The user that belongs to the groups in any way will aplly the

>> permissions, so the user is a local machine user and an authenticated

>> user.

>>

>> Best regards

>>

>> Meinolf Weber

>> Disclaimer: This posting is provided "AS IS" with no warranties, and

>> confers no rights.

>> ** Please do NOT email, only reply to Newsgroups

>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

>>> I'm sorry but I don't think that explained anything for me.

>>>

>>> Shouldn't the combination of the permissions be, the most

>>> restrictive of the 2? That isn't the case.

>>>

>>> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message

>>> news:ff16fb66a406a8cab6fdfbae852c@msnews.microsoft.com...

>>>

>>>> Hello JohnB,

>>>>

>>>> As you said yourself, Users have much more rights then

>>>> Authenticated users. And, assuming Users applies to the

>>>> machinename\users, if you are connecting with RDP to the machine,

>>>> you are also in that group as a local user of that machine.

>>>>

>>>> Best regards

>>>>

>>>> Meinolf Weber

>>>> Disclaimer: This posting is provided "AS IS" with no warranties,

>>>> and

>>>> confers no rights.

>>>> ** Please do NOT email, only reply to Newsgroups

>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

>>>>> Isn't the "effective" permissions the most restrictive

>>>>> combination, calculated from group or individual permissions that

>>>>> apply?

>>>>>

>>>>> I just checked the effective permissions (setup by someone else)

>>>>> of

>>>>> a folder that contains confidential information, and everything is

>>>>> checked off except Change, Full Control and Take Ownership. I did

>>>>> this with random users that should only have Read permissions.

>>>>> There are 2 groups assigned permissions on this folder; one group

>>>>> -

>>>>> Users - is granted everything but Full Control, the other is group

>>>>> -

>>>>> Authenticated Users - is granted Read & Execute, List and Read.

>>>>> And

>>>>> I would have thought those combined permissions would have

>>>>> resulted

>>>>> in Read permissions. But apparently they don't. Everyone

>>>>> accesses

>>>>> these folders through RDP sessions.

>>>>> Why would the Effective permissions end up being more than just

>>>>> Read?

>>>>>

>>>>> TIA

>>>>>

Guest Newell White

Guest Newell White

Posted
Posted

Re: NTFS Permissions - effective

 

Is this what you seek:

 

Effective Permission for member of noth A and B =

 

(PermissionA.OR.PermissionB).AND.NOT.(DenyA.OR.DenyB)

--

Regards,

Newell White

 

 

"JohnB" wrote:

> >> so the user is a local machine user and an authenticated user

> Right.

>

> And if the permissions that are set for the 2 groups are different, the

> resulting combination of the 2 would, I thought, be the most restrictve

> combination. Right?

>

>

>

>

> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message

> news:ff16fb66a407b8cab703cbd4dbfc@msnews.microsoft.com...

> > Hello JohnB,

> >

> > The user that belongs to the groups in any way will aplly the permissions,

> > so the user is a local machine user and an authenticated user.

> >

> > Best regards

> >

> > Meinolf Weber

> > Disclaimer: This posting is provided "AS IS" with no warranties, and

> > confers no rights.

> > ** Please do NOT email, only reply to Newsgroups

> > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> >

> >> I'm sorry but I don't think that explained anything for me.

> >>

> >> Shouldn't the combination of the permissions be, the most restrictive

> >> of the 2? That isn't the case.

> >>

> >> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message

> >> news:ff16fb66a406a8cab6fdfbae852c@msnews.microsoft.com...

> >>

> >>> Hello JohnB,

> >>>

> >>> As you said yourself, Users have much more rights then Authenticated

> >>> users. And, assuming Users applies to the machinename\users, if you

> >>> are connecting with RDP to the machine, you are also in that group as

> >>> a local user of that machine.

> >>>

> >>> Best regards

> >>>

> >>> Meinolf Weber

> >>> Disclaimer: This posting is provided "AS IS" with no warranties, and

> >>> confers no rights.

> >>> ** Please do NOT email, only reply to Newsgroups

> >>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> >>>> Isn't the "effective" permissions the most restrictive combination,

> >>>> calculated from group or individual permissions that apply?

> >>>>

> >>>> I just checked the effective permissions (setup by someone else) of

> >>>> a folder that contains confidential information, and everything is

> >>>> checked off except Change, Full Control and Take Ownership. I did

> >>>> this with random users that should only have Read permissions.

> >>>> There are 2 groups assigned permissions on this folder; one group -

> >>>> Users - is granted everything but Full Control, the other is group -

> >>>> Authenticated Users - is granted Read & Execute, List and Read. And

> >>>> I would have thought those combined permissions would have resulted

> >>>> in Read permissions. But apparently they don't. Everyone accesses

> >>>> these folders through RDP sessions.

> >>>>

> >>>> Why would the Effective permissions end up being more than just

> >>>> Read?

> >>>>

> >>>> TIA

> >>>>

> >

> >

>

>

Guest JohnB

Guest JohnB

Posted
Posted

Re: NTFS Permissions - effective

 

I did some more research and found the answer to my question. The "most

restrictive combination" thing that I was remembering applies to combined

Share and NTFS permissions.

When combining those, the resulting permissions is the most restrictive

combination.

 

And as Meinolf pointed out, when Share permissions aren't involved, the NTFS

permissions are cumulative.

 

 

"Newell White" <NewellWhite@discussions.microsoft.com> wrote in message

news:E065A4E1-2971-480F-8304-80435478C84F@microsoft.com...

> Is this what you seek:

>

> Effective Permission for member of noth A and B =

>

> (PermissionA.OR.PermissionB).AND.NOT.(DenyA.OR.DenyB)

> --

> Regards,

> Newell White

>

>

> "JohnB" wrote:

>

>> >> so the user is a local machine user and an authenticated user

>> Right.

>>

>> And if the permissions that are set for the 2 groups are different, the

>> resulting combination of the 2 would, I thought, be the most restrictve

>> combination. Right?

>>

>>

>>

>>

>> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message

>> news:ff16fb66a407b8cab703cbd4dbfc@msnews.microsoft.com...

>> > Hello JohnB,

>> >

>> > The user that belongs to the groups in any way will aplly the

>> > permissions,

>> > so the user is a local machine user and an authenticated user.

>> >

>> > Best regards

>> >

>> > Meinolf Weber

>> > Disclaimer: This posting is provided "AS IS" with no warranties, and

>> > confers no rights.

>> > ** Please do NOT email, only reply to Newsgroups

>> > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

>> >

>> >> I'm sorry but I don't think that explained anything for me.

>> >>

>> >> Shouldn't the combination of the permissions be, the most restrictive

>> >> of the 2? That isn't the case.

>> >>

>> >> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message

>> >> news:ff16fb66a406a8cab6fdfbae852c@msnews.microsoft.com...

>> >>

>> >>> Hello JohnB,

>> >>>

>> >>> As you said yourself, Users have much more rights then Authenticated

>> >>> users. And, assuming Users applies to the machinename\users, if you

>> >>> are connecting with RDP to the machine, you are also in that group as

>> >>> a local user of that machine.

>> >>>

>> >>> Best regards

>> >>>

>> >>> Meinolf Weber

>> >>> Disclaimer: This posting is provided "AS IS" with no warranties, and

>> >>> confers no rights.

>> >>> ** Please do NOT email, only reply to Newsgroups

>> >>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

>> >>>> Isn't the "effective" permissions the most restrictive combination,

>> >>>> calculated from group or individual permissions that apply?

>> >>>>

>> >>>> I just checked the effective permissions (setup by someone else) of

>> >>>> a folder that contains confidential information, and everything is

>> >>>> checked off except Change, Full Control and Take Ownership. I did

>> >>>> this with random users that should only have Read permissions.

>> >>>> There are 2 groups assigned permissions on this folder; one group -

>> >>>> Users - is granted everything but Full Control, the other is group -

>> >>>> Authenticated Users - is granted Read & Execute, List and Read. And

>> >>>> I would have thought those combined permissions would have resulted

>> >>>> in Read permissions. But apparently they don't. Everyone accesses

>> >>>> these folders through RDP sessions.

>> >>>>

>> >>>> Why would the Effective permissions end up being more than just

>> >>>> Read?

>> >>>>

>> >>>> TIA

>> >>>>

>> >

>> >

>>

>>

Guest Meinolf Weber

Guest Meinolf Weber

Posted
Posted

Re: NTFS Permissions - effective

 

Hello JohnB,

 

That's correct, so i misunderstood your question a bit.

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> I did some more research and found the answer to my question. The

> "most

> restrictive combination" thing that I was remembering applies to

> combined

> Share and NTFS permissions.

> When combining those, the resulting permissions is the most

> restrictive

> combination.

> And as Meinolf pointed out, when Share permissions aren't involved,

> the NTFS permissions are cumulative.

>

> "Newell White" <NewellWhite@discussions.microsoft.com> wrote in

> message news:E065A4E1-2971-480F-8304-80435478C84F@microsoft.com...

>

>> Is this what you seek:

>>

>> Effective Permission for member of noth A and B =

>>

>> (PermissionA.OR.PermissionB).AND.NOT.(DenyA.OR.DenyB)

>> --

>> Regards,

>> Newell White

>> "JohnB" wrote:

>>

>>>>> so the user is a local machine user and an authenticated user

>>>>>

>>> Right.

>>>

>>> And if the permissions that are set for the 2 groups are different,

>>> the resulting combination of the 2 would, I thought, be the most

>>> restrictve combination. Right?

>>>

>>> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message

>>> news:ff16fb66a407b8cab703cbd4dbfc@msnews.microsoft.com...

>>>

>>>> Hello JohnB,

>>>>

>>>> The user that belongs to the groups in any way will aplly the

>>>> permissions,

>>>> so the user is a local machine user and an authenticated user.

>>>> Best regards

>>>>

>>>> Meinolf Weber

>>>> Disclaimer: This posting is provided "AS IS" with no warranties,

>>>> and

>>>> confers no rights.

>>>> ** Please do NOT email, only reply to Newsgroups

>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

>>>>> I'm sorry but I don't think that explained anything for me.

>>>>>

>>>>> Shouldn't the combination of the permissions be, the most

>>>>> restrictive of the 2? That isn't the case.

>>>>>

>>>>> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message

>>>>> news:ff16fb66a406a8cab6fdfbae852c@msnews.microsoft.com...

>>>>>

>>>>>> Hello JohnB,

>>>>>>

>>>>>> As you said yourself, Users have much more rights then

>>>>>> Authenticated users. And, assuming Users applies to the

>>>>>> machinename\users, if you are connecting with RDP to the machine,

>>>>>> you are also in that group as a local user of that machine.

>>>>>>

>>>>>> Best regards

>>>>>>

>>>>>> Meinolf Weber

>>>>>> Disclaimer: This posting is provided "AS IS" with no warranties,

>>>>>> and

>>>>>> confers no rights.

>>>>>> ** Please do NOT email, only reply to Newsgroups

>>>>>> ** HELP us help YOU!!!

>>>>>> http://www.blakjak.demon.co.uk/mul_crss.htm

>>>>>>> Isn't the "effective" permissions the most restrictive

>>>>>>> combination, calculated from group or individual permissions

>>>>>>> that apply?

>>>>>>>

>>>>>>> I just checked the effective permissions (setup by someone else)

>>>>>>> of

>>>>>>> a folder that contains confidential information, and everything

>>>>>>> is

>>>>>>> checked off except Change, Full Control and Take Ownership. I

>>>>>>> did

>>>>>>> this with random users that should only have Read permissions.

>>>>>>> There are 2 groups assigned permissions on this folder; one

>>>>>>> group -

>>>>>>> Users - is granted everything but Full Control, the other is

>>>>>>> group -

>>>>>>> Authenticated Users - is granted Read & Execute, List and Read.

>>>>>>> And

>>>>>>> I would have thought those combined permissions would have

>>>>>>> resulted

>>>>>>> in Read permissions. But apparently they don't. Everyone

>>>>>>> accesses

>>>>>>> these folders through RDP sessions.

>>>>>>> Why would the Effective permissions end up being more than just

>>>>>>> Read?

>>>>>>>

>>>>>>> TIA

>>>>>>>

 Share
Go to topic listing
×
×
  • Create New...