Guest JohnB Posted July 18, 2008

Isn't the "effective" permissions the most restrictive combination, calculated from group or individual permissions that apply?

I just checked the effective permissions (set up by someone else) of a folder that contains confidential information, and everything is checked off except Change, Full Control and Take Ownership. I did this with random users that should only have Read permissions. There are 2 groups assigned permissions on this folder; one group - Users - is granted everything but Full Control, the other group - Authenticated Users - is granted Read & Execute, List and Read. And I would have thought those combined permissions would have resulted in Read permissions. But apparently they don't. Everyone accesses these folders through RDP sessions.

Why would the Effective permissions end up being more than just Read?

TIA
Guest Meinolf Weber Posted July 18, 2008

Re: NTFS Permissions - effective

Hello JohnB,

As you said yourself, Users have much more rights than Authenticated Users. And, assuming Users applies to the machinename\users, if you are connecting with RDP to the machine, you are also in that group as a local user of that machine.

Best regards
Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Guest JohnB Posted July 18, 2008

I'm sorry but I don't think that explained anything for me.

Shouldn't the combination of the permissions be the most restrictive of the 2? That isn't the case.
Guest Meinolf Weber Posted July 18, 2008

Hello JohnB,

The user that belongs to the groups in any way will apply the permissions, so the user is a local machine user and an authenticated user.

Best regards
Meinolf Weber
Guest JohnB Posted July 18, 2008

> so the user is a local machine user and an authenticated user

Right.

And if the permissions that are set for the 2 groups are different, the resulting combination of the 2 would, I thought, be the most restrictive combination. Right?
Guest Meinolf Weber Posted July 18, 2008

Hello JohnB,

From Notes under this: http://technet2.microsoft.com/windowsserver/en/library/87b011ec-b1b4-4baf-8ab0-53147b22a4201033.mspx?mfr=true

If the specified object grants access to the Everyone group, the Authenticated Users group or the Local Users group, then the effective rights will always include those permissions, except when the specified user or group is the Anonymous group.

Best regards
Meinolf Weber
Guest Newell White Posted July 18, 2008

Is this what you seek:

Effective Permission for member of both A and B =

(PermissionA.OR.PermissionB).AND.NOT.(DenyA.OR.DenyB)

--
Regards,
Newell White
Guest JohnB Posted July 18, 2008

I did some more research and found the answer to my question. The "most restrictive combination" thing that I was remembering applies to combined Share and NTFS permissions. When combining those, the resulting permissions are the most restrictive combination. And as Meinolf pointed out, when Share permissions aren't involved, the NTFS permissions are cumulative.
Guest Meinolf Weber Posted July 18, 2008

Hello JohnB,

That's correct, so I misunderstood your question a bit.

Best regards
Meinolf Weber
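
The two rules the thread settles on, worked through as an added example that is not from any of the posters: NTFS ACEs for every group in the user's token accumulate (minus denies), and a share permission then caps the result. This is a simplified Python model of the evaluation; the mask values are those of .NET's FileSystemRights enum, while the account names, the `Confidential-ReadOnly` group and the reuse of the same masks for share permissions are assumptions.

```python
from dataclasses import dataclass

# Access masks: values of .NET's FileSystemRights enum.
READ_EXECUTE = 0x0200A9   # Read & Execute, List, Read
WRITE_DELETE = 0x010116   # Write | Delete
MODIFY       = 0x0301BF   # everything but Full Control
FULL_CONTROL = 0x1F01FF   # adds Change Permissions and Take Ownership

@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # account name standing in for a SID (model simplification)
    mask: int

def ntfs_effective(dacl, token):
    """Walk the DACL in order; each bit is decided by the first matching ACE.

    With deny ACEs listed first (canonical order) the result equals
    (allow A | allow B) & ~(deny A | deny B).
    """
    granted = denied = 0
    for ace in dacl:
        if ace.trustee not in token:
            continue                          # ACE is for someone else
        if ace.kind == "deny":
            denied |= ace.mask & ~granted     # cannot revoke an earlier grant
        else:
            granted |= ace.mask & ~denied     # cannot override an earlier deny
    return granted

def through_share(share_mask, ntfs_mask):
    """Over a share both checks must pass, so only the common bits survive."""
    return share_mask & ntfs_mask

def label(mask):
    """Name the highest standard permission level fully contained in mask."""
    for name, value in (("Full Control", FULL_CONTROL), ("Modify", MODIFY),
                        ("Read & Execute", READ_EXECUTE)):
        if mask & value == value:
            return name
    return "less than Read & Execute"

# Constructed scenario from the thread: two allow ACEs on the folder.
FOLDER_DACL = [
    Ace("allow", "Users", MODIFY),
    Ace("allow", "Authenticated Users", READ_EXECUTE),
]
# A user logged on to the machine through RDP carries both groups.
RDP_TOKEN = {"jdoe", "Users", "Authenticated Users"}

# Two ways back to read-only (assumptions, not steps from the thread):
DACL_WITHOUT_USERS = [a for a in FOLDER_DACL if a.trustee != "Users"]
DACL_WITH_DENY = [Ace("deny", "Confidential-ReadOnly", WRITE_DELETE)] + FOLDER_DACL

if __name__ == "__main__":
    print("as configured:      ", label(ntfs_effective(FOLDER_DACL, RDP_TOKEN)))
    print("Users ACE removed:  ", label(ntfs_effective(DACL_WITHOUT_USERS, RDP_TOKEN)))
    print("deny for the group: ", label(ntfs_effective(
        DACL_WITH_DENY, RDP_TOKEN | {"Confidential-ReadOnly"})))
    print("via read-only share:", label(through_share(
        READ_EXECUTE, ntfs_effective(FOLDER_DACL, RDP_TOKEN))))
```

Because the walk is order-sensitive, a deny ACE placed after an allow ACE for the same bits does not take effect in this model, which is why the simple OR/AND-NOT form only holds when denies come first.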