Some of the exams required for an MCSA, MCSE, and MCDST will test your knowledge of permissions. What’s all the hubbub about? Well, the question begins simply enough: what happens when User Jane has X and Y share permissions, and A and B NTFS permissions? How does it all shake out? What’s more, let’s say that User Jane is a member of a group that gives her V and W share permissions, and another group that gives her C and D NTFS permissions. It gets pretty complicated relatively quickly. When dealing with multiple group memberships, it’s easy to understand why someone may become confused, and I certainly was until someone finally explained how share and NTFS permissions work.
The bottom line is that multiple NTFS permissions are cumulative. They stack upon each other, and the highest permission wins the day. Share permissions work the same way. Now when you mix NTFS permissions with Share permissions, the most restrictive permission between the two rules. In other words, the guy who’s at the bottom of the stack.
Think of this process as if you were looking over the network through a tunnel. A user attempts to access data over the network from left to right. The only way that he can do this is if the data is shared to begin with, so the permissions that are first encountered are share permissions. The resulting share permissions may reduce the size of the tunnel that the user looks through, reducing the amount of data that can be seen. The system then goes to the NTFS permissions. These permissions are unavoidable because they are attached to the file on the disk. The tunnel’s field of vision is further reduced based on the resulting NTFS permissions. From there, the user can see the data based on the resulting size of the tunnel.
Let’s put this to the practical test and see what happens. Jane has been denied all access share permissions to a specific folder. She has full control NTFS permissions to the same folder. The result is that she has no access to the folder because the share permissions completely blocked off the tunnel. Now, reverse the situation. Jane has Full control Share permissions to the same folder, but is Denied all NTFS permissions. Jane will first encounter the Share permissions, which do not reduce the size of the tunnel and will let her through to the NTFS permissions, but she will stop at that point because the NTFS permissions won’t allow any access. These are pretty clear-cut examples.
Let’s get a little more tricky. Jane has Read share permissions to the folder, but Change NTFS permissions. When Jane encounters the share permissions, she is granted Read and moves on. Because her field of vision has been effectively reduced to Read only, NTFS permissions cannot override this, and she accesses the data with Read only permissions. Now, turn it around: Change share permissions vs Read NTFS permissions. When Jane encounters the Change share permission, her field of vision is reduced to Change. When she encounters the Read NTFS permission, her vision is further reduced to read only, and that is the access she is granted.
What happens if Jane has multiple group memberships? This is one place where the Effective Permissions tool included with Windows Server 2003 comes in really handy. The Effective Permissions essentially runs through each membership-inherited share permission, takes the most permissive share permission, runs through each membership-inherited NTFS permission, takes the most permissive NTFS permission, and then runs the two of them through the share-first, NTFS-last procedure above.