OK, so we have gone over NTFS permissions and share permissions. Now you need to understand what happens when these two types of permissions are combined. Multiple NTFS permissions are cumulative. They stack upon each other, and the highest permission is the effective permission. Share permissions work the same way. However, when you combine NTFS permissions and share permissions the most restrictive permission between the two becomes the effective permission.

For example, Jane has been denied all access share permission to a specific folder. She has full control NTFS permission to the same folder. The result is that she has no access to the folder because the share permission is the most restrictive permission. Now, reverse the situation. Jane has Full control share permission to the same folder, but Denied all NTFS permission. Jane will first encounter the share permission, which permit access and let her through to the NTFS permissions, but she will stop at that point because the NTFS permissions won’t allow any access. These are pretty clear-cut examples.

Here is a more difficult example. Jane has Read share permission to the folder, but Change NTFS permission. When Jane encounters the share permission, she is granted Read and moves on. Because the share permission is Read only and more the restrictive permission, the NTFS permission cannot override this, and she accesses the data with Read only permissions. Now, turn it around: Change share permissions vs Read NTFS permissions. When Jane encounters the Change share permission, her field of vision is reduced to Change. When she encounters the Read NTFS permission, her vision is further reduced to read only, and that is the access she is granted.

You also need to consider group membership. This is one place where the Effective Permissions tool included with Windows XP becomes very useful. The Effective Permissions essentially runs through each membership-inherited share permission, takes the most permissive share permission, runs through each membership-inherited NTFS permission, takes the most permissive NTFS permission, and then runs the two of them through the share-first, NTFS-last procedure above.

[tags]windows,xp,troubleshooting,exam 70-271,certification[/tags]