NTFS Permissions - effective

  • Thread starter Thread starter JohnB
  • Start date Start date
J

JohnB

Guest
Isn't the "effective" permissions the most restrictive combination,
calculated from group or individual permissions that apply?

I just checked the effective permissions (setup by someone else) of a folder
that contains confidential information, and everything is checked off except
Change, Full Control and Take Ownership. I did this with random users that
should only have Read permissions. There are 2 groups assigned permissions
on this folder; one group - Users - is granted everything but Full Control,
the other is group - Authenticated Users - is granted Read & Execute, List
and Read. And I would have thought those combined permissions would have
resulted in Read permissions. But apparently they don't. Everyone accesses
these folders through RDP sessions.

Why would the Effective permissions end up being more than just Read?

TIA
 
Re: NTFS Permissions - effective

Hello JohnB,

As you said yourself, Users have much more rights then Authenticated users.
And, assuming Users applies to the machinename\users, if you are connecting
with RDP to the machine, you are also in that group as a local user of that
machine.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Isn't the "effective" permissions the most restrictive combination,
> calculated from group or individual permissions that apply?
>
> I just checked the effective permissions (setup by someone else) of a
> folder that contains confidential information, and everything is
> checked off except Change, Full Control and Take Ownership. I did
> this with random users that should only have Read permissions. There
> are 2 groups assigned permissions on this folder; one group - Users -
> is granted everything but Full Control, the other is group -
> Authenticated Users - is granted Read & Execute, List and Read. And I
> would have thought those combined permissions would have resulted in
> Read permissions. But apparently they don't. Everyone accesses these
> folders through RDP sessions.
>
> Why would the Effective permissions end up being more than just Read?
>
> TIA
>
 
Re: NTFS Permissions - effective

I'm sorry but I don't think that explained anything for me.

Shouldn't the combination of the permissions be, the most restrictive of the
2? That isn't the case.


"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb66a406a8cab6fdfbae852c@msnews.microsoft.com...
> Hello JohnB,
>
> As you said yourself, Users have much more rights then Authenticated
> users. And, assuming Users applies to the machinename\users, if you are
> connecting with RDP to the machine, you are also in that group as a local
> user of that machine.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> Isn't the "effective" permissions the most restrictive combination,
>> calculated from group or individual permissions that apply?
>>
>> I just checked the effective permissions (setup by someone else) of a
>> folder that contains confidential information, and everything is
>> checked off except Change, Full Control and Take Ownership. I did
>> this with random users that should only have Read permissions. There
>> are 2 groups assigned permissions on this folder; one group - Users -
>> is granted everything but Full Control, the other is group -
>> Authenticated Users - is granted Read & Execute, List and Read. And I
>> would have thought those combined permissions would have resulted in
>> Read permissions. But apparently they don't. Everyone accesses these
>> folders through RDP sessions.
>>
>> Why would the Effective permissions end up being more than just Read?
>>
>> TIA
>>
>
>
 
Re: NTFS Permissions - effective

Hello JohnB,

The user that belongs to the groups in any way will aplly the permissions,
so the user is a local machine user and an authenticated user.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> I'm sorry but I don't think that explained anything for me.
>
> Shouldn't the combination of the permissions be, the most restrictive
> of the 2? That isn't the case.
>
> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
> news:ff16fb66a406a8cab6fdfbae852c@msnews.microsoft.com...
>
>> Hello JohnB,
>>
>> As you said yourself, Users have much more rights then Authenticated
>> users. And, assuming Users applies to the machinename\users, if you
>> are connecting with RDP to the machine, you are also in that group as
>> a local user of that machine.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Isn't the "effective" permissions the most restrictive combination,
>>> calculated from group or individual permissions that apply?
>>>
>>> I just checked the effective permissions (setup by someone else) of
>>> a folder that contains confidential information, and everything is
>>> checked off except Change, Full Control and Take Ownership. I did
>>> this with random users that should only have Read permissions.
>>> There are 2 groups assigned permissions on this folder; one group -
>>> Users - is granted everything but Full Control, the other is group -
>>> Authenticated Users - is granted Read & Execute, List and Read. And
>>> I would have thought those combined permissions would have resulted
>>> in Read permissions. But apparently they don't. Everyone accesses
>>> these folders through RDP sessions.
>>>
>>> Why would the Effective permissions end up being more than just
>>> Read?
>>>
>>> TIA
>>>
 
Re: NTFS Permissions - effective

>> so the user is a local machine user and an authenticated user
Right.

And if the permissions that are set for the 2 groups are different, the
resulting combination of the 2 would, I thought, be the most restrictve
combination. Right?




"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb66a407b8cab703cbd4dbfc@msnews.microsoft.com...
> Hello JohnB,
>
> The user that belongs to the groups in any way will aplly the permissions,
> so the user is a local machine user and an authenticated user.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> I'm sorry but I don't think that explained anything for me.
>>
>> Shouldn't the combination of the permissions be, the most restrictive
>> of the 2? That isn't the case.
>>
>> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
>> news:ff16fb66a406a8cab6fdfbae852c@msnews.microsoft.com...
>>
>>> Hello JohnB,
>>>
>>> As you said yourself, Users have much more rights then Authenticated
>>> users. And, assuming Users applies to the machinename\users, if you
>>> are connecting with RDP to the machine, you are also in that group as
>>> a local user of that machine.
>>>
>>> Best regards
>>>
>>> Meinolf Weber
>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>> confers no rights.
>>> ** Please do NOT email, only reply to Newsgroups
>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>> Isn't the "effective" permissions the most restrictive combination,
>>>> calculated from group or individual permissions that apply?
>>>>
>>>> I just checked the effective permissions (setup by someone else) of
>>>> a folder that contains confidential information, and everything is
>>>> checked off except Change, Full Control and Take Ownership. I did
>>>> this with random users that should only have Read permissions.
>>>> There are 2 groups assigned permissions on this folder; one group -
>>>> Users - is granted everything but Full Control, the other is group -
>>>> Authenticated Users - is granted Read & Execute, List and Read. And
>>>> I would have thought those combined permissions would have resulted
>>>> in Read permissions. But apparently they don't. Everyone accesses
>>>> these folders through RDP sessions.
>>>>
>>>> Why would the Effective permissions end up being more than just
>>>> Read?
>>>>
>>>> TIA
>>>>
>
>
 
Re: NTFS Permissions - effective

Hello JohnB,

From Notes under this: http://technet2.microsoft.com/windo...b1b4-4baf-8ab0-53147b22a4201033.mspx?mfr=true

If the specified object grants access to the Everyone group, the Authenticated
Users group or the Local Users group, then the effective rights will always
include those permissions, except when the specified user or group is the
Anonymous group.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

>>> so the user is a local machine user and an authenticated user
>>>
> Right.
>
> And if the permissions that are set for the 2 groups are different,
> the resulting combination of the 2 would, I thought, be the most
> restrictve combination. Right?
>
> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
> news:ff16fb66a407b8cab703cbd4dbfc@msnews.microsoft.com...
>
>> Hello JohnB,
>>
>> The user that belongs to the groups in any way will aplly the
>> permissions, so the user is a local machine user and an authenticated
>> user.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> I'm sorry but I don't think that explained anything for me.
>>>
>>> Shouldn't the combination of the permissions be, the most
>>> restrictive of the 2? That isn't the case.
>>>
>>> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
>>> news:ff16fb66a406a8cab6fdfbae852c@msnews.microsoft.com...
>>>
>>>> Hello JohnB,
>>>>
>>>> As you said yourself, Users have much more rights then
>>>> Authenticated users. And, assuming Users applies to the
>>>> machinename\users, if you are connecting with RDP to the machine,
>>>> you are also in that group as a local user of that machine.
>>>>
>>>> Best regards
>>>>
>>>> Meinolf Weber
>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>> and
>>>> confers no rights.
>>>> ** Please do NOT email, only reply to Newsgroups
>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>> Isn't the "effective" permissions the most restrictive
>>>>> combination, calculated from group or individual permissions that
>>>>> apply?
>>>>>
>>>>> I just checked the effective permissions (setup by someone else)
>>>>> of
>>>>> a folder that contains confidential information, and everything is
>>>>> checked off except Change, Full Control and Take Ownership. I did
>>>>> this with random users that should only have Read permissions.
>>>>> There are 2 groups assigned permissions on this folder; one group
>>>>> -
>>>>> Users - is granted everything but Full Control, the other is group
>>>>> -
>>>>> Authenticated Users - is granted Read & Execute, List and Read.
>>>>> And
>>>>> I would have thought those combined permissions would have
>>>>> resulted
>>>>> in Read permissions. But apparently they don't. Everyone
>>>>> accesses
>>>>> these folders through RDP sessions.
>>>>> Why would the Effective permissions end up being more than just
>>>>> Read?
>>>>>
>>>>> TIA
>>>>>
 
Re: NTFS Permissions - effective

Is this what you seek:

Effective Permission for member of noth A and B =

(PermissionA.OR.PermissionB).AND.NOT.(DenyA.OR.DenyB)
--
Regards,
Newell White


"JohnB" wrote:

> >> so the user is a local machine user and an authenticated user
> Right.
>
> And if the permissions that are set for the 2 groups are different, the
> resulting combination of the 2 would, I thought, be the most restrictve
> combination. Right?
>
>
>
>
> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
> news:ff16fb66a407b8cab703cbd4dbfc@msnews.microsoft.com...
> > Hello JohnB,
> >
> > The user that belongs to the groups in any way will aplly the permissions,
> > so the user is a local machine user and an authenticated user.
> >
> > Best regards
> >
> > Meinolf Weber
> > Disclaimer: This posting is provided "AS IS" with no warranties, and
> > confers no rights.
> > ** Please do NOT email, only reply to Newsgroups
> > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >
> >> I'm sorry but I don't think that explained anything for me.
> >>
> >> Shouldn't the combination of the permissions be, the most restrictive
> >> of the 2? That isn't the case.
> >>
> >> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
> >> news:ff16fb66a406a8cab6fdfbae852c@msnews.microsoft.com...
> >>
> >>> Hello JohnB,
> >>>
> >>> As you said yourself, Users have much more rights then Authenticated
> >>> users. And, assuming Users applies to the machinename\users, if you
> >>> are connecting with RDP to the machine, you are also in that group as
> >>> a local user of that machine.
> >>>
> >>> Best regards
> >>>
> >>> Meinolf Weber
> >>> Disclaimer: This posting is provided "AS IS" with no warranties, and
> >>> confers no rights.
> >>> ** Please do NOT email, only reply to Newsgroups
> >>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >>>> Isn't the "effective" permissions the most restrictive combination,
> >>>> calculated from group or individual permissions that apply?
> >>>>
> >>>> I just checked the effective permissions (setup by someone else) of
> >>>> a folder that contains confidential information, and everything is
> >>>> checked off except Change, Full Control and Take Ownership. I did
> >>>> this with random users that should only have Read permissions.
> >>>> There are 2 groups assigned permissions on this folder; one group -
> >>>> Users - is granted everything but Full Control, the other is group -
> >>>> Authenticated Users - is granted Read & Execute, List and Read. And
> >>>> I would have thought those combined permissions would have resulted
> >>>> in Read permissions. But apparently they don't. Everyone accesses
> >>>> these folders through RDP sessions.
> >>>>
> >>>> Why would the Effective permissions end up being more than just
> >>>> Read?
> >>>>
> >>>> TIA
> >>>>
> >
> >
>
>
 
Re: NTFS Permissions - effective

I did some more research and found the answer to my question. The "most
restrictive combination" thing that I was remembering applies to combined
Share and NTFS permissions.
When combining those, the resulting permissions is the most restrictive
combination.

And as Meinolf pointed out, when Share permissions aren't involved, the NTFS
permissions are cumulative.


"Newell White" <NewellWhite@discussions.microsoft.com> wrote in message
news:E065A4E1-2971-480F-8304-80435478C84F@microsoft.com...
> Is this what you seek:
>
> Effective Permission for member of noth A and B =
>
> (PermissionA.OR.PermissionB).AND.NOT.(DenyA.OR.DenyB)
> --
> Regards,
> Newell White
>
>
> "JohnB" wrote:
>
>> >> so the user is a local machine user and an authenticated user
>> Right.
>>
>> And if the permissions that are set for the 2 groups are different, the
>> resulting combination of the 2 would, I thought, be the most restrictve
>> combination. Right?
>>
>>
>>
>>
>> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
>> news:ff16fb66a407b8cab703cbd4dbfc@msnews.microsoft.com...
>> > Hello JohnB,
>> >
>> > The user that belongs to the groups in any way will aplly the
>> > permissions,
>> > so the user is a local machine user and an authenticated user.
>> >
>> > Best regards
>> >
>> > Meinolf Weber
>> > Disclaimer: This posting is provided "AS IS" with no warranties, and
>> > confers no rights.
>> > ** Please do NOT email, only reply to Newsgroups
>> > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>> >
>> >> I'm sorry but I don't think that explained anything for me.
>> >>
>> >> Shouldn't the combination of the permissions be, the most restrictive
>> >> of the 2? That isn't the case.
>> >>
>> >> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
>> >> news:ff16fb66a406a8cab6fdfbae852c@msnews.microsoft.com...
>> >>
>> >>> Hello JohnB,
>> >>>
>> >>> As you said yourself, Users have much more rights then Authenticated
>> >>> users. And, assuming Users applies to the machinename\users, if you
>> >>> are connecting with RDP to the machine, you are also in that group as
>> >>> a local user of that machine.
>> >>>
>> >>> Best regards
>> >>>
>> >>> Meinolf Weber
>> >>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> >>> confers no rights.
>> >>> ** Please do NOT email, only reply to Newsgroups
>> >>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>> >>>> Isn't the "effective" permissions the most restrictive combination,
>> >>>> calculated from group or individual permissions that apply?
>> >>>>
>> >>>> I just checked the effective permissions (setup by someone else) of
>> >>>> a folder that contains confidential information, and everything is
>> >>>> checked off except Change, Full Control and Take Ownership. I did
>> >>>> this with random users that should only have Read permissions.
>> >>>> There are 2 groups assigned permissions on this folder; one group -
>> >>>> Users - is granted everything but Full Control, the other is group -
>> >>>> Authenticated Users - is granted Read & Execute, List and Read. And
>> >>>> I would have thought those combined permissions would have resulted
>> >>>> in Read permissions. But apparently they don't. Everyone accesses
>> >>>> these folders through RDP sessions.
>> >>>>
>> >>>> Why would the Effective permissions end up being more than just
>> >>>> Read?
>> >>>>
>> >>>> TIA
>> >>>>
>> >
>> >
>>
>>
 
Re: NTFS Permissions - effective

Hello JohnB,

That's correct, so i misunderstood your question a bit.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> I did some more research and found the answer to my question. The
> "most
> restrictive combination" thing that I was remembering applies to
> combined
> Share and NTFS permissions.
> When combining those, the resulting permissions is the most
> restrictive
> combination.
> And as Meinolf pointed out, when Share permissions aren't involved,
> the NTFS permissions are cumulative.
>
> "Newell White" <NewellWhite@discussions.microsoft.com> wrote in
> message news:E065A4E1-2971-480F-8304-80435478C84F@microsoft.com...
>
>> Is this what you seek:
>>
>> Effective Permission for member of noth A and B =
>>
>> (PermissionA.OR.PermissionB).AND.NOT.(DenyA.OR.DenyB)
>> --
>> Regards,
>> Newell White
>> "JohnB" wrote:
>>
>>>>> so the user is a local machine user and an authenticated user
>>>>>
>>> Right.
>>>
>>> And if the permissions that are set for the 2 groups are different,
>>> the resulting combination of the 2 would, I thought, be the most
>>> restrictve combination. Right?
>>>
>>> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
>>> news:ff16fb66a407b8cab703cbd4dbfc@msnews.microsoft.com...
>>>
>>>> Hello JohnB,
>>>>
>>>> The user that belongs to the groups in any way will aplly the
>>>> permissions,
>>>> so the user is a local machine user and an authenticated user.
>>>> Best regards
>>>>
>>>> Meinolf Weber
>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>> and
>>>> confers no rights.
>>>> ** Please do NOT email, only reply to Newsgroups
>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>> I'm sorry but I don't think that explained anything for me.
>>>>>
>>>>> Shouldn't the combination of the permissions be, the most
>>>>> restrictive of the 2? That isn't the case.
>>>>>
>>>>> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
>>>>> news:ff16fb66a406a8cab6fdfbae852c@msnews.microsoft.com...
>>>>>
>>>>>> Hello JohnB,
>>>>>>
>>>>>> As you said yourself, Users have much more rights then
>>>>>> Authenticated users. And, assuming Users applies to the
>>>>>> machinename\users, if you are connecting with RDP to the machine,
>>>>>> you are also in that group as a local user of that machine.
>>>>>>
>>>>>> Best regards
>>>>>>
>>>>>> Meinolf Weber
>>>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>>>> and
>>>>>> confers no rights.
>>>>>> ** Please do NOT email, only reply to Newsgroups
>>>>>> ** HELP us help YOU!!!
>>>>>> http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>>>> Isn't the "effective" permissions the most restrictive
>>>>>>> combination, calculated from group or individual permissions
>>>>>>> that apply?
>>>>>>>
>>>>>>> I just checked the effective permissions (setup by someone else)
>>>>>>> of
>>>>>>> a folder that contains confidential information, and everything
>>>>>>> is
>>>>>>> checked off except Change, Full Control and Take Ownership. I
>>>>>>> did
>>>>>>> this with random users that should only have Read permissions.
>>>>>>> There are 2 groups assigned permissions on this folder; one
>>>>>>> group -
>>>>>>> Users - is granted everything but Full Control, the other is
>>>>>>> group -
>>>>>>> Authenticated Users - is granted Read & Execute, List and Read.
>>>>>>> And
>>>>>>> I would have thought those combined permissions would have
>>>>>>> resulted
>>>>>>> in Read permissions. But apparently they don't. Everyone
>>>>>>> accesses
>>>>>>> these folders through RDP sessions.
>>>>>>> Why would the Effective permissions end up being more than just
>>>>>>> Read?
>>>>>>>
>>>>>>> TIA
>>>>>>>
 
Back
Top