Security Vs. Share Permissions
-
There was a question on the 70-410 exam about sharing & security permissions. Are they cumulative? The question was basically:
Folder1 has sharing permissions for User1 (read & execute) and User2 (read & execute). The security permissions removed the Everyone group and added Group1 with Modify. User1 was part of Group1.
The question was:
Would user1 be able to delete files from Folder1?
Would user2 be able to delete files from Folder1? -
James,
Yes, the permissions are cumulative. The "effective" permissions in your scenario would be User1 (Read, Execute and Modify) and User2 (Read and Execute). So, User1 would be able to delete files, but User2 would not.
The exception to this is when you are mixing share permissions with NTFS file permissions. In that case, the "effective" permissions are calculated from whichever set of permissions is the most restrictive.
Let me know if you have any other questions,
Don Pezet
Host, ITProTV -
As a follow-up, I found an example. In advanced security settings for a share, Everyone has Modify permissions. In the share tab, Everyone has Change permissions. The question I have is what permission gives you the ability to delete files from the share. My guess is that if you have Change permissions on the share tab you can delete from the folder.
-
edit.
-
Never mind on this. It is a bad Microsoft question. Once you give Everyone Change permission, User 1 can delete files in the folder. Without an explicit deny on the user or group, User 1 can delete the files. The permissions in the example were:
User 1: Member of Group 1
Group 1: Read & Execute
Everyone: Change permission
I don't know why the exam says User 1 can't delete files in the folder which is what caused me to ask the question to begin with, but I recreated the question in my lab and tested it that way. Thanks for the help. -
Hold the presses! I found my mistake. In advanced security you can set conditions. The condition for Everyone was Modify permissions for everyone except members of Group 1. After testing, User 1 could not delete files in that folder with that condition set. Tricky.
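
The lab result in the last two posts can be reproduced with a small model. This is an added example, not part of the thread and not the actual Windows access check: rights are modelled as sets rather than ordered ACEs with access masks, and the `User2` non-member token and all ACL data are constructed for illustration.

```python
# Added example: simplified model of share + NTFS evaluation (assumption-based).
READ_EXECUTE = frozenset({"read", "execute"})
MODIFY = READ_EXECUTE | {"write", "delete"}        # NTFS Modify
SHARE_CHANGE = READ_EXECUTE | {"write", "delete"}  # share-level Change

def ntfs_rights(token, aces):
    """Union of matching allow ACEs minus matching deny ACEs.
    Simplification: real ACLs are ordered lists of access masks."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace["trustee"] not in token:
            continue
        cond = ace.get("condition")
        if cond is not None and not cond(token):
            continue  # a conditional ACE whose expression is false grants nothing
        (denied if ace["type"] == "deny" else allowed).update(ace["rights"])
    return allowed - denied

def share_rights(token, share_acl):
    """Union of share permissions for every trustee present in the token."""
    rights = set()
    for trustee, granted in share_acl:
        if trustee in token:
            rights |= granted
    return rights

def effective_rights(token, share_acl, aces):
    # Over the network, a right must be granted by both the share and NTFS.
    return share_rights(token, share_acl) & ntfs_rights(token, aces)

def can_delete(token, share_acl, aces):
    return "delete" in effective_rights(token, share_acl, aces)

# Constructed tokens and ACLs mirroring the lab described in the thread.
USER1 = {"User1", "Group1", "Everyone"}
OUTSIDER = {"User2", "Everyone"}  # hypothetical user outside Group1
SHARE = [("Everyone", SHARE_CHANGE)]
GROUP1_ACE = {"type": "allow", "trustee": "Group1", "rights": READ_EXECUTE}
NTFS_PLAIN = [GROUP1_ACE,
              {"type": "allow", "trustee": "Everyone", "rights": MODIFY}]
NTFS_CONDITIONAL = [GROUP1_ACE,
                    {"type": "allow", "trustee": "Everyone", "rights": MODIFY,
                     "condition": lambda tok: "Group1" not in tok}]

if __name__ == "__main__":
    for name, acl in (("plain", NTFS_PLAIN), ("conditional", NTFS_CONDITIONAL)):
        print(name, "User1 can delete:", can_delete(USER1, SHARE, acl))
```

With the unconditional Everyone entry, User 1 inherits Modify through Everyone and can delete; with the condition excluding Group 1 members, only the Group 1 Read & Execute entry applies.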