Hi there
With NTFS file permissions, a user gets the greatest permission provided by
all the groups and users listed in the access control list.
So, say you'd given the following permissions on a folder:
Everyone: F
Accounts: R
The effective permissions for members of the accounts group will be Full
Control.
When accessing these files through a share, the share permissions work in a
similar way (i.e. you get the greatest permissions on the share's access
control list).
Once you've determined the permissions given on the filesystem (NTFS) and
those given by the share, you have to consider how they interact.
The rule with interaction of share permissions and NTFS permissions is that
the LOWEST permission is what governs the effective permission.
To take an example:
NTFS permissions
Group1:F
Group2:R
Share permissions:
Group1:C
Group2:F
Suppose you have a user who is a member of both group1 and group2. At
the NTFS level, he will get Full Control by virtue of being in group1. At
the share level, he will get Full Control by virtue of being in group2. The
effective permission for that user accessing the files through the share
will be full control.
Suppose a user is a member of group1. He gets full control at the NTFS
level and change permissions at the share level. Result: change permission.
Although he has full control at the NTFS level, because he's accessing files
through the share, he is restricted to only change.
Finally, suppose a user is a member only of group2. NTFS=R, Share=F. Result=R
The only exception to this is if you use "Deny", which overrides any other
permission they may have. However, I would strongly recommend against use
of "deny" as you can get in a real mess.
What I do when I create a server is to create a data folder which has full
control for administrators and no permissions for anybody else. Then,
directories created underneath inherit this and it's up to the administrator
creating the directory to give appropriate permissions.
Hope this helps
Oli
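
The rules described in the post above, as an added Python sketch that is not part of the original post. It assumes the post's shorthand forms an ordered scale (N < R < C < F), that every user is implicitly a member of Everyone, and that "Deny" means deny-everything; the function and variable names are hypothetical.

```python
# Added illustration, not from the original post. Assumptions: levels form an
# ordered scale (N < R < C < F) as in the post's shorthand; real Windows ACEs
# are access-mask bits. "Deny" is modelled only as deny-everything.
LEVELS = {"N": 0, "R": 1, "C": 2, "F": 3}
NAMES = {rank: name for name, rank in LEVELS.items()}

def layer_level(acl, groups):
    """Rank granted by one ACL: greatest Allow entry, unless a Deny matches."""
    principals = set(groups) | {"Everyone"}  # assumption: every user is in Everyone
    matched = [(kind, level) for who, kind, level in acl if who in principals]
    if any(kind == "deny" for kind, _ in matched):
        return LEVELS["N"]  # Deny overrides any Allow the user also holds
    return max((LEVELS[level] for _, level in matched), default=LEVELS["N"])

def effective(ntfs_acl, share_acl, groups, via_share=True):
    """Effective level: NTFS alone locally, the lower of NTFS and share remotely."""
    ntfs = layer_level(ntfs_acl, groups)
    if not via_share:
        return NAMES[ntfs]
    return NAMES[min(ntfs, layer_level(share_acl, groups))]

# The ACLs from the post's worked example.
NTFS_ACL = [("Group1", "allow", "F"), ("Group2", "allow", "R")]
SHARE_ACL = [("Group1", "allow", "C"), ("Group2", "allow", "F")]

def post_scenarios():
    """The three users walked through in the post, plus a constructed Deny case."""
    denied_ntfs = NTFS_ACL + [("Group2", "deny", "F")]  # constructed entry
    return {
        "both groups": effective(NTFS_ACL, SHARE_ACL, {"Group1", "Group2"}),
        "group1 only": effective(NTFS_ACL, SHARE_ACL, {"Group1"}),
        "group2 only": effective(NTFS_ACL, SHARE_ACL, {"Group2"}),
        "both groups, Group2 denied": effective(denied_ntfs, SHARE_ACL, {"Group1", "Group2"}),
    }

if __name__ == "__main__":
    for user, level in post_scenarios().items():
        print(f"{user}: {level}")
```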