Re: effective permission issue

From: Oli Restorick [MVP] (oli_at_mvps.org)
Date: 01/22/05 

Date: Sat, 22 Jan 2005 17:14:42 -0000

Actually, Pegasus, that's incorrect.

For a folder or files, the permissions accumulate and you get the highest
permissions that apply to you. Deny overrides everything. Next, consider
the share permissions. You get the highest permissions that apply. To find
the effective permission, you apply the most restrictive of the share and
folder permissions.

Since, in BW's scenario, the share permission is everyone:F, the only thing
to consider is the folder permissions.

BW, I assume you've just created this "Admin" group and placed the new users
into it. These users will need to log out and back in before they will be
able to access anything ACLed to the new group. Could that explain what
you're seeing?

Oli

"Pegasus (MVP)" <I.can@fly.com> wrote in message
news:%23QxzkkCAFHA.612@TK2MSFTNGP09.phx.gbl...
>
> "BW" <BW@discussions.microsoft.com> wrote in message
> news:D5376BED-3B1E-48E6-BFB3-437467743976@microsoft.com...
>> Hi All,
>>
>> I have a folder that is shared on a win2k3 server used to hold info for
>> staff. The share permissions is full control for everyone. The general
>> Staff group has read access to this folder. This works fine and staff
>> are
>> able to read and access all docs. However a couple of sub folders
>> require
>> full control for a select number of staff (in a group called Admin). I
> have
>> added the admin group to ACL with full control, which includes read
>> access
>> for Staff group inherited from above.
>>
>> Now these admin group staff still cannot write. The only way I can get
>> it
>> to work is by removing staff group permissions (of which they are also a
>> member) or giving staff group full control also. There is no deny ACL
>> set
>> and the effective permissions for admin group report as full control. Am
> I
>> missing something here? If any one can shed some light I be very
> grateful.
>>
>> BW.
>
> AFAIK, when you have ambiguous permissions, the more restrictive
> permissions apply. While admin staff are members of the General
> Staff group, they will have read-access only, regardless of any
> other permissions that you apply/
>
>

Relevant Pages

  • Re: cant get local security - error opening database
    ... I fixed the users logging in problem, they had been in admin group before ... I am working on the corrupt secedit.sdb problem now. ... > not have proper permissions to the folder. ... > modify permissions to their profile folder under documents and settings. ...
    (microsoft.public.win2000.security)
  • Re: Authentication!!
    ... the admin group isn't your primary ... The application folders defaults are to allow writing by root ... I'd suggest checking to see of the OP's permissions are the same. ... Applications folder to incorrect permissions too...not sure what. ...
    (comp.sys.mac.apps)
  • Re: Strange Client Permissions Issue
    ... I have managed to grant the required perms to the org forms folder ... When I try and configure client permissions on an organisational forms ... I have full permissions over the Admin group where I am trying to ... This offline address list will not be generated. ...
    (microsoft.public.exchange.admin)
  • Strange Client Permissions Issue
    ... When I try and configure client permissions on an organisational forms ... permissions to this folder but cannot see that either. ... I have full permissions over the Admin group where I am trying to ... This offline address list will not be generated. ...
    (microsoft.public.exchange.admin)
  • Re: effective permission issue
    ... The share permissions is full control for everyone. ... > Staff group has read access to this folder. ... > Now these admin group staff still cannot write. ...
    (microsoft.public.windows.server.general)
Quantcast