E

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"LTCstudent" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> This is a question from my book that me my friend and I are struggling
> with.
>
>
>
> ::*A user is assigned Read permission to the NTFS folder C:\ACCOUNTING.
> They require full access to C:\ACCOUNTING\FORMS. This can be
> accomplished by:*
> ::
> *A)* not possible
>
> *B)* blocking permission inheritance at C:\ACCOUNTING\FORMS and
> assigning the user Full control to C:\ACCOUNTING\FORMS
>
> *C)* assigning the user Full control to C:\ACCOUNTING
>
> *D)* blocking permission inheritance at C:\ACCOUNTING and assigning the
> user Full control to C:\ACCOUNTING\FORMS
>
> *E)* assigning the user Full control to C:\ACCOUNTING\FORMS
>
>
>
> My friend believes the answer is *E*. I believe that may give you the
> same end result that you are looking for, but that would be assuming
> that the _Full_Control_ permission would override the _Read_ permission
> (which may be true, but our book doesn't specifically state anything
> like that).
>
> I personally believe the answer is *B* because when you deny the
> permission inheritance, it will (as stated in the book) prompt you to
> clarify whether the permissions should be copied or just removed
> entirely. Then you can clarify what permission the C:\ACCOUNTING\FORMS
> folder should have.
>
>
>
> His reasoning is (I think this is crap by the way) that the book wants
> us to go the "shortest" route possible, similar to computer programming.
> The analogy he used was that when you are writing a program you try to
> write the program as small and use as few steps as possible in order to
> make the program as efficient as possible and that is the same with this
> question and that is why E is right. :sarc:
>
> My reasoning is that the book explains permissions as though you should
> remove the inheritance from the folder then assign the permission the
> way you want the person to have them. Period.
>
> Please help us figure this out. We have a mid-term Wednesday (in 2
> days) and I'm beginning to get confused. TIA
>
>
> --
> LTCstudent

On Tue, 13 Oct 2009 17:31:16 -0500, LTCstudent
<(E-Mail Removed)> wrote:


>I don't know. I'm not trying to aggravate anyone here and I'm not
>trying to insult anyone's knowledge in NTFS security, I'm just trying to
>understand why the answer is *E* and not *B* and why there are so many
>professionals giving different answers. Thanks again.

Both methods would work but why bother with B when E will suffice?

"LTCstudent" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> Ok... When I checked the forum for responses to my question this morning
> before school, I had 2 responses: One saying the answer was *E* and the
> other saying the answer was *B*. That kind of sucked, but I wasn't
> worried because I figured I would just ask one of the teachers at
> school.
>
> Well, I asked Teacher #1 who is really knowledgeable about Server and
> permissions (he teaches Server, Exchange, etc at the school) and he said
> the answer was *B*. But then I mentioned it to Teacher #2 (who actually
> teaches the class where this question arose) and he said the answer was
> *E*. I guess 'street smarts' would say just go with the teacher who is
> teaching the class and be done with it, but i really want to understand
> this stuff.
>
> So now I've returned from school and it looks like the consensus on
> this forum is that the correct answer is *E* which is fine. BUT Teacher
> #1 made a convincing point to me. He stated that the _only_ permission
> assigned to a folder (c:\accounting\forms) that can override the
> inheritance permission is the 'Deny' permission unless you -block the
> permission inheritance-.
>

OK, now you're just trying to come up with a scenario where answer B might
work better and misinterpreted what Teacher #1 is saying to fit your
argument.

There's three states of access control.

Expressly granted access
If your name is on the guest list you get in.
The host knows you and you been invited.

No access permission granted
Your name is not on the guest list, you are not getting in.
The host does not know you and you're not invited in.

Expressly denied access
You name appears on list of people forbidden to enter, you're not getting
in.
The host knows you and told the guards to keep you out.


It seems to me, you're confusing "No access permission granted" with
"Expressly denied access." In the original scenario, it does not mention
"deny" at all. Not being granted access is not the same as expressly denied
access, although the net result is the same.

If you are expressly denied access to the party, but want to use the
port-a-potty outback and the guard at the port-a-potty is told to let you
use it, you can. In this case, Teacher
#1 is wrong. Block permission inheritance doesn't do any good here.
Expressly granted permission overrides denied inherited permission. As long
as you bypass the party and go directly to the port-a-potty.

Using the Command Prompt, you can CD (change directory) to
/Party/Port-a-Potty, but you can't CD to /Party.


Only "Expressly granted access" will get you in. "No permissions granted"
means you aren't granted access and "Expressly denied access" means you are
denied access by name. The latter two denies you permission.

Block permission inheritance is used when you want the subfolder to have
tighter restrictions than the parent folder. You want to grant full access
to ACCOUNTING, but only READ access to FORMS. So you use block permission
inheritance so the user doesn't get full access to FORMS, because they
inherited full access from ACCOUNTING.


> If the answer is *E* that would mean that 'Full Control' can also
> override the 'Read' permission. I'm assuming you guys say this because
> assigning 'Full Control' permission is giving the user more control
> therefore it will take precedence?
>

I strongly disagree with the usage of "override".

It's a logical AND, you have Read access AND Full Control, net permission
access is Full Control. Now, if you had inherited Expressly denied read
access and receive Full access control THEN that would override the
inherited expressly denied read access.

Blocking permission inheritance so the user doesn't get Read access makes no
sense if the net permission access is going to be Full Control. It doesn't
hurt, but it's a pointless gesture.

You want to block permission inheritance if you want to limit the access to
subfolders. It resets the access permissions, so you start with no access
granted. Then access permissions are added from there, rather than
inherited from the parent.


>
> I don't know. I'm not trying to aggravate anyone here and I'm not
> trying to insult anyone's knowledge in NTFS security, I'm just trying to
> understand why the answer is *E* and not *B* and why there are so many
> professionals giving different answers. Thanks again.
>
>
> --
> LTCstudent


Well, I haven't seen anyone pick B and you misinterpreted Teacher #1 and he
is also wrong about usage of block permission inheritance.


I would stick with what Teacher #2 says, he seems to know what he is talking
about. He IS the one teaching the class and you can do your own tests to
verify what he says is true.

But that's just my opinion.

Thanks to your post, I had to do some investigating and I ended up learning
a thing or two about NTFS security.

"Tae Song" <(E-Mail Removed)> wrote in message
news:406C5B33-706A-4168-9109-(E-Mail Removed)...
>
> "LTCstudent" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>>
>> Ok... When I checked the forum for responses to my question this
>> morning
>> before school, I had 2 responses: One saying the answer was *E* and
>> the
>> other saying the answer was *B*.

What I said was that I thought the "expected answer" was *B*, not that
it was the *right* answer. Often what is taught in schools is not
*right*. My thinking was that the teacher may be stressing a point to be
considered during your current level of understanding. I didn't like any
of the choices given. I thought (and it might be stressed later on) that
creating a group with the desired permissions and placing that *user* in
that group would be best (occam's razor be damned) for manageability.
Then, is the user's need to have full access truly correct - does he or
she *need* "take ownership" or "change permissions" - perhaps "modify"
rights would be sufficient (least privilege). Is it really desired that
some permissions for that subfolder be contingent upon whatever changes
to the parent folder are made in the future? If so, you would want
inheritance to remain intact.

>> That kind of sucked, but I wasn't
>> worried because I figured I would just ask one of the teachers at
>> school.

They probably stress "Occam's razor" and have the simplest solution
being the *correct* solution.

Can you forsee the mess created by adding more individual users and and
their desired permissions by explicit deny or allow on an object? When
(and if) there comes a time to rescind access, will you be able to keep
track of who has access to what?

>> Well, I asked Teacher #1 who is really knowledgeable about Server and
>> permissions (he teaches Server, Exchange, etc at the school) and he
>> said
>> the answer was *B*. But then I mentioned it to Teacher #2 (who
>> actually
>> teaches the class where this question arose) and he said the answer
>> was
>> *E*. I guess 'street smarts' would say just go with the teacher who
>> is
>> teaching the class and be done with it, but i really want to
>> understand
>> this stuff.

Teacher two (teaching the class in question) will give you the *correct*
answer for that class, so go with it.

>> So now I've returned from school and it looks like the consensus on
>> this forum is that the correct answer is *E* which is fine. BUT
>> Teacher
>> #1 made a convincing point to me. He stated that the _only_
>> permission
>> assigned to a folder (c:\accounting\forms) that can override the
>> inheritance permission is the 'Deny' permission unless you -block the
>> permission inheritance-.

He is wrong. A specific allow will take precedence over an inherited
deny.

The first check (after any Mandatory Label check) is the first ACE entry
which "should be" the explicit deny, then the explicit allow, then the
inherited deny, then the inherited allow (followed by grandparent
inheritance etcetera as required).

> OK, now you're just trying to come up with a scenario where answer B
> might work better and misinterpreted what Teacher #1 is saying to fit
> your argument.

If teacher #1 really said that specific allow won't take precendence
over inherited deny, I think he is wrong.

If *both* an allow and a deny appear at the same tier, the deny will
take precedence however.

> There's three states of access control.
>
> Expressly granted access
> If your name is on the guest list you get in.
> The host knows you and you been invited.
>
> No access permission granted
> Your name is not on the guest list, you are not getting in.
> The host does not know you and you're not invited in.

Please mister bouncer, check your *other* list if no specific deny or
allow is found on *this* list.

(I'm in the "bartender" and "firewatch" groups - so if you want drinks
and fire extinguishers at the ready....)

[...]