Otdfbt

Will google still index a page if I use a $_SESSION variable?

Is the Joker left-handed?

Anagram holiday

Forgetting the musical notes while performing in concert

Is it inappropriate for a student to attend their mentor's dissertation defense?

Can I ask the recruiters in my resume to put the reason why I am rejected?

How can I prevent hyper evolved versions of regular creatures from wiping out their cousins?

Took a trip to a parallel universe, need help deciphering

Combinations of multiple lists

In Romance of the Three Kingdoms why do people still use bamboo sticks when paper had already been invented?

Arrow those variables!

A reference to a well-known characterization of scattered compact spaces

How to model explosives?

Intersection of two sorted vectors in C++

I'm flying to France today and my passport expires in less than 2 months

What is the intuition behind short exact sequences of groups; in particular, what is the intuition behind group extensions?

What does it mean to describe someone as a butt steak?

When a company launches a new product do they "come out" with a new product or do they "come up" with a new product?

How can I make my BBEG immortal short of making them a Lich or Vampire?

Why doesn't H₄O²⁺ exist?

Is "remove commented out code" correct English?

What exploit are these user agents trying to use?

What to put in ESTA if staying in US for a few days before going on to Canada

What mechanic is there to disable a threat instead of killing it?

Understanding Windows share deny permissions

Best practice ACLs to prepare for auditors?Domain-wide deny ACL not applied?Server 2012 R2 - hidden Share$ not accessibleHow to control access to folders to a Windows VPN client session?DFS-R replication: NTFS permissions don't work on some subfolders on membersAccess denied on single file with explicit permissions setSamba4 ignoring Windows Group PermissionsWindows Share Permissions VS NTFS Permissions IssueLet users see a folder in a Windows File Share, but not enter itAccess denied connecting to a share using Windows 10

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

2

1

I am developing some reporting for a series of Windows shares and I am not clear on the implementation details regarding permissions with deny types. While trying to calculate the resulting effective mask a user is subjected to after compensating for all share and ntfs permissions, it is not clear to me how to accomodate a deny type if present at the share level.

According to Permissions on a Shared Folder, the more restrictive permission takes precedence between the share and ntfs permissions and a deny type at the share level supersedes any permission at the ntfs level.

Consider the case where user-a has an explicit grant for Full Control at both the share and ntfs level.

If a group which user-a is a member of is added to the shares acl, any combination of a deny, Read, Change or Full Control manifests as no access at all for user-a. In addition, with the group set to Read on the share permission, user-a cannot delete a file if the path is known programmatically.

Effectively, if the context accessing a share acquires a deny of any mask, all access is denied based on my tests.

What is the use case for three mask options with a deny when the least restrictive (read) prevents all access entirely? I am aware that you can set finer grained permissions programmatically, however why expose even 3 from the UI when they all behave the same?

windows-server-2012-r2 access-control-list

share|improve this question

asked 2 days ago

Ritmo2kRitmo2k

1111

New contributor

Ritmo2k is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  What is the use case for three mask options with a deny when the least restrictive (read) prevents all access. There isn't a use case.
  
  – Greg Askew
  2 days ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  There most certainly has to be a valid reason for this misleading implementation detail, I would love to know it. Feel free to write this up as an answer and thanks for the confirmation.
  
  – Ritmo2k
  2 days ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Share Permissions and NTFS permissions come from different areas of thinking. Share permissions existed before NTFS came along, and are included for backwards compatibility with older Drive Formats (fat, fat32). As far as I am personally aware, if you have NTFS permissions, share permissions are set to Everyone and full access. NTFS permissions will then apply without any quirks.
  
  – Stese
  2 days ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @Stese, it can sometimes be useful to have two shares pointing at the same directory, one of which is read-write and the other read-only. Also, setting the share permissions to "change" rather than "full control" can be a convenient way to prevent people messing with the file permissions, even for files they own.
  
  – Harry Johnston
  2 days ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  The reason there are three separate "deny" checkboxes is probably just that Microsoft wanted to use the user interface that already existed for file permissions, rather than trying to design and implement a new one.
  
  – Harry Johnston
  2 days ago
  

  
  
  
  

 | 
show 4 more comments

2

1

I am developing some reporting for a series of Windows shares and I am not clear on the implementation details regarding permissions with deny types. While trying to calculate the resulting effective mask a user is subjected to after compensating for all share and ntfs permissions, it is not clear to me how to accomodate a deny type if present at the share level.

According to Permissions on a Shared Folder, the more restrictive permission takes precedence between the share and ntfs permissions and a deny type at the share level supersedes any permission at the ntfs level.

Consider the case where user-a has an explicit grant for Full Control at both the share and ntfs level.

If a group which user-a is a member of is added to the shares acl, any combination of a deny, Read, Change or Full Control manifests as no access at all for user-a. In addition, with the group set to Read on the share permission, user-a cannot delete a file if the path is known programmatically.

Effectively, if the context accessing a share acquires a deny of any mask, all access is denied based on my tests.

What is the use case for three mask options with a deny when the least restrictive (read) prevents all access entirely? I am aware that you can set finer grained permissions programmatically, however why expose even 3 from the UI when they all behave the same?

windows-server-2012-r2 access-control-list

share|improve this question

asked 2 days ago

Ritmo2kRitmo2k

1111

New contributor

Ritmo2k is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  What is the use case for three mask options with a deny when the least restrictive (read) prevents all access. There isn't a use case.
  
  – Greg Askew
  2 days ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  There most certainly has to be a valid reason for this misleading implementation detail, I would love to know it. Feel free to write this up as an answer and thanks for the confirmation.
  
  – Ritmo2k
  2 days ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Share Permissions and NTFS permissions come from different areas of thinking. Share permissions existed before NTFS came along, and are included for backwards compatibility with older Drive Formats (fat, fat32). As far as I am personally aware, if you have NTFS permissions, share permissions are set to Everyone and full access. NTFS permissions will then apply without any quirks.
  
  – Stese
  2 days ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @Stese, it can sometimes be useful to have two shares pointing at the same directory, one of which is read-write and the other read-only. Also, setting the share permissions to "change" rather than "full control" can be a convenient way to prevent people messing with the file permissions, even for files they own.
  
  – Harry Johnston
  2 days ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  The reason there are three separate "deny" checkboxes is probably just that Microsoft wanted to use the user interface that already existed for file permissions, rather than trying to design and implement a new one.
  
  – Harry Johnston
  2 days ago
  

  
  
  
  

 | 
show 4 more comments

I am developing some reporting for a series of Windows shares and I am not clear on the implementation details regarding permissions with deny types. While trying to calculate the resulting effective mask a user is subjected to after compensating for all share and ntfs permissions, it is not clear to me how to accomodate a deny type if present at the share level.

According to Permissions on a Shared Folder, the more restrictive permission takes precedence between the share and ntfs permissions and a deny type at the share level supersedes any permission at the ntfs level.

Consider the case where user-a has an explicit grant for Full Control at both the share and ntfs level.

If a group which user-a is a member of is added to the shares acl, any combination of a deny, Read, Change or Full Control manifests as no access at all for user-a. In addition, with the group set to Read on the share permission, user-a cannot delete a file if the path is known programmatically.

Effectively, if the context accessing a share acquires a deny of any mask, all access is denied based on my tests.

What is the use case for three mask options with a deny when the least restrictive (read) prevents all access entirely? I am aware that you can set finer grained permissions programmatically, however why expose even 3 from the UI when they all behave the same?

windows-server-2012-r2 access-control-list

share|improve this question

asked 2 days ago

Ritmo2kRitmo2k

1111

New contributor

Ritmo2k is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

asked 2 days ago

Ritmo2kRitmo2k

1111

New contributor

Ritmo2k is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

asked 2 days ago

Ritmo2kRitmo2k

1111

New contributor

Ritmo2k is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked 2 days ago

Ritmo2kRitmo2k

1111

New contributor

Ritmo2k is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked 2 days ago

Ritmo2kRitmo2k

1111