You have a file server named Server1 that runs Windows Server 2012. Server1 contains a folder named
Folder1.
You share Folder1 as Share1 by using Advanced Sharing. Access-based enumeration is enabled.
Share1 contains an Application named App1.exe.
You configure the NTFS permissions on Folder1 as shown in the following table.
The members of Group2 report that they cannot make changes to the files in Share1. The members of Group1
and Group2 run App1.exe successfully.
You need to ensure that the members of Group2 can edit the files in Share1.
What should you do?
A.
Edit the Share permissions.
B.
Disable access-based enumeration.
C.
Replace the NTFS permissions on all of the child objects.
D.
Edit the NTFS permissions.
Explanation:
Suppose you’ve shared a folder on a Windows Server 2012 system and you’ve created the share as a
readonlyshare, but the NTFS permissions for the folder are Full Control for the Everyone group. When conflicts
likethis arise between share and NTFS permissions, the most restrictive permission set wins out.
There are a number of additional settings that you can enable for the share. ABE allows users to see just
thefiles and folders to which they have been granted access and not even be able to see that other itemsexist.
http://blogs.technet.com/b/keithmayer/archive/2012/10/21/ntfs-shared-folders-a-whole-lot- easier-inwindowsserver-2012.aspx
http://www.techrepublic.com/blog/networking/how-to-share-a-folder-in-windows-server- 2012/6057
http://www.techrepublic.com/blog/networking/windows-server-2012-tips-for-setting-share- vsntfspermissions/6204
Don’t you need the “Modify” permissions to edit the contents of the files rather than the “Write” one, which allows you to create or copy new files?
I would say D, edit the NTFS permissions, anyone can clear this up?
Any second opinions on this?
The answer is A (in my opinion).
If the user has Read/Write but still can’t make changes, the problem has to be with the share permission.
Alex, based on this link (http://www.ntfs.com/ntfs-permissions-file-folder.htm) Modify = Read + Write
So the user already has “modify”, but with a different name.
Base on that link bogdan, you can see that if you join read, write and execute and compare the output with the modify permission you still missing delete attribute.
I think the answer is D
Write allows editing files contents. Modify allows modifying the files (delete,rename)
The correct answer is A. The NTFS permissions are set correctly, so the likely culprit would be the Share permissions “bottlenecking” into a more restrictive permission set.
write gives you the right to write to files (edit them).
It doesn’t allow you to create new files or folders you need “change” for that.
Answer A is correct as users can’t edit files the share permission only gives read access.
I would have to say A. It looks like the groups are getting Read only access to share (the default). Group2 don’t have modify NTFS permissions, but Modify only adds permission to delete!
Thanks for the input guys.
Answer is D. You need Modify permission to “make changes to files”.
Share permission by default is set to Everyone with Read, so anyone can get into the folder, any permissions on files within the folder will be controlled by NTFS permissions (in which Group 2 users will need Modify permission)
Windows treats a file renaming operation as a deletion of the file and creation of a new file with the new name. There used to actually be a Delete permission but that has changed to Modify (aka delete and move permission)
The answer is “A”. The effective permission for the user is based on the restrictive permissions. Share1 is more restrictive than the NTFS in this question. Group2 already has the “Write” permission yet the group still can’t write/modify the contents. Therefore the share permission must be modified.
Remember NTFS perms = the SECURITY tab of the properties of an object.
You could have FULL control on Group 2 in the NTFS portion, and if logged in locally to the machine you would indeed have full access and do anything you like.
BUT if you simply tried to get at the data by \\servername\sharename and the share permission is only read (out of read, change, or full control) you are bound by the most restrictive of the cumulative share + NTFS permissions.
Tried on my computer, Read and Write allows me to edit a text file locally.
NTFS permission is effective if you log on to a system localy.
Here group 1 and group 2 logged on in network computer and accessing a share1 folder of another computer in same network. Then group 2 share permission should be modified to provide them a desired access . Hope my explanation is simple .
Answer A is correct.
A. Most likely the share has the default read permission, and remember you get the combined permission on share and on NTFS but you get the most restrictive when you combine Share and NTFS permission, see it as two windows, if Share doesn’t allow write it wont reach NTFS and vice versa.
B. ABE is used to hide objects users doesn’t have permission to, n/a in this case since the user see the files (hence read on share at least)
C. Permission is inherit by default, no text mention it is a sub item or blocking so n/a
D. User is member of group 2 got write permission on NTFS level so it should be able to write/edit/modify files unless… the user doesn’t have write permission on share level… leaves us to choice A.
A. seems correct – If there is a Deny permission set at the Share level it could block access.
A – Edit the Share Permission, because Group2 already has Write NTFS Permission that allows its users to make changes on Folder1 files, so no need to edit NTFS permissions. In this case, the only reason for Group2 users report that they can not edit Folder1 files is because Share1 is giving them read only access to the share. The result is the most restrictive permissions when Share and NTFS permissions are combined.
The answer is A. I have tested in my lab environment.
I. for user1:
1. i add NTFS permissions read&execute, write + modify
2. i add Share permissions only read
the result was i can not edit a document, but i have to save it on other location or save it like other file
II. for user1:
1. i add NTFS permissions read&execute, write
2. i add Share permissions read + Change
the result was i can edit the documents inside the shared folder
If the question said “You need to ensure that the members of Group2 can DELETE files in Share1” then we’d also need the MODIFY NTFS permission, however we only need to edit files, WRITE is enough. Answer is A.
A: Share permissions
This is from technet (which says that if you have a read share and write NTFS permissions then you can only read files):
Share permissions and NTFS permissions are independent in the sense that neither changes the other. The final access permissions on a shared folder are determined by taking into consideration both the share permission and the NTFS permission entries. The more restrictive permissions are then applied.