What should you identify?

HOTSPOT
You have a file server named Server1 that runs Windows Server 2012. Server1 contains a folder named
Folder1.

A user named User1 is a member of Group1 and Group2. A user named User2 is a member of Group2 and
Group3.
You need to identify which actions the users can perform when they access the files in Share1.
What should you identify?
To answer, select the appropriate actions for each user in the answer area.

Answer:

Explanation:



ezordu

Incorrect. The most strict permissions apply so both users are limited by their membership in Group 2. Read\Read permissions.

ezordu

Actually this is correct. NTFS permissions are the sum of the overall permissions.

Adam

The NTFS permissions are cumulative, so are the Share permissions cumulative.

Write permissions do not allow “Edit”; Modify NTFS and Change Share permissions are needed for Edit.

From Microsoft:
The minimum permission setting needed in order to open, edit, and save a document within a Windows folder is Modify.

http://support.microsoft.com/kb/277867

Topcoder

User 1 does not have modify, rest is correct

Dave

Topcoder is right.

tvegeta

Share permissions are additive in that you accumulate permissions at the share level.

NTFS permissions are additive in that you accumulate permissions at the NTFS level.

But the most restrictive permissions between Share and NTFS take precedence. Since no deny permissions are set we would add up the Share permissions and then add up the NTFS permissions separately and the most restrictive of the 2 levels takes effect.

This means User1 has Read/Write NTFS permissions and FULL Control NTFS permissions. The share permissions are the most restrictive so User1 has Read/Write to the folder.

User2 has Read/Execute NTFS permissions and Full Control Share permissions. User2 then has Read/Execute to the folder.

Read the files = Both users can do this.
Edit the contents of the files = Only User1 can do this as it requires the Write permission.
Delete files created by other users = Neither user as this requires Modify NTFS permission and at least Change share permissions.
Modify the permissions on the files = Neither user as this requires Full Control at Share and NTFS levels.
Run executable files = Only User2 has the Execute permission.

Am I wrong here? I don’t think so but someone please correct me if I’m wrong.

Adam

I think you have done a typo in your post as User1 does not have Full Control NTFS permissions. User1 has Full Control Share permission.

User1 has maximum of Read and Write NTFS which are the maximum rights.

Therefore User1 cannot Edit content of the files without Modify NTFS permissions.

From Microsoft:
NOTE: The minimum permission setting needed in order to open, edit, and save a document within a Windows folder is Modify.

http://support.microsoft.com/kb/277867

Avraam

Besides the “typo” mistake (User1 has Full Control on SHARE, not NTFS), the answer is right.

The answer from top to bottom is:

User1 = Y-Y-N-N-N
User2 = Y-N-N-N-Y

Y=YES
N=NO

P.S. I have tested it in lab.

semevalavida

correct the solution

Lucio

You are correct, tvegeta.

Fred

tvegeta is correct

han

To me it looks like only ‘read’ for both user 1 and 2.
Modify is equivalent to Change permission in Shared permissions. Write is just writing, but no modifying.

So User 1 has Read/Write in NTFS and Full in shared permission. So the restrictive permission is read/write.

User 2 has Read/Execute in NTFS and Read/Change in shared permission. So, the restrictive permission is Read/Execute.

Adam

Correct Answer: (As stated by Topcoder above)
Actions            | User 1 | User 2
-------------------|--------|-------
Read the Files     | YES    | YES
Edit the contents  | YES    | NO
Delete Files       | NO     | NO
Modify Permissions | NO     | NO
Run Executables    | NO     | YES

Reasoning: As many have stated NTFS/Shared permissions will take the most restrictive in each case.

Group1 = Read & Write
Group2 = Read
Group3 = Read & Execute

What seems to be causing confusion for some is Group2. Group2 is entirely irrelevant.
The overlapping groups/permission do not follow the same Most Restrictive policy.

Tested, using virtual environment.

han

Yes, I looked at the table and tested, the standard permission ‘Write’ also allows ‘Modifying files’ permission. The user 1 has ‘Edit the contents’.

I’m surprised, this was the time I eventually looked at the detail of standard permission and advanced permission how they’re linked, there’s no separate permission for modifying files, but ‘write data’ in advanced permission has it, which is also a sub permission of ‘write’ standard permission.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;308419

The other thing is, when I click ‘Modify’ it selects everything except ‘Full Control’ check box in standard permission, this ‘Modify’ standard permission allows anything including deleting files except giving/taking out user permissions on the folder.

If anyone gets confused, I think below is sufficient for testing:

Read
Read & Execute (read + execute)
List folder contents
Write (includes modifying)
Modify (all lower permissions + delete)
Full (modify + user permission)

Joel

I TOTALLY AGREE WITH HAN! YOUR COMMENTS CLEAR THINGS UP. THANKS BUDDY!

Adam

I have not tested these permissions, however Microsoft contradicts your answer.

User1 cannot carry out Edit with Read and Write NTFS.

Modify NTFS is required for Edit.

From Microsoft:
NOTE: The minimum permission setting needed in order to open, edit, and save a document within a Windows folder is Modify.

http://support.microsoft.com/kb/277867

sne

Actually, the question just tells us the “Folder permissions”. There is no word that these permissions have been inherited to the files within the folder.

And “Read and Write” for a folder just means that you can list the files contained within (not showing their contents) and create new files (not change existing ones).

I’m not sure what the question means by “Read the Files”. Does it just mean, read the contents of the folder and show what files are in, or does it mean “show the contents of the file”.

If you go for the second one, then the answer would be:

No No
No No
No No
No No
No Yes

Source:
http://technet.microsoft.com/en-us/library/bb727008.aspx

Zain

Hi guys, I just tried it in my lab and, to my surprise, answer in original post is correct. User1 really can modify permissions. I checked setting several times and it’s exactly like in task.

Actions            | User 1 | User 2
-------------------|--------|-------
Read the files     | YES    | YES
Edit the contents  | YES    | NO
Delete files       | NO     | NO
Modify permissions | YES    | NO
Run executables    | NO     | YES

Jon

Hey guys, I just tested it on my server and I came up with this:

YES – YES
YES – NO
YES – NO (*1)
YES – NO
YES – YES

Assuming that User1 will delete other files created by other users, as User2 cannot create files, and the wording is in plural (Delete files created by other userS). If it was in singular (Delete files created by the other user) it will be both NO.

Hosam

I believe the answer should be as stated earlier by Topcoder
User 1 does not have modify

Write permission allows to modify the attributes of a file or folder like hidden and read-only, NOT the permissions.

Ricky

Hey guys,

For anyone out there reading this.. this question is on the exam and I took it last week on the 24th of October 2014 and yes the original post is correct!! What you see at the top is the right answer!! Just did it in my lab as well and it’s right!!
Write permission does include modify!

Now.. I just tried something else mid-writing this comment and since “write” permissions allows you to modify the permissions of the file, I gave myself “user1” the “full control” on the folder and then I was able to do anything!! This is very confusing! Cause now I can actually do everything with user 1

Adam

The maximum rights User1 can have is Read and Write
The maximum rights User2 can have is Read, Execute and Write

After carefully checking the NTFS and Share permissions in a Microsoft support article.

Full Control NTFS / Full Control Share permissions are needed to Modify permissions on Files

Modify NTFS / Change Share permissions are required to Edit contents of a file.

Changing Permissions requires Full Control NTFS / Full Control Share permissions

Read & Execute requires Read and Execute NTFS and Read Share permissions

So User1 / User2 can do as follows:
Read Yes / Yes
Edit No / No
Delete No / No
Modify Permissions No / No
Read and Execute No / Yes

From Microsoft:
NOTE: The minimum permission setting needed in order to open, edit, and save a document within a Windows folder is Modify.

http://support.microsoft.com/kb/277867

cry

I just tested this question

User 1 is y n n n n
User 2 is y n n n y

Remember the most restrictive will take over.

Peter

I’m doing the exam tomorrow, I keep coming up against this in practice tests and have never got a definitive answer. I’ve decided I need to just come to a decision on this and stick to it, reading all of the above and my own research leads me here…
The permission check runs against the specific groups and as we all know most restrictive between NTFS and share permissions wins which leaves the following (all NTFS)…
Group 1 – Read and write
Group 2 – Read
Group 3 – Read and execute
You then look at what groups each user is a member of and accumulate what NTFS permissions are combined, so in this instance you can just ignore the read attributes granted from group 2.
So here’s what I think, as I say this is my theory and I’d be interested to know what people think and if it comes up and I can tell if I got it right or not I’ll be sure to come back and let y’all know.
Actions User1 User2
Read Y Y
Edit (write) Y N
Delete N N
Modify permissions N N
Execute N Y

jo

Peter is right.

1.Determine the effective NTFS permissions:
-NTFS permissions are cumulative and the least restrictive gets applied. Therefore User 1 has NTFS Read and Write. Similarly User 2 has Read and Execute.

2.Determine the effective share permissions
-User 1 gets Full Control. User 2 gets Change.

3.Take the most restrictive of the two, NTFS and Share:
-User 1 gets to Read and Write. User 2 gets to read and execute.

When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.
Answer:
yes yes
yes no
no no
no no
no yes
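
The three-step evaluation walked through in the comments above (accumulate within the share layer, accumulate within the NTFS layer, then take the more restrictive of the two), as an added Python model that is not part of any commenter's post. The NTFS grants are the ones quoted in the thread; the per-group share ACL is constructed, since the question's permission table is not reproduced on this page. Deny handling goes beyond the thread's no-deny scenario and is simplified to "deny overrides allow within a layer"; ownership and inheritance are not modelled.

```python
# Access-mask bits as defined in the Windows SDK (winnt.h).
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA = 0x1, 0x2, 0x4
FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE = 0x8, 0x10, 0x20
FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x80, 0x100
DELETE, READ_CONTROL, WRITE_DAC, SYNCHRONIZE = 0x10000, 0x20000, 0x40000, 0x100000

READ = FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES | READ_CONTROL | SYNCHRONIZE
WRITE = FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES | SYNCHRONIZE
READ_EXECUTE = READ | FILE_EXECUTE   # also the mask behind share-level "Read"
MODIFY = 0x1301BF                    # NTFS Modify / share-level "Change"
FULL_CONTROL = 0x1F01FF

# Group memberships from the question.
MEMBER_OF = {"User1": {"Group1", "Group2"}, "User2": {"Group2", "Group3"}}
# NTFS grants as quoted in the thread.
NTFS_ACL = [("Group1", "allow", READ | WRITE), ("Group2", "allow", READ),
            ("Group3", "allow", READ_EXECUTE)]
# Constructed share ACL (assumption): gives User1 Full Control and User2 Change.
SHARE_ACL = [("Group1", "allow", FULL_CONTROL), ("Group2", "allow", READ_EXECUTE),
             ("Group3", "allow", MODIFY)]

# Right each exam action is modelled as requiring (a modelling assumption).
ACTIONS = {
    "Read the files": FILE_READ_DATA,
    "Edit the contents of the files": FILE_WRITE_DATA,
    "Delete files created by other users": DELETE,
    "Modify the permissions on the files": WRITE_DAC,
    "Run executable files": FILE_READ_DATA | FILE_EXECUTE,
}

def layer_mask(user, acl):
    """Union of allow ACEs for the user's groups, minus anything denied."""
    allow = deny = 0
    for group, kind, mask in acl:
        if group in MEMBER_OF[user]:
            if kind == "deny":
                deny |= mask
            else:
                allow |= mask
    return allow & ~deny

def effective_mask(user, share_acl=SHARE_ACL, ntfs_acl=NTFS_ACL):
    """Access through the share must pass both layers, so intersect them."""
    return layer_mask(user, share_acl) & layer_mask(user, ntfs_acl)

def can_do(user, **acls):
    eff = effective_mask(user, **acls)
    return {action: (eff & need) == need for action, need in ACTIONS.items()}
```
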

Gilbert is lost.

Correct, after so many people with wrong answers I did it on lab.
The result is
y y
y n
n n
n n
n y

dave

above answer is confirmed:

yes / yes
yes / no
no / no
no / no
no / yes

sneed

I think original answers are correct.

*guide – https://msdn.microsoft.com/en-us/library/bb727008.aspx (file permissions)
*guide – https://technet.microsoft.com/en-us/library/cc784499%28v=ws.10%29.aspx (share permissions)

*Share Permission – Full Control allows all Read and Change permissions, plus:
Changing permissions (NTFS files and folders only)

**The original answers are correct:

YES YES (both have read permissions)
YES NO (user 1 can edit because he has write permission)
NO NO (Cannot delete because no one has modify permission)
YES NO (User1 can modify permissions on files because he has Full control share permission)
NO YES (User 2 has execute permission)

anotherOpinion

No sneed, Peter, Jo, and Dave are correct. User1 cannot change permissions because the MOST RESTRICTIVE POLICY of Shares and NTFS apply. Since User1 does not have that right in the NTFS aspect, he does not have it.
YES YES
YES NO
NO NO
NO NO
NO YES

cowpoo

Original answers are correct.

Tested on labs.

Matt

Somewhat nebulous on the Modify Permissions. User 1 can modify permissions on files User 1 creates.

Am I to assume the question refers to other users’ files?

sameer

Is there anybody to tell the correct answer, ’cause yesterday I gave an exam but I got 681 marks and also that question came to my exam, so please just tell the real answer. Everybody gave a lot of examples, just tell the true one.

Clay

ezordu put it very plain and simple. “The most strict permissions apply so both users are limited by their membership in Group 2. Read\Read permissions.” By that rule, the only possible answer is READ\READ. Overthinking the scenario usually causes you to completely lose sight of the basic concepts. If you just get a clear understanding of how NTFS and Share permissions work together you’ll see that the answer above is clearly incorrect.

Derek

Tested in lab environment, confirmed correct answers:
yes / yes
yes / no
no / no
no / no
no / yes

geekrescue

Derek is correct. I also tested it on my lab. For those confused, I guess better try it rather than arguing with the correct answer…

yes / yes
yes / no
no / no
no / no
no / yes

Joel

THE CORRECT ANSWER WAS GIVEN – I RECOMMEND READING HAN’S COMMENT… Most of the other comments are incorrect.