HOTSPOT
You have a file server named Server1 that runs Windows Server 2012 R2. Server1 contains
a folder named Folder1.
A user named User1 is a member of Group1 and Group2. A user named User2 is a member
of Group2 and Group3.
You need to identify which actions the users can perform when they access the files in Share1.
What should you identify?
To answer, select the appropriate actions for each user in the answer area.
Answer: See the explanation.
Explanation:
User 1:
– Read the files
– Edit the contents of the files
– Delete files created by other users
– Modify the permissions on the files
– Execute executable files
User 2:
– Read the files
– Edit the contents of the files
Share permissions apply to users who connect to a shared folder over the network. Group
membership of User1 means that he has Full Control permission and User2 only has Read
and Change permission.
References:
http://technet.microsoft.com/en-us/library/cc754178.aspx
Exam Ref 70-410: Installing and configuring Windows Server 2012 R2, Chapter 2: Configure
server roles and features, Objective 2.1: Configure file and share access, p.75-80
User1 can read the files, edit the contents of files and execute files only.
User2 can read and execute the files only.
I thought it should be
user1 can read and edit
user2 can read and execute
but I tested it on Windows 2012 R2.
The result surprised me, your answer is right. Care to explain why user1 can execute, please??
I tested the case and User1 can not execute files. So answer is:
U1: Y-Y-N-N-N; U2: Y-N-N-N-Y.
Tested, as well. This is correct.
tested it too
User1
Y-Y-N-N-N
User2
Y-N-N-N-Y
Yes this one is correct but if you’re going to disable inheritance then the answers should be:
User1: YYNNN
User2: YNNNY
Tested and confirmed!!!
No because question is talking about share permission and it would be combination of two different sets.
User1: yes to all
USER2: 1st and last only
How user2 can edit content of the files how? he only has READ and EXECUTE permission.
The restrictive permission prevails only between Share and NTFS.
But the restrictive permission “deny” in NTFS prevails over other NTFS permissions (not the case).
This applies to groups.
the provided answers are right
The share and NTFS permissions assigned to a file or folder can conflict. For example, if a user has the NTFS Write and Modify permissions for a folder but lacks the Change share permission, that user will not be able to modify a file in that folder.
Exam Ref 70-410: Installing and configuring Windows Server 2012 R2, Chapter 2: Configure server roles and features, Objective 2.1: Configure file and share access, p.85
How Combining File and Shared Folder Permissions Works
When you apply both file and shared folder permissions, remember that the more restrictive of the two permissions dictates what access a user has to a file or folder. The following two examples explain this further:
• If you set the file permissions on a folder to Full Control, but you set the shared folder permissions to Read, then that user has only Read permission when accessing the folder over the network. Access is restricted at the shared folder level, and any greater access at the file permissions level does not apply.
• Likewise, if you set the shared folder permission to Full Control, and you set the file permissions to Write, then the user will have no restrictions at the shared folder level, but the file permissions on the folder grants only Write permissions to that folder.
The user must have both file permissions and shared folder permissions. If no permissions exist for the user (either as an individual or as the member of a group) on either resource, access is denied.
@cutedevil, did you even read what you wrote?
User1 has only read & write access at the NTFS level. Even though he has Full Control at the Share level, the least restrictive permission applies here (as you’ve quoted from Microsoft’s article already). So how in the world will User1 have permissions to delete or modify the file?
Pfft.
@cutedevil
refer to your opinion : the user 1 dont have Full access to the file
is that right?
Hi Guys!
I absolutely do not agree with the answers at all.
User1 has read & write on NTFS and Full Control on Share through Group1.
User1 has read on NTFS and read on Share through Group2.
So User1 has read & write Access. NO modify right.
So User1 can:
– read the files
– create new files (which is not asked)
– AND THAT'S IT
(no execution, no permission for modification and no Change of permission)
So the answer for User1 would be: Y-N-N-N-N
User2 has read on NTFS and read on Share through Group2
User2 has read & execute on NTFS and Change on Share through Group3
So effectively User2 has read & execute Rights.
User2 can:
– read the files
– execute
So the correct answer for User2 would be Y-N-N-N-Y
Be careful: write is not Change and not execute. So why should User1 be able to delete files of other users? If the Creator Rights were still set in this environment, he could delete his own files and change permissions on his own files, but surely not on files belonging to others. Why should he be able to execute files? And why should he be able to change contents of files?
So in my understanding of file and share ACLs, the result would be only that user1 can read the files and user2 can read and execute files. (Apart from files owned by themselves, because for example User1 could modify the permissions of files he owns, as the Share permission is full access and on NTFS a user can change the permissions of files in his ownership…)
I guess some people who have tested this forgot that the files they were testing with belonged to the user they were using for the tests…
Cheers, Michael
bravo !!
I believe this is correct. Thanks!
You’re 100% right. I’m happy you spent the time to do it and not me. 😀
Most people here were using share permissions as the go to for effective access, which is whacky.
Analysis is OK with one mistake. Write permission allows user to change files. So answer is:
U1: Y-Y-N-N-N; U2: Y-N-N-N-Y.
Agree with dbKarlo. U1: Y-Y-N-N-N; U2: Y-N-N-N-Y.
https://technet.microsoft.com/en-us/library/cc784990(v=ws.10).aspx
Full Control. Users can do anything to the file, including taking ownership of it. It is recommended that you grant this level of access only to administrators.
• Modify. Users can view and modify files and file properties, including deleting and adding files to a directory or file properties to a file. Users cannot take ownership or change permissions on the file.
• Read & Execute. Users can run executable files, including scripts.
• List Folder Contents. Users can view a list of a folder’s contents.
• Read. Users can view files and file properties.
• Write. Users can write to a file.
user1:
A:folder permission: group1 + 2 –> read & write.
B:shared permission: group1 + 2 –> full control.
final: A and B, choose “strict”.–> read & write.
so user1 answer: Y-Y-N-N-N
user2:
A:folder permission: group2 + 3 –>read & execute.
B:shared permission: group2 + 3 –>change(*).
final: A and B, choose “strict” –>read & execute.
so user2 answer: Y-N-N-N-Y
*: when Change is chosen, Read will also be chosen, and Read includes execute.
ps.
read in folder permission didn’t include execute,
read in shared permission include execute.
folder rights:
http://technet.microsoft.com/en-us/library/cc732880.aspx
share rights are:
read view files subfolder names, data in files, execute
change read rights and add files, change data, delete subfolders and files
full change rights and change permissions (NTFS files and folders only)
User1: for the folder keeps read and write permission from group1 as rights
for the share keeps full control through the group1 group membership.
Read means can view folder, attributes, files, synchronize (read), view permissions
Write means can add folders, add files, change files, change attributes, change permissions, synchronize (write)
since the most restrictive applies the share, in this case, doesn’t matter.
http://technet.microsoft.com/en-us/library/cc754178.aspx
User 1 can only read files
User2: for the folder gets read and execute through the group membership of group3
for the share retrieves change rights as a member of group3
most restrictive for this is that again the share does not make our rights more restricted
so user 2 is allowed the following actions: Read the files and Run the executable Files.
Check the following it is very well explained
the above answer is right
https://www.idp.net/NTFS/
to my knowledge the most restrictive permission over-rides so both could only read as they are both members of group 2
exam on December 12,2014
you have to choose 3 permissions for each user!
user1:
read,write,modify permissions
user2:
read,write,execute
Those who are granted the Change permission can perform all of the functions that the Read permissions grant as well as create and delete files and subfolders. Users are also able to change file attributes, change the data in files, and append data to files.
the correct answer is
user1 read,write, modify permissions
user read,execute, modify permissions
cause if u are the creator of a file you can modify permissions per default!
yhawx is correct
user1:
folder permission: group1 + 2 –> read & write.
shared permission: group1 + 2 –> full control.
final: A and B, choose “strict”.–> read & write.
so user1 answer: Y-Y-N-N-N
user2:
folder permission: group2 + 3 –>read & execute.
shared permission: group2 + 3 –>change.
final: A and B, choose “strict” –>read & execute.
so user2 answer: Y-N-N-N-Y
I believe this is right. Why the hell would User1 be able to run files??? Neither “read” nor “write” gives him this ability. The same with “delete”: User1 will not be able to delete.
yhawx is correct.
Remember, the question is asking SHARE permissions.
Share permissions are like the front door of a motel room…it gets you in.
NTFS are more granular and are when you get in the door. This is like the motel bolting the TV remote to the night stand.
Don’t confuse share rights with NTFS.
PROBLEM SOLVED. Tested in my virtual environment. yhawx user has the right answer.
Remember this:
1)if user A is member of Group1 and Group2
2)Group1 has full permission
3)Group2 has read permission only
then user A has finally full permission over folder/file.
The situation changes if, for Group2, permissions are explicitly denied. In this case, Group2 permissions prevail over Group1, and the user cannot access the folder/file.
The answer in most learning resources is wrong as is this one here. Some of the commenters on this question have it right.
User1 Y-N-N-N-Y
User2 Y-Y-N-N-N
Why? Permissions are CUMULATIVE WITHIN a technology with DENY taking precedence but MOST RESTRICTIVE wins when LAYERING TECHNOLOGY. Meaning it doesn’t matter if you have FULL at the NTFS/Folder level if at the share you only have READ, the user inherits READ ONLY perms. Vice versa, if you have FULL at the share but only Read & Execute at the file level you can only Read and Execute.
User1 is given FULL via Group1 but only READ via Group2 at the share level. Add these together and you get FULL. At the NTFS level it is Read & Write via Group1 and READ via Group2, add together and Read/Write is the maximum. Read and Write NTFS perm WINS because it is the more restrictive perm than the share permission of FULL.
User2 is the same, the highest Share permission it has from group memberships is CHANGE but the highest NTFS permission is Read and Execute. Read and Execute being the most restrictive wins.
After detail lab testing, I’m pretty sure that answer is:
U1: Y-Y-N-Y-N; U2: Y-N-N-N-Y.
Explanation:
Permissions from groups should be added, and permissions from share and NTFS (folder) are combined so that the lesser rights are effective. Therefore, the result is:
User1: Read & Write; User2: Read & Execute.
Write means that user can create files and modify its content (modify permission adds only delete right), but it also means that user can change permission on his own files (user is owner). This covers 1., 2. and 4. permission from question. Indirectly User1 could give himself full right on his files and delete them but in 3. action, it states “Delete file created by other users” what he cannot do in any way. User1 cannot execute files because he has not this permission.
User2 can read and execute files (1. and 5. action). Here comes important thing, User2 cannot change permissions on his own files because he has only “Change” permission on share and User1 has “Full control”.
There is just one doubt about “Modify the permissions on the files”. User1 can modify permissions on his own files but not on other files. So, should this be marked or not? I chose to mark it but I don’t have a convincing argument.
Please comment!
I do agree with you, but i don’t think “write” gives you the right to create new files. That’s exclusive to “modify” (and fc ofcourse)
https://technet.microsoft.com/en-us/library/cc784990(v=ws.10).aspx
Full Control. Users can do anything to the file, including taking ownership of it. It is recommended that you grant this level of access only to administrators.
• Modify. Users can view and modify files and file properties, including deleting and adding files to a directory or file properties to a file. Users cannot take ownership or change permissions on the file.
• Read & Execute. Users can run executable files, including scripts.
• List Folder Contents. Users can view a list of a folder’s contents.
• Read. Users can view files and file properties.
• Write. Users can write to a file.
If you do the following test:
– Administrator creates Folder1, disable inheritance, grant User1 Read+Write (nothing else)on Folder1 – Share permissions are not relevant in this exercise, because they are less restrictive
– Administrator creates File1 in Folder1 – The question is “Modify the permissions on THE files”, not “Modify the permissions on HIS OWN files”
Then, if you bring up the Effective Access of User1 on File1 you will see that there is a red cross next to “Change Permissions”
I would go for U1: Y-Y-N-N-N U2: Y-N-N-N-Y
What is confusing me is, I thought that Read = Read ONLY AND NOT WRITE. Where the answer says that the user can now both read and write, this means Read is separated from Edit/Write, is this correct?
OK. Crazy question first of all and can be a little ambiguous.
1. Folder permissions is always going to trump the share permissions so you can disregard share permissions for this question.
2. Take into consideration that NOT ALLOWING permissions is not the same as EXPLICITLY DENYING IT (explicit deny will always win).
3. This question does not state there is explicit denies for folder permissions, thus these permissions are cumulative for the user.
User 1: Read/Write – YYNNN
User 2: Read/Execute – YNNNY
Correct NB, I agree with you.
User1: YYNNN (Only Read & Write)
User2: YNNNY (Only Read & Execute)
First we need to understand few things, so we can get to the right answer:
– All NTFS permissions for a specific account, whether a specific account is added, or the account is part of a group, are combined to provide an Effective Permission using the Least Restrictive rule.
– All Share permissions are combined to provide the Effective Permissions using the Least Restrictive rule.
– The NTFS & Share permissions are combined and evaluated to provide the Effective Permissions using the Most Restrictive rule.
I will go step by step:
——————
Share permission: Least restrictive
——————
User1: Full control + Read = Full Control
User2: Read + Change = Change
——————
NTFS permission: Least restrictive
——————
User1: Read&write + Read = Read&Write
User2: Read&Execute + Read = Read&Execute
—————————————–
Combining the NTFS and Share permissions: Most restrictive
—————————————–
User1: Read&Write + Full Control = Read&Write
User2: Read&Execute + Change = Read&Execute
So the right answers are:
user1: YYNNN
user2: YNNNY
Hope it helps
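The union-within-a-layer, intersection-across-layers calculation walked through above, as an added example that is not part of any commenter's post. The group grants are the ones commenters quote from the missing exhibit, the masks are the standard Windows access-mask values, and file ownership and ACE ordering are not modelled (assumptions of this example).

```python
# Added example: effective access over an SMB share, modelled with access masks.
FILE_READ_DATA, FILE_WRITE_DATA, FILE_EXECUTE = 0x1, 0x2, 0x20
FILE_DELETE_CHILD, DELETE, WRITE_DAC = 0x40, 0x10000, 0x40000

# Basic permission levels expressed as Windows access masks.
NTFS = {"Read": 0x120089, "Write": 0x120116, "Read & Execute": 0x1200A9,
        "Modify": 0x1301BF, "Full Control": 0x1F01FF}
SHARE = {"Read": 0x1200A9, "Change": 0x1301BF, "Full Control": 0x1F01FF}
TABLES = {"ntfs": NTFS, "share": SHARE}

# Assumption: grants as quoted by commenters; the exhibit is not on the page.
GRANTS = {
    "Group1": {"ntfs": ["Read", "Write"], "share": ["Full Control"]},
    "Group2": {"ntfs": ["Read"], "share": ["Read"]},
    "Group3": {"ntfs": ["Read & Execute"], "share": ["Change"]},
}
MEMBERS = {"User1": ["Group1", "Group2"], "User2": ["Group2", "Group3"]}

# The five actions in the answer area, each mapped to the bit(s) that allow it.
ACTIONS = [
    ("Read the files", FILE_READ_DATA),
    ("Edit the contents of the files", FILE_WRITE_DATA),
    # Needs DELETE on the file or FILE_DELETE_CHILD on the parent folder.
    ("Delete files created by other users", DELETE | FILE_DELETE_CHILD),
    ("Modify the permissions on the files", WRITE_DAC),
    ("Execute executable files", FILE_EXECUTE),
]

def layer_mask(groups, layer, denies):
    """Union of every Allow in one layer, minus every Deny.
    Simplified: real ACL evaluation also depends on ACE order and inheritance."""
    allow = deny = 0
    for group in groups:
        for level in GRANTS[group][layer]:
            allow |= TABLES[layer][level]
        for level in denies.get((group, layer), []):
            deny |= TABLES[layer][level]
    return allow & ~deny

def effective_mask(user, denies=None):
    """Over the network both layers must allow a right, so intersect them."""
    denies = denies or {}
    groups = MEMBERS[user]
    return layer_mask(groups, "ntfs", denies) & layer_mask(groups, "share", denies)

def answer(user, denies=None):
    """Render the result in the thread's Y-N notation, in answer-area order."""
    mask = effective_mask(user, denies)
    return "-".join("Y" if mask & bits else "N" for _, bits in ACTIONS)

if __name__ == "__main__":
    for user in MEMBERS:
        print(user, answer(user), hex(effective_mask(user)))
```

The `denies` argument takes a hypothetical mapping such as `{("Group2", "ntfs"): ["Read"]}` to show an explicit Deny overriding an Allow from another group.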
Very well explained, Agree 100% with your answer! 🙂
User1: YYNNN
User2: YNNNY
User1 = y-y-n-n-n
User2 = y-n-n-n-y
When accessing a shared folder the user only gets common permissions between the share and NTFS permissions. So if a user has Read/Write on NTFS and Read-only share permissions they can only read over the share but they would have read/write logged in locally.
The opposite is true as well, if they had read-only NTFS and read-write shared permissions, they could only read over the share and locally.
The Read share permission grants read and execute, which is why User2 can execute as well as read.
@simo
Your explanation helped me understand. Thanks.
I have to agree on
User1 = y-y-n-n-n
User2 = y-n-n-n-y
Write permission only gives you the following permissions:
Permits adding of files and subfolders – Permits writing to a file
The problem is that on my exam I had to choose three options per user.
In my opinion that is not possible
1:YYYNY
2:YYNNN
So many posts, just to make it easier for everyone, you can totally ignore all permission given by Group2, just forget about group 2
Why: Because the permission group2 gives is already given by group 1 and Group 3 in both NTFS and Share. You got read already in Full control and Change.
User 1: YYNNN (most restrictive between share and NTFS gives permission = Read + Write)
User 2: YNNNY (most restrictive between share and NTFS gives permission = Read + Execute)
Modify permission on OTHERS files requires “Full control”
Tested on lab :yhawk and simo are correct.
yhawx says:
user1:read & write.
so user1 answer: Y-Y-N-N-N
user2:read & execute.
so user2 answer: Y-N-N-N-Y
USER 1:YYNNN
USER 2:YNNY
hahahaha. funny how people guess for answers. I also tried this on my lab. and ian and biloux are correct.
USER 1:YYNNN
USER 2:YNNY
To all EXAMINERS!!!! do it on LAB instead of begging and guessing for answers!!!!
My results were
User1 : Y – Y – Y – Y – Y
User2 : Y – N – N – N – Y
User1: Y-Y-N-N-N
User2: Y-N-N-N-Y
https://msdn.microsoft.com/en-us/library/bb727008.aspx
As per the share permission and NTFS permission video on James (CBT). The most liberal permission wins over other except for deny permissions. As deny wins first. Having that in mind. I did this test on my lab and I got
User1 Y – Y – N – N – Y
User2 Y – N – N – N – Y
Running executables (such as .exe, .bat) did work, except that the EXE prompts for admin credentials. Regardless, it is executable.
Editing the contents of a file, not a folder. I created a notepad txt using another user and tried editing with user1, which worked but not user2.
Hi guys,
I tested this in my own LAB.
Server 2012 R2 Datacenter and Windows 10 pro.
So I can confirm that the following answer is 100% correct…
User1 : yes,yes,no,yes,no
User2 : yes,no ,no,no ,yes
confirmed, tested on lab
Please refer the link
https://technet.microsoft.com/en-ca/library/cc783530(d=printer,v=ws.10).aspx
Answer
user1:read & write.
so user1 answer: Y-Y-N-N-N
user2:read & execute.
so user2 answer: Y-N-N-N-Y
You’re 100% right, just tested on LAB.