Permission Issue

Hi All,

I have 2 questions related to permissions.

1. Let's say I create one folder (named TEST). Then I add 2 AD groups in the NTFS security tab of that folder. To the 1st group I give Read & execute + List folder contents. To the 2nd group I give Full Access. What I want to know is: if my ID is part of those 2 groups, which permission will take effect? Is it Read & execute + List folder contents, or Full Access? I read about this a long time ago, that Windows will SUM all the permissions and the highest permission (Full Access) will take effect in that folder. But I can't find the link now. Can anyone give me the link if you have it? I just want to know whether what I understand is correct.

2. One of my users is getting a weird issue. Every time he opens a file in a shared folder, the 1st time he opens it the file will be Read-Only. But once he closes the file and reopens it a 2nd time, the file becomes modifiable. At first I thought someone other than him had opened the file before he opened it. But when I check Open Files in Computer Management, he is the only one who has the file open. Could anyone give me advice on this p

August 20th, 2015 2:22pm

Hi G,

This link tells you all you need to know about NTFS permissions hopefully:

https://technet.microsoft.com/en-us/magazine/2005.11.howitworksntfs.aspx

Hope this helps!

August 20th, 2015 4:01pm

Hi Basty,

Thanks for the link. Looking at the statement below from the link, is it good to say that Full Access/Modify Access will beat the Deny/Read Only access?

The user next attempts to edit the file and save the changes. On the Security tab of the property sheet of the file, either Deny Write is checked (in Windows 2000) or both Allow and Deny Write are checked (in Windows XP). When the user tries to save the file, NTFS again evaluates the permissions to see if the user can perform the requested action. The evaluation starts on the Deny permissions, then the Allows, of the child object. No direct permissions were given at that level, so nothing allows or denies the requested action. Evaluation of the parent begins with the Deny permissions and finds none. The parent Allow permissions are evaluated next and Allow Write is specified. The evaluation stops there even though the grandparent object has Deny Write.

The DACL lists permissions by the object first, followed by the object's parent, then the grandparent, and so on up the directory tree. Each layer has the Deny permissions listed before the Allow permissions. The evaluation starts at the child and checks the permissions at that level before continuing up the tree. This process goes level by level until one of three things happens:

  • If the evaluation finds a Deny for the requested action, the evaluation stops and the action is denied.
  • If the evaluation finds an Allow for the requested action, the evaluation stops and the action is allowed.
  • If the evaluation made it to the top of the tree and the action does not have an Allow or Deny permission specified, the action is still denied.
August 21st, 2015 8:04am

One more thing. The user confirmed to me that the problem in no. 2 happens with PowerPoint and Excel files only. Word or txt documents are fine.
August 21st, 2015 8:21am

It does sound peculiar, however, I found this which explains the behaviour you're seeing and suggested workarounds...

https://support.microsoft.com/en-us/kb/102888#/en-us/kb/102888

August 24th, 2015 10:54am

Hi Bastys,

The problem happens not when the user saves the file, but the moment the user opens the Excel or PowerPoint file. The file becomes read-only...

August 24th, 2015 11:09am

In this case your permission will be Read & Execute + List folders. If you remove the first group from your users, you will be able to write to this folder.

Try it and let me know.

Best.

Ramiro.

August 24th, 2015 4:49pm

1. The situation is a bit more difficult, as what you add in configuration "interacts" with inherited rights.

2. If you create a folder and want to configure permissions, you should consider inherited rights, unless you stop inheritance. Start with "no" rights.

3. Always use advanced permissions.

4. Nothing would "survive" Deny, which always wins.

5. Full + anything = Full (Full contains anything)

6. Nothing is better than wise testing. Test to get a "feeling" for permissions.

7. For shared folders you should consider the mixture of share permission and local permission. Start with Full share.

A minimal number of rights is the best solution. Test and prove with the cacls function.

HTH

Milos

August 24th, 2015 5:41pm
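
Added example (not part of the thread or of the linked article): a simplified Python model of the evaluation order quoted from the TechNet article earlier in the thread, applied to the TEST folder from question 1 and to the Deny and Full cases in points 4 and 5 above. The group names, user name and rights bitmask are constructed for illustration and are not real NTFS access-mask values.

```python
from typing import NamedTuple

# Simplified rights bitmask (constructed for this example, not real NTFS access-mask values).
READ, EXECUTE, WRITE, DELETE = 1, 2, 4, 8
READ_EXECUTE = READ | EXECUTE
FULL = READ | EXECUTE | WRITE | DELETE

class Ace(NamedTuple):
    kind: str        # "allow" or "deny"
    trustee: str     # group or user name the entry applies to
    rights: int      # bitmask of rights covered by the entry
    level: int = 0   # 0 = set on the object, 1 = inherited from parent, 2 = grandparent, ...

def ordered_dacl(aces):
    """Order entries as the article describes: nearest level first, Deny before Allow within a level."""
    return sorted(aces, key=lambda a: (a.level, a.kind != "deny"))

def access_check(aces, memberships, requested):
    """Return True if every requested right is allowed before a matching Deny is reached."""
    remaining = requested
    for ace in ordered_dacl(aces):
        if ace.trustee not in memberships:
            continue                      # entry is for someone else
        if ace.kind == "deny" and ace.rights & remaining:
            return False                  # a Deny for a still-needed right stops evaluation
        if ace.kind == "allow":
            remaining &= ~ace.rights      # rights granted through different groups accumulate
            if remaining == 0:
                return True               # everything requested has been allowed
    return False                          # end of the list with nothing specified: denied

# Constructed sample data: the TEST folder from question 1, user in both groups.
TEST_FOLDER = [Ace("allow", "GroupRead", READ_EXECUTE), Ace("allow", "GroupFull", FULL)]
USER = {"user1", "GroupRead", "GroupFull"}

# Constructed sample data: the article's case, Allow Write on the parent, Deny Write on the grandparent.
INHERITED = [Ace("allow", "Staff", WRITE, level=1), Ace("deny", "Staff", WRITE, level=2)]

# Constructed sample data: Deny and Allow for the same right set at the same level.
SAME_LEVEL = [Ace("allow", "GroupFull", FULL), Ace("deny", "GroupRead", WRITE)]

if __name__ == "__main__":
    print("member of both groups, write:", access_check(TEST_FOLDER, USER, WRITE))
    print("parent allow vs grandparent deny:", access_check(INHERITED, {"Staff"}, WRITE))
    print("same-level deny vs allow:", access_check(SAME_LEVEL, USER, WRITE))
```

On a real folder the same question is answered by the Effective Access tab under Advanced security settings, or by listing the entries with icacls.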

Hi Ramiro,

I removed the Read & Execute + List folders, leaving one group only, which is Full Access. But the user is still having the same problem.

August 25th, 2015 2:30am

This topic is archived. No further replies will be accepted.
