Windows Small Business Server 2011 : Working with Permissions (part 3) - Understanding Effective Permissions

9/20/2013 3:46:27 AM

2.2 Using Group Permissions

Although it is possible to assign permissions to individual users, the general rule of thumb for network administrators is to assign permissions to groups instead. You can then grant permissions to users simply by adding them to a group. This way, when creating accounts for new users, or when a user changes jobs within the organization, you only have to manage group memberships instead of assigning and revoking a large number of permissions to different resources.

2.3 Understanding Permission Inheritance

By default, permissions flow downward through a tree hierarchy. In the case of an NTFS volume, the permissions you assign to a folder are inherited by all the files and subfolders in that folder. Therefore, if you grant a user permission to access the root of a disk, that user receives the same permission for all the subordinate files and folders on that disk.

As a general rule, administrators design the directory structures of their disks to accommodate this phenomenon by placing the more restricted folders lower in the directory tree. For example, Windows SBS 2011 creates a Users folder on the C drive during the operating system installation and grants the Users group the following NTFS permissions to it:

  • Allow Read & Execute

  • Allow List Folder Contents

  • Allow Read

These permissions enable all members of the Users group to look at the contents of the folder, but they can’t modify or delete the files there. Beneath the Users folder are individual subfolders, named for each person who has logged onto the system. These folders contain the user profiles, with each user receiving the Allow Full Control permission for his or her profile folder. Thus, the permissions become more specific as you move downward through the tree.

It is possible to prevent folders from inheriting permissions from their parent folders, if necessary. One way to do this is to assign Deny permissions for a particular folder to a particular user or group. As you can see in the permission interfaces shown earlier, Windows SBS 2011 enables you to allow permissions or deny them. Deny permissions always override Allow permissions, so even if a user inherits permissions to a particular folder from a parent, an explicit Deny permission for that folder takes precedence. Another way to prevent permission inheritance is to open the Advanced Security Settings dialog box and clear the Include inheritable permissions from this object’s parent check box.

Both of these methods are effective ways of controlling permission inheritance, but they can complicate the access control process enormously, particularly if you have multiple administrators with different philosophies managing permissions for your network. Most administrators avoid using Deny permissions entirely and leave the default permission inheritance policies in place.

2.4 Understanding Effective Permissions

As you have seen, Windows SBS 2011 users can receive NTFS permissions for a particular file or folder in a variety of ways, including these:

  • From explicit user assignments

  • Inherited from parent folders

  • Through group memberships

In many cases, users receive permissions for a specific file or folder from multiple sources, and those permissions can sometimes conflict. In a case like this, it is important for administrators to understand how Windows SBS resolves these permission conflicts. The combination of Allow and Deny permissions for a file or folder that a security principal receives from all possible sources is called its effective permissions for that resource. The three basic rules to remember when evaluating permission combinations are as follows:

  • Allow permissions are cumulative. When a security principal receives different Allow permissions from various sources, the system combines them to form the effective permissions. For example, if a user inherits the Allow Read and Allow List Folder Contents permissions for a file from its parent folder, and receives the Allow Write and Allow Modify permissions for the same file from a group membership, the user’s effective permissions for the file are the combination of all four permissions.

  • Deny permissions override Allow permissions. When a security principal receives both Allow and Deny permissions from any single source, the Deny permissions take precedence over the Allow permissions. For example, if a user receives the Allow Full Control permission for a file from one group membership and the Deny Full Control permission for the same file from another group membership, then the Deny Full Control permission overrides the Allow Full Control permission, preventing the user from accessing the file in any way.

  • Explicit permissions take precedence over inherited permissions. When you explicitly assign a security principal permissions to a file or folder, these permissions override any permissions that the security principal inherits from a parent folder or receives from group memberships. For example, if a user inherits the Deny Full Control permission for a file from its parent folder, assigning the user the Allow Full Control permission for that file overrides the inherited permission and provides the user with full access.

Because the interactions of the various permission sources can sometimes be difficult to evaluate, the Advanced Security Settings dialog box for an NTFS file or folder enables you to view the effective permissions for a specific user or group. To view effective permissions, use the following procedure:

  1. Log on to your Windows SBS 2011 server using a domain account with administrative privileges.

  2. Open Windows Explorer and browse to the parent folder of the folder you want to access.

  3. Right-click the file or folder whose effective permissions you want to view. From the context menu, select Properties. The Properties sheet for the file or folder appears.

  4. Click the Security tab.

  5. Click Advanced. The Advanced Security Settings dialog box for the file or folder appears.

  6. Click the Effective permissions tab.

  7. Click Select. The Select User, Computer, Service Account, Or Group dialog box appears.

  8. In the Enter the object name to select text box, type the name of the security principal whose effective permissions you want to view and click OK. The security principal appears in the Group or user name text box and the Effective permissions box displays the permissions that the security principal currently possesses.

    Note

    Selected gray check boxes indicate permissions that the security principal has inherited from a parent folder. Selected white check boxes indicate permissions explicitly assigned to the security principal.

  9. Click OK to close the Advanced Security Settings dialog box.

  10. Click OK again to close the Properties sheet.

  11. Close Windows Explorer.
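
The PowerShell function below is an added example, not part of the original article. It approximates the effective NTFS rights that the Effective permissions tab displays by walking the access control list in its stored order, which is how the three rules in this section play out. The function name and the CONTOSO\jsmith account are hypothetical, the caller must supply the user's group memberships, and share permissions and ownership are not considered.

```powershell
# Added example (not from the original article). The function name and the
# sample identities are hypothetical; only the built-in Get-Acl cmdlet is used.
function Get-ApproxEffectiveRights {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # The user AND every group the user belongs to, as DOMAIN\name strings.
        [Parameter(Mandatory = $true)][string[]]$Identity
    )

    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $granted = 0   # rights allowed so far
    $denied  = 0   # rights denied so far

    # Get-Acl returns the entries in the order they are stored in the ACL.
    # Windows keeps that order canonical: explicit Deny, explicit Allow,
    # then the inherited entries.
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # Skip entries that belong to other principals.
        if ($Identity -notcontains $ace.IdentityReference.Value) { continue }
        # Skip inherit-only entries: they apply to children, not to $Path itself.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }

        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow') {
            # Allow is cumulative, but cannot restore a right denied earlier.
            $granted = $granted -bor ($mask -band (-bnot $denied))
        } else {
            # Deny blocks only rights not already granted by an earlier entry,
            # which is why an explicit Allow beats an inherited Deny.
            $denied = $denied -bor ($mask -band (-bnot $granted))
        }
    }

    New-Object PSObject -Property @{
        Path    = $Path
        Granted = [System.Security.AccessControl.FileSystemRights]$granted
        Denied  = [System.Security.AccessControl.FileSystemRights]$denied
    }
}

# Constructed sample call: a hypothetical user plus the built-in Users group.
Get-ApproxEffectiveRights -Path 'C:\Users' -Identity 'CONTOSO\jsmith', 'BUILTIN\Users'
```

Compare the Granted value with what the Effective permissions tab reports for the same principal; a mismatch usually means a group membership was left out of the -Identity list.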
