Studying for the A+, Network+ or Security+ exams? Get over 2,600 pages of FREE study guides at CertiGuide.com!|
Join the PC homebuilding revolution! Read the all-new, FREE 200-page online guide: How to Build Your Own PC!
NOTE: Using robot software to mass-download the site degrades the server and is prohibited. See here for more.
Find The PC Guide helpful? Please consider a donation to The PC Guide Tip Jar. Visa/MC/Paypal accepted.
|View over 750 of my fine art photos any time for free at DesktopScenes.com!|
Every time a user attempts a particular type of access to an object on NTFS, the system must determine if the access should be allowed. In theory, this is a simple matter of looking at the access control lists for the object, seeing what the permission settings are for the user, and determining if the desired access is allowed. Unfortunately, in reality, it's not this simple. :^) Since every object can have many different permission settings, it is possible that several different permission settings might apply to a particular object and access method. Furthermore, it is possible that these permission settings might conflict. When this occurs, the system must engage in a process of resolving the various permissions to determine which ones should govern the access.
Under the Windows NT permissions scheme, inheritance is static, so there is no issue with multiple inherited permission settings. Conflicts can still occur, however, because a particular user can have a permission associated with his user account and also a group of which he or she is a member--or, he or she could be a member of more than one user group. For example, user John may have permissions allowing him read permission on a particular file called "Struct01.acd". However, he may also be a member of the "Engineering" group, and that group may have both read and write access to that same file. There are two rules that are used for resolving permissions in the Windows NT scheme:
Windows 2000 offers much better control over how permissions are assigned, as well as the benefits of dynamic inheritance and advanced inheritance control. However, these extra features make permission resolution much more complicated. In addition to the potential conflicts caused by users being in more than one user group, as above, you can have conflicts between permissions that were set for the object directly and those that were inherited from any of the object's predecessors: its parent, grandparent and so on. Furthermore, the existence of both "allow" and "deny" permissions complicates matters further. To deal with these complexities, Windows 2000 uses an algorithm that follows these general rules:
The system combines these rules into a process that it uses to resolve various permission settings. Since directly-applied permissions take precedence over inherited ones, and "deny" permissions take precedence over "allow" permissions, it first looks for directly-set "deny" permissions, combining them all together for all groups the user is a member off. If it finds sufficient deny permission to refuse access, it is done--the access is refused. Otherwise, it looks at directly-set "allow" permissions. If it finds sufficient permission to allow access, the access is allowed. If not, it continues on; the sequence is as follows:
Well, this is certainly quite a bit more involved to explain than the NT permission resolution process--but that's the price you pay for the much more capable system implemented in Windows 2000. It's also not that difficult to understand once you get used to it. ;^) Here's an example that may help you to understand what's going on. Note that I am going to use only non-overlapping user groups to try to keep things somewhat manageable and not confuse you further. :^) Let's suppose we have the following permissions set on a structure:
Every member of the company is a member of "Everyone". All department managers and higher executives are members of group "Exec", and their assistants are members of "Assistants". All lower-level managers and workers are members of "Employees". The president and vice-president are members of groups "Exec" and "Top Exec". Now, consider the following access attempts:
That probably isn't the best of examples, but this page has already taken way too long to write, so it will have to do. :^) At any rate, it gives you an idea of the power you have with the Windows 2000 NTFS permissions system--and how much extra work the system has to do when it needs to figure out whether someone is allowed to do something with a particular file or folder.