It is common for users to belong to more than one group, and for those groups to have varying levels of resource access. When an ACL contains multiple entries, you must be able to evaluate the permissions that apply to a user based on his or her group memberships. The resulting permissions are called effective permissions.

Exam Tip Effective permissions are a common exam objective on most of the Microsoft Windows Server 2003 core exams, as well as on design and client exams. Pay close attention to this information, and to any practice questions regarding effective permissions, so you can be certain you have mastered the topic.

Understanding Effective Permissions
The rules that determine effective permissions are as follows:
■File permissions override folder permissions. This isn’t really a rule, but it is often presented that way in documentation, so it is worth addressing. Each resource maintains an ACL that is solely responsible for determining resource access. Although entries on that ACL may appear because they are inherited from a parent folder, they are nevertheless entries on that resource’s ACL. The security subsystem does not consult the parent folder to determine access at all. So you may interpret this rule as: The only ACL that matters is the ACL on the resource.
■Allow permissions are cumulative. Your level of resource access may be determined by permissions assigned to one or more groups to which you belong. The Allow permissions assigned to any of the user, group, or computer IDs in your security access token apply to you, so your effective permissions are fundamentally the sum of those Allow permissions. If the Sales Reps group is allowed Read & Execute and Write permissions to a folder, and the Sales Managers group is allowed Read & Execute and Delete permissions, a user who belongs to both groups will have effective permissions equivalent to the Modify permissions template: Read & Execute, Write, and Delete.

Lesson 2 Configuring File System Permissions 6-21
■Deny permissions take precedence over Allow permissions. A permission entry that denies access overrides an entry at the same level of inheritance that allows the same access. Extending the example above, if the Temporary Employees group is denied Read permission, and a user is a temporary sales representative belonging to both Sales Reps and Temporary Employees, that user will not be able to read the folder, even though Sales Reps is allowed Read & Execute.

Note Best practice dictates that you minimize the use of Deny permissions and focus instead on allowing the minimal permissions required to achieve the business task. Deny permissions add a layer of complexity to the administration of ACLs, and should be used only where absolutely necessary to exclude a user who has been granted permissions to the resource through other group memberships.

Exam Tip If a user is unable to access a resource because of a Deny permission, but access is desired, you must either remove the Deny permission or remove the user from the group to which the Deny permission is applied. If the Deny permission is inherited, you may instead provide access by adding an explicit Allow permission on the resource.

■Explicit permissions take precedence over inherited permissions. A permission entry that is explicitly defined for a resource overrides a conflicting inherited permission entry. This follows common-sense design principles: a parent folder sets a “rule” through its inheritable permissions. A child object requires access that is an exception to the rule, so an explicit permission is added to its ACL, and the explicit permission takes precedence. The mechanism behind this rule and the previous one is the canonical order in which Windows stores and evaluates the entries of a DACL: explicit Deny, explicit Allow, inherited Deny, inherited Allow. For any given permission, the first matching entry in that order decides the outcome.

Exam Tip A result of this dynamic is that an explicit Allow permission will override an inherited Deny permission.

Evaluating Effective Permissions
Complexity is a possibility, given the extraordinary control over granular permissions and inheritance that NTFS supports. With all those permissions, users and groups, how can you know what access a user actually has?
Microsoft added a long-awaited tool to help answer that question. The Effective Permissions tab of the Advanced Security Settings dialog box, shown in Figure 6-8, provides a reliable approximation of a user’s resulting resource access.
6-22 Chapter 6 Files and Folders

Figure 6-8 The Effective Permissions tab of the Advanced Security Settings dialog box

To use the Effective Permissions tool, click Select and identify the user, group, or built-in account to analyze. Windows Server 2003 then produces a list of effective permissions. This list is an approximation only. It does not take share permissions into account, nor does it evaluate the account’s special memberships, such as the following:
■ Anonymous Logon
■ Batch
■ Creator Group
■ Dialup
■ Enterprise Domain Controllers
■ Interactive
■ Network
■ Proxy
■ Restricted
■ Remote Interactive Logon
■ Service
■ System
■ Terminal Server User
■ Other Organization
■ This Organization
An ACL can contain entries for the Network or Interactive identities, for example, which would give a user different levels of resource access depending on whether the user was logged on locally or connecting through a network client. Because the tool evaluates the account without an actual logon session, it cannot know which of these logon-specific identities would be in the user’s token, and logon-specific permission entries are ignored. As an extra step, however, you can evaluate effective permissions for a built-in or special account such as Interactive or Network directly.
Windows Server 2003 includes a special security principal called Creator Owner, and an entry in a resource’s security descriptor that defines the object’s owner. To fully manage and troubleshoot resource permissions, you must understand these two parts of the security picture.
When a user creates a file or folder (which is possible if that user is allowed Create Files/Write Data or Create Folders/Append Data, respectively, on the parent folder), the user is the creator and initial owner of that resource. Any permissions on the parent folder assigned to the special account Creator Owner are explicitly assigned to the user on the new resource.
As an example, assume that a folder allows Users to create files (Allow Create Files/Write Data), and that the folder’s permissions allow Users Read & Execute and Creator Owner Full Control. This permission set allows Maria to create a file, and Maria, as the creator of that file, has Full Control of it. Tia can also create a file, and has Full Control of her file. However, Tia and Maria can only read each other’s files. Tia could, however, change the ACL on the file she created, because Full Control includes the Change Permissions special permission.
If for some reason Tia modified the ACL and denied herself Full Control, she could nevertheless modify the ACL again, because an object’s owner can always read and change its ACL: the access check grants the owner Read Permissions and Change Permissions regardless of the entries in the DACL. This prevents users from permanently locking themselves out of their own files and folders.
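The following Python model is an added illustration and not code from the training kit or from Windows itself. It works through both the effective-permissions rules from earlier in this lesson (cumulative Allows, Deny over Allow, explicit over inherited, all of which fall out of walking the DACL in canonical order) and the Creator Owner and owner-always-controls-the-ACL behaviour described just above. The users, groups, folder ACL and the simplified set of rights are constructed for the example; nothing here calls the real NTFS or Win32 security APIs.

```python
# Model of how NTFS computes effective permissions from a DACL. Added example,
# not code from the training kit; users, groups and ACLs are constructed, and the
# rights are a simplified subset of the NTFS special permissions named in the text.
from dataclasses import dataclass, field

READ_EXECUTE = frozenset({"Read", "Execute", "Read Permissions"})
WRITE, DELETE = frozenset({"Write"}), frozenset({"Delete"})
MODIFY = READ_EXECUTE | WRITE | DELETE
FULL_CONTROL = MODIFY | {"Change Permissions", "Take Ownership"}

@dataclass(frozen=True)
class Ace:
    principal: str            # user, group, or the special "Creator Owner"
    access: str               # "Allow" or "Deny"
    rights: frozenset
    inherited: bool = False   # True if propagated from the parent folder
    inheritable: bool = True  # False for folder-only entries such as Create Files

@dataclass
class SecurityDescriptor:
    owner: str
    dacl: list = field(default_factory=list)

# Canonical ACE order: explicit Deny, explicit Allow, inherited Deny, inherited
# Allow. Every rule in the text follows from walking the DACL in this order.
_ORDER = {("Deny", False): 0, ("Allow", False): 1, ("Deny", True): 2, ("Allow", True): 3}

def canonical(dacl):
    return sorted(dacl, key=lambda ace: _ORDER[(ace.access, ace.inherited)])

def effective_permissions(sd, user, groups):
    """Rights `user` actually holds. The first matching ACE in canonical order
    decides each right: Allows accumulate across groups, a Deny beats an Allow
    at the same level, and an explicit entry beats an inherited one."""
    token = {user, *groups}           # IDs carried in the user's access token
    granted, denied = set(), set()
    for ace in canonical(sd.dacl):
        if ace.principal not in token:
            continue
        if ace.access == "Deny":
            denied |= ace.rights - granted
        else:
            granted |= ace.rights - denied
    # The access check grants the owner Read Permissions and Change Permissions
    # regardless of the DACL, so an owner cannot lock herself out of the ACL.
    if user == sd.owner:
        granted |= {"Read Permissions", "Change Permissions"}
    return granted

def create_file(parent, creator):
    """New file under `parent`: the creator becomes owner, inheritable entries are
    copied as inherited, and Creator Owner entries are assigned to the creator
    (the text describes these as explicit entries on the new file)."""
    child = SecurityDescriptor(owner=creator)
    for ace in parent.dacl:
        if not ace.inheritable:
            continue
        if ace.principal == "Creator Owner":
            child.dacl.append(Ace(creator, ace.access, ace.rights, inherited=False))
        else:
            child.dacl.append(Ace(ace.principal, ace.access, ace.rights, inherited=True))
    return child

def demo():
    # Allows accumulate across groups; a Deny on one group overrides them.
    sales = SecurityDescriptor("Administrators", [
        Ace("Sales Reps", "Allow", READ_EXECUTE | WRITE),
        Ace("Sales Managers", "Allow", READ_EXECUTE | DELETE),
        Ace("Temporary Employees", "Deny", frozenset({"Read"})),
    ])
    manager = effective_permissions(sales, "pat", {"Sales Reps", "Sales Managers"})
    temp = effective_permissions(sales, "sam", {"Sales Reps", "Temporary Employees"})
    # An explicit Allow on a child object wins over an inherited Deny.
    child = SecurityDescriptor("Administrators", [
        Ace("Temporary Employees", "Deny", frozenset({"Read"}), inherited=True),
        Ace("sam", "Allow", READ_EXECUTE),
    ])
    exception = effective_permissions(child, "sam", {"Temporary Employees"})
    # Creator Owner: Maria and Tia each get Full Control of their own file only.
    folder = SecurityDescriptor("Administrators", [
        Ace("Users", "Allow", READ_EXECUTE),
        Ace("Users", "Allow", frozenset({"Create Files"}), inheritable=False),
        Ace("Creator Owner", "Allow", FULL_CONTROL),
    ])
    marias_file, tias_file = create_file(folder, "maria"), create_file(folder, "tia")
    tia_on_marias = effective_permissions(marias_file, "tia", {"Users"})
    # Tia denies herself Full Control on her own file; as owner she keeps the
    # right to read and change the ACL, so she can undo the mistake.
    tias_file.dacl.insert(0, Ace("tia", "Deny", FULL_CONTROL))
    tia_locked_out = effective_permissions(tias_file, "tia", {"Users"})
    return {"manager": manager, "temp": temp, "exception": exception,
            "tia_on_marias": tia_on_marias, "tia_locked_out": tia_locked_out}

if __name__ == "__main__":
    for name, rights in demo().items():
        print(f"{name}: {sorted(rights)}")
```

Running the script prints the five scenarios: the manager gets the Modify set, the temporary sales rep keeps Write but loses Read to the Deny, the explicit Allow on the child restores Read despite the inherited Deny, Tia has only Read & Execute on Maria’s file, and after denying herself Full Control Tia is left with exactly the two owner rights. The model deliberately mirrors the Effective Permissions tab’s limits: it knows nothing about share permissions or logon-type identities such as Interactive and Network.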
It is best practice to manage object ownership so that an object’s owner is correctly defined. This is partly because owners can modify ACLs of their objects, and also because newer technologies, such as disk quotas, rely on the ownership attribute to calculate disk space used by a particular user. Prior to Windows Server 2003, managing ownership was awkward. Windows Server 2003 has added an important tool to simplify ownership transfer.
An object’s owner is defined in its security descriptor. The user who creates a file or folder is its initial owner. Another user can take ownership, or be given ownership, of the object using one of the following processes:
■ Administrators can take ownership. A user who belongs to the Administrators group of a system, or who has otherwise been granted the Take Ownership Of Files Or Other Objects user right, can take ownership of any object on the system, regardless of the permissions on that object.
To take ownership of a resource, click the Owner tab of the Advanced Security Settings dialog box, as shown in Figure 6-9. Select your user account from the list and click Apply. Select the Replace Owner On Subcontainers And Objects check box to take ownership of subfolders and files as well.

Figure 6-9 The Owner tab of the Advanced Security Settings dialog box

■ Users can take ownership if they are allowed the Take Ownership permission. The special permission Take Ownership can be granted to any user or group. A user with an Allow Take Ownership permission can take ownership of the resource and then, as owner, modify the ACL to grant sufficient permissions.
■ Administrators can facilitate the transfer of ownership. An administrator can take ownership of any file or folder. Then, as owner, the administrator can change permissions on the resource to grant Allow Take Ownership permission to the new owner, who then can take ownership of the resource.
■ The Restore Files And Directories user right enables the transfer of ownership. A user with the Restore Files And Directories user right may transfer ownership of a file from one user to another. If you have been assigned this right, you can click Other Users Or Groups on the Owner tab and select the new owner. This capability is new in Windows Server 2003, and makes it possible for administrators and backup operators to manage and transfer resource ownership without requiring user intervention.