Mechanism for applying shared and NTFS permissions [message #400470] Fri, 26 February 2010 08:35
Altria, United States
Hello All,

Can someone point me to documentation explaining the mechanism for security
descriptors/attributes when applying permissions via changing group
memberships for users. I do not need to know what file permissions are and
what needs to be set but rather the background mechanism on how it actually
gets applied and when it takes effect. For example, suppose a user is mapped
to a shared drive and has full control on sharing and file system
permissions via group membership. I decide that this person no longer needs
full but rather read access on file/folder, after making the change
(removing from the group) when does the modification take effect? Outside of
network conditions, a minute? an hour? upon reboot? refresh? new security
token?, etc. Also would the same apply if the person is not in a group and I
changed the ACLs directly for the user?

I have done perm modifications countless times but I never had to count the
time lapse of when it would take effect. I assumed it was immediate but now
I would like to know the exact process happening and avg. length of time.

Thanks,
Altria
Re: Mechanism for applying shared and NTFS permissions [message #400496 is a reply to message #400470] Fri, 26 February 2010 08:58
Chris Dent, United Kingdom
Hi Altria,

> [removed from a group] when does the modification take effect?

At next logon; group tokens are only updated at logon.

> Also would the same apply if the person is not in a group and I
> changed the ACLs directly for the user?

No, if it were a permission directly assigned to the user the effect is
immediate and will apply as soon as the ACL is enumerated (next time the
user attempts to access a resource).

Chris
Re: Mechanism for applying shared and NTFS permissions [message #400562 is a reply to message #400496] Fri, 26 February 2010 09:55
Remy, United States
On Feb 26, 10:58 am, Chris Dent <ch...@noreply.null> wrote:
> Hi Altria,
>
>  > [removed from a group] when does the modification take effect?
>
> At next logon; group tokens are only updated at logon.
>
>  > Also would the same apply if the person is not in a group and I
>  > changed the ACLs directly for the user?
>
> No, if it were a permission directly assigned to the user the effect is
> immediate and will apply as soon as the ACL is enumerated (next time the
> user attempts to access a resource).
>
> Chris

However, if it's the other way around, i.e. the user needs access to the
files/folders and you add them to the group, then a logoff/logon will
need to happen in order for the new group membership to apply to that
user.
Re: Mechanism for applying shared and NTFS permissions [message #400798 is a reply to message #400562] Fri, 26 February 2010 14:13
Altria, United States
Thanks all for your fast responses. Does anyone know any TechNet documents
that specify that this is indeed the case?

So to be clear, User set ACLs to a resource are applied upon access to a
request and are immediate, whereas group membership modifications take
place upon logon from obtaining a new token. Is that correct?

TIA,
Altria
Re: Mechanism for applying shared and NTFS permissions [message #402252 is a reply to message #400798] Mon, 01 March 2010 02:11
Chris Dent, United Kingdom
Hi Altria,

Yes, see this:

http://technet.microsoft.com/en-us/library/cc783557%28WS.10%29.aspx

The first paragraph states that the log off and log on again is required
to update the token, with a fair amount of detail about how the token is
built and used.

And yes, your clarification is correct.

There is one other issue that's perhaps worth introducing. If you use
universal and global group caching it may take up to 8 hours for a
membership change to apply. See:

http://support.microsoft.com/kb/871159

All the best,

Chris

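
A small model of the behaviour described in this thread, added as an illustration and not code from any poster: the token is a snapshot of SIDs taken at logon, while the DACL is read on every access. The user name, group names and two-bit access mask are constructed for the example, and the model leaves out the group-caching delay mentioned in the last reply.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2
FULL = READ | WRITE

@dataclass(frozen=True)
class Token:
    """Snapshot of the user's SIDs, taken once at logon."""
    sids: frozenset

def logon(user, directory):
    # Group membership is read from the directory only here.
    groups = {g for g, members in directory.items() if user in members}
    return Token(frozenset({user} | groups))

def access_check(token, dacl, desired):
    """Walk the ACEs in order on every access: a matching deny on a bit still
    needed fails; matching allows accumulate until every bit is granted."""
    remaining = desired
    for ace_type, sid, mask in dacl:
        if sid not in token.sids:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return False

def scenario():
    # Constructed sample data: hypothetical groups ShareFull and ShareRead.
    directory = {"ShareFull": {"altria"}, "ShareRead": {"altria"}}
    dacl = [("allow", "ShareFull", FULL), ("allow", "ShareRead", READ)]
    token = logon("altria", directory)
    results = {}
    # 1. Removed from the group: the token in use still carries the group SID.
    directory["ShareFull"].discard("altria")
    results["stale_token_write"] = access_check(token, dacl, WRITE)
    # 2. A new logon builds a new token from current membership.
    token2 = logon("altria", directory)
    results["new_token_write"] = access_check(token2, dacl, WRITE)
    results["new_token_read"] = access_check(token2, dacl, READ)
    # 3. ACE naming the user directly: seen at the next access, no logon needed.
    dacl.append(("allow", "altria", WRITE))
    results["direct_ace_write"] = access_check(token2, dacl, WRITE)
    # 4. Added back to the group: the token in use does not gain the SID.
    dacl.pop()
    directory["ShareFull"].add("altria")
    results["added_group_old_token"] = access_check(token2, dacl, WRITE)
    return results
```
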