1. Take the least restrictive share permission assigned to that user, either directly or through group membership. So if a user has been directly assigned the READ share permission, and is a member of a group that has been assigned the CHANGE permission, their effective Share permission is CHANGE.
2. Take the least restrictive NTFS permission assigned to that user, either directly or through group membership. So if a user has been directly assigned the READ NTFS permission, and is a member of a group that has been assigned the FULL CONTROL permission, their effective Share permission is FULL CONTROL.
3. Take the MOST restrictive permission between the effective permissions in steps 1 & 2. So if a user's effective share permission is CHANGE and their effective NTFS permission is FULL CONTROL, their permission on the file is CHANGE.
You should also look for any "Deny" settings that could be preventing the user from accessing the file, since a "Deny" entry in an Access Control List will override any other permissions that have been directly assigned.
Dig deeper on Microsoft Active Directory Tools and Troubleshooting
Related Q&A from Laura E. Hunter
Active Directory expert Laura E. Hunter offers some advice for changing the IP addresses of domain controllers.continue reading
A Windows administrator moving from Windows Server 2003 to Windows Server 2003 R2 wants to perform a restore of a previous server to a new one ...continue reading
An admin has two domains and two Active Directories. He wants to know how to join the Active Directories so that internal staff can access both, but ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.