Get a glimpse inside Paul Cooke's e-book "The definitive guide to Windows 2000 security" with this series of book excerpts, courtesy of Realtimepublishers.com. This excerpt is from Chapter 5, "Configuring access control." Click for the book excerpt series or get the full e-book.
Permissions vs. privileges
Generally speaking, permissions and privileges collide when the privileges required to perform some administrative action conflict or overlap with the permissions of a resource. Whenever a conflict arises between a permission and a privilege, the privilege always wins. To show why, I'll give you a quick example of the process of backing up the folders and files on a computer.
If you need to back up a complete volume, your backup software needs to be able to traverse all the folders on the NTFS volume, read the folder contents, read the attributes of every file, and read the data of every file. Obviously, you don't want to ask every one of your users to grant you access to perform your backup. To get around this situation, you use the Back Up Files and Directories privilege to access the account from which you perform backups. This privilege allows you to back up the necessary folders and files on the system because it overrides the permissions on the NTFS volume.
Click for the next excerpt in this series: Security groups