WOW, read the question!!!! Box 1: No. User 1 share permission in Change (domain users), NTFS = Full Control, most restrictive applies when combining permissions Box 2: Yes. User 2 has Read NTFS and Change (share) Read wins Box 3: Yes. User 3 has Write NTFS and Change (share) Write wins

Wrong, NYY

YYY 1) User 1 has direct non-inherited Full Control rights (same as the highest level admin), so they can take ownership. 2) User 2 has read rights on the folder. List folder is part of those rights, so they can see the file. 3) User 3 has read rights on the folder. List folder is part of those rights, so they can see the file.

Let's analyze each of the statements: When User1 connects to \Server1.adatum.com\Share1), the user can take ownership of File1.txt. Yes, User1 can take ownership of File1.txt. This is because User1 has full control, which includes the permission to take ownership of a file. When User2 connects to \Server1.adatum.com\Share1), File1.txt is visible. Yes, File1.txt will be visible to User2. User2 has “Change” permission, which includes permission to read files. When User3 connects to \Server1.adatum.com\Share1, File1.txt is visible. Yes, File1.txt will be visible to User3. User3 has “Change” permission, which includes permission to read files.

NYN You guys are confuse WRITE permission with MODIFY MODIFY implies READ WRITE doesn't imply READ - can be a separate permission without READ Screenshot shows WRITE permission and NOT READ so the file is not visible

Test it for yourself in your labs. User3 cannot see it. Write doesn't give you "Read" permissions. You need to explicitly tick "Read" (and also "Write") if you want User3 to be able to write to the file. Answer is: N

1. NO, you will also need full share access to change the ownership. [tested] 2. YES, user has read permissions. [tested] 3. NO, user only has write permissions, therefore cannot read the file. [tested]

Correct NO. YES. YES. (reason below) - Usee3 has NTFS Write permission on File1.txt. - SHARE1 is a shared folder with Domain users having CHANGE allow permissions. which includes the ability to view files and folders within the share. - FolderEnumerationMode is set to AccessBased, which means that file and folder visibility is determined based on the user's NTFS permissions. So, in summary, User1 will be able to see and access File1.txt when connecting to \SERVER1\SHARE1\ due to their NTFS Write permission and the share-level CHANGE permissions granted to Domain users.

In an NTFS file share where the FolderEnumerationMode is set to "AccessBased," users who have access to a folder (or share) can see the items within that folder based on their effective permissions. This means that users will only see files and folders for which they have at least the "List Folder Contents" permission. In your scenario, User3 has only WRITE permission on the file "file1.txt." Since WRITE permission does not include the "List Folder Contents" permission, User3 would not be able to see the file "file1.txt" in the share, even though they have write access to that specific file. They would not have the necessary permission to enumerate the contents of the folder that contains "file1.txt," so the file would be effectively hidden from User3 when they browse the share. To summarize, with the settings you described, User3 would not be able to see the file "file1.txt" in the share. They can only modify the file since they have WRITE permission directly on that file, but they don't have the necessary permissions to list the contents of the folder that contains the file.

Good : N,Y,Y https://www.varonis.com/blog/ntfs-permissions-vs-share

#3 is definitely NO. I just tested this out as described. The key is the FolderEnumerationMode. Write permissions isn't enough to see the file over the network. User3 would also need to have READ permissions.

https://www.ntfs.com/ntfs-permissions-ownership.htm#:~:text=You%20must%20have%20Full%20Control,to%20any%20user%20or%20group. You must have Full Control or the special permissions "Take Ownership" to be able to take ownership of a file or folder. I would say Yes to all

Reproduced in Lab - It's N Y N

I just tested this in a lab, and it seems that it's YYN. User1 - Sees the txt file and is able to open the txt file, make changes, and save them. User2 - Sees the txt file and is able to open the txt file, but cannot save any changes (when you try and save, the "save as" prompt comes up User3 - when navigating to that share, they cannot see that file Pretty quick and easy to recreate. Not sure if anyone else has tested this but this is correct in my lab setting.

Box1: no- has change but not full controll cannot take ownership Box2: yes Box 3:no - Has write but not read- Access based enumeration says no see

Suggested answer is wrong! Correct one should be: No - because Share permission is only Change thus it blocks possibility of taking ownership Yes - no comment is necessary No - there is information in question text that Share1 has option FolderEnumerationMode set to AccessBased - it means that if some account does not have Read permission to the file, that account does not see that file. I tested it in my lab

NYY That's specifically the point I taught to my team members that why sharing permissions are important