Mechanism for applying shared and NTFS permissions

Active Directory


  #1  
Old 26-02-2010
Altria
 
Posts: n/a
Mechanism for applying shared and NTFS permissions

Hello All,

Can someone point me to documentation explaining the mechanism for security
descriptors/attributes when applying permissions via changing group
memberships for users. I do not need to know what file permissions are and
what needs to be set but rather the background mechanism on how it actually
gets applied and when it takes effect. For example, suppose a user is mapped
to a shared drive and has full control on sharing and file system
permissions via group membership. I decide that this person no longer needs
full but rather read access on file/folder, after making the change
(removing from the group) when does the modification take effect? Outside of
network conditions, a minute? an hour? upon reboot? refresh? new security
token?, etc. Also would the same apply if the person is not in a group and I
changed the ACLs directly for the user?

I have done perm modifications countless times but I never had to count the
time lapse of when it would take effect. I assumed it was immediate but now
I would like to know the exact process happening and avg. length of time.

Thanks,
Altria


Reply With Quote
  #2  
Old 26-02-2010
Chris Dent
 
Posts: n/a
Re: Mechanism for applying shared and NTFS permissions

Hi Altria,

> [removed from a group] when does the modification take effect?


At next logon, group tokens are only updated at logon.

> Also would the same apply if the person is not in a group and i
> changed the ACLs directly for the user?


No, if it were a permission directly assigned to the user the effect is
immediate and will apply as soon as the ACL is enumerated (next time the
user attempts to access a resource).

Chris
Reply With Quote
  #3  
Old 26-02-2010
RemyMaza
 
Posts: n/a
Re: Mechanism for applying shared and NTFS permissions

On Feb 26, 10:58 am, Chris Dent <ch...@noreply.null> wrote:
> Hi Altria,
>
> > [removed from a group] when does the modification take effect?
>
> At next logon, group tokens are only updated at logon.
>
> > Also would the same apply if the person is not in a group and i
> > changed the ACLs directly for the user?
>
> No, if it were a permission directly assigned to the user the effect is
> immediate and will apply as soon as the ACL is enumerated (next time the
> user attempts to access a resource).
>
> Chris


However, if it's the other way around, i.e. the user needs access to the
files/folders and you add them to the group, then a logoff/logon will
need to happen in order for the new group membership to apply to that
user.
Reply With Quote
  #4  
Old 27-02-2010
Altria
 
Posts: n/a
Re: Mechanism for applying shared and NTFS permissions

Thanks all for your fast responses. Does anyone know any TechNet documents
that specify that this is indeed the case?

So to be clear, user-set ACLs to a resource are applied upon access to a
request and are immediate, whereas group membership modifications take
place upon logon from obtaining a new token. Is that correct?

TIA,
Altria
Reply With Quote
  #5  
Old 01-03-2010
Chris Dent
 
Posts: n/a
Re: Mechanism for applying shared and NTFS permissions


Hi Altria,

Yes, see this:

http://technet.microsoft.com/en-us/l...8WS.10%29.aspx

The first paragraph states that the log off and log on again is required
to update the token, with a fair amount of detail about how the token is
built and used.

And yes, your clarification is correct.

There is one other issue that's perhaps worth introducing. If you use
universal and global group caching it may take up to 8 hours for a
membership change to apply. See:

http://support.microsoft.com/kb/871159

All the best,

Chris

Reply With Quote
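
The gap this thread describes, between the groups frozen into a token at logon and the groups the directory holds now, can be checked from the user's own session. The PowerShell below is an added example, not code from any poster; it assumes a domain account on a domain-joined machine with a reachable domain controller, compares only groups from the user's own domain, and uses illustrative variable and function names.

```powershell
# Added example: compare the logon-time token with current directory membership.
# Run in the affected user's own session; names here are illustrative.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$domainSid = $identity.User.AccountDomainSid
if (-not $domainSid) { throw 'Current identity is not an account SID.' }
$prefix = $domainSid.Value + '-'

# Group SIDs frozen into the access token when this logon session was created.
$tokenSids = @($identity.Groups |
    ForEach-Object { $_.Value } |
    Where-Object { $_.StartsWith($prefix) })

# Group SIDs the directory would issue now. tokenGroups is a constructed
# attribute, so it has to be requested explicitly on the user object.
$found = ([adsisearcher]"(objectSid=$($identity.User.Value))").FindOne()
if (-not $found) { throw 'User object not found in the directory.' }
$entry = $found.GetDirectoryEntry()
$entry.psbase.RefreshCache([string[]]@('tokenGroups'))
$dirSids = @(foreach ($bytes in $entry.psbase.Properties['tokenGroups']) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier ([byte[]]$bytes, 0)
    if ($sid.Value.StartsWith($prefix)) { $sid.Value }
})

function Resolve-SidName([string]$Sid) {
    try {
        $s = New-Object System.Security.Principal.SecurityIdentifier $Sid
        $s.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }   # unresolvable SID: show it raw
}

# In the token but no longer in the directory: removed from the group, yet
# this session keeps the membership until the user logs off.
$tokenSids | Where-Object { $dirSids -notcontains $_ } | ForEach-Object {
    [pscustomobject]@{ Group = Resolve-SidName $_; State = 'Removed in AD, still in token' }
}

# In the directory but not in the token: added to the group, not usable
# until the next logon builds a new token.
$dirSids | Where-Object { $tokenSids -notcontains $_ } | ForEach-Object {
    [pscustomobject]@{ Group = Resolve-SidName $_; State = 'Added in AD, not in token yet' }
}
```

No output means the local session token and the directory agree for groups in the user's domain.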