NTFS and CIFS share access and permissions

Question

Lets say I created NTFS partition my_ntfs_volume as local administrator and assigned two application groups to it: domain_group_app1_ro:

• Full control - no
• Modify - no
• Read & Execute - yes
• List folder Content - yes
• Read - yes
• Write - no
• Special Permissions - no

domain_group_app1_rw:

• Full control - no
• Modify - no
• Read & Execute - yes
• List folder Content - yes
• Read - yes
• Write - yes
• Special Permissions - no

What I try to understand is how permissions on NTFS level correlate with permissions on CIFS share level.

Scenario 1

I add my regular (without local admin. rights) account to both groups. Will resulted access be read-only for me? I guess, the answer is "yes".

Scenario 2

I removed my account from read-only group. Will resulted access be read-write for me? I guess, the answer is "yes".

Scenario 3

With permissions I assigned to group domain_group_app1_rw will I be able to add extra application groups to the list, so that users from application2 also be able to access the partition? I guess the answer is "no", since the Modify permissions is set to "no".

Scenario 4

As administrator I created CIFS share for my volume. Now I have a dilemma.

• I can remove application groups from NTFS ACLs and add Everyone with FUll control access. At the same time I assign those two application groups to the CIFS share with the access rights I mentioned above. This way anyone who can login to the Windows server where volume is created will be able to access the data and modify everything. Not very good solution, I guess.
• Therefore, on NTFS level I better add local administrators group with Full control and both application groups with the access I mentioned above. Then, using the CIFS share users will have their rights depending on their group membership. I consider it as safe and convenient way of managing NTFS volumes.
• I also have seen setup when on NTFS level administrator assigns those two application groups with those permissions, but on CIFS share level it was only Everyone with Full access. Technically it should be safe as well, since NTFS permissions will not allow anything beyond the access they provide. On the other hand I do not like the situation when I as a user or security inspector do not see list of groups and the way they provide access on CIFS share level.

Could someone assess my understanding of the setup in these scenarios. It is just there is no one around here who could look at the setup from multiple standpoints. I try to establish rules for safe setup and yet minimize administration overhead. I try to have two groups access as a standard setup.

Another set of questions related to "Modify" permission.

My understanding is if Modify is set to "yes", either to RO or RW group, the members of the group will be able to change different permissions and may be able to lock themselves out at some part of the folders tree. Which will require administrator to run re-permissioning through the entire tree of folders. Not pretty situation, I guess. Therefor, as a rule of thumb, the Modify permissions must be set to "no" for all application groups.