I understand this, but I wonder if someone could suggest a better way of achieving what I currently do with a deny ACE.
I work in a college and there is a security group for each course we run (about 4000). Each student is in the security group for their course(s). Most students are not allowed to access the control panel, desktop etc. and this is controlled by a group policy. A small number of students need this access so we deny their groups access to the policy which would otherwise enforce the desktop restrictions.

This works but, from the stuff below and elsewhere, is obviously a "bad idea". The obvious solution is to remove the allow ACE for authenticated users and explicitly allow access for all the groups that do need to be restricted. This would be a lot of groups (but I'd guess they could all be added to a single group for tidiness) but could cause conflicts - a student might take course ABCD1234 which doesn't allow desktop access but also DEFG5678 which does need desktop access. The fact that the first group is allowed to apply the policy means that this student won't get to control panel etc. and I can't see any way round this.

Help!

Steve

-----Original Message-----
From: Free, Bob [mailto:[EMAIL PROTECTED]
Sent: 10 June 2003 19:58
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and GPO Design Comments

> "Note: Use the Deny ACE with caution. A Deny ACE setting for any group has precedence over any Allow ACE given to a user or computer because of membership in another group."
>
> I liked the way one of the MS guys put it in the GP newsgroup a while back:
>
> "I would discourage you from using "Deny" ACEs - they tend to over-complicate your security group model and make things difficult to troubleshoot. You can also get into trouble if you accidentally set a deny permission for the wrong group and end up denying them from having access to the GPO to fix it."

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
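A check that helps with the troubleshooting problem the thread describes, added here as an example and not code from either poster: enumerate every GPO whose security filtering carries a Deny ACE, and show which of those a given student's groups would hit (the ABCD1234/DEFG5678 overlap case). It assumes the RSAT GroupPolicy and ActiveDirectory PowerShell modules on a domain-joined machine with read access to the GPOs; the function names are my own.

```powershell
# Added example, not from the thread. Lists Deny ACEs in GPO security filtering,
# the pattern the quoted advice warns against, because a Deny on any group wins
# over an Allow granted through another group.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoDenyAce {
    param([string]$DomainName = $env:USERDNSDOMAIN)
    foreach ($gpo in Get-GPO -All -Domain $DomainName) {
        # -All returns every trustee on the GPO's ACL, Deny entries included
        foreach ($p in Get-GPPermission -Guid $gpo.Id -All -DomainName $DomainName) {
            if ($p.Denied) {
                [pscustomobject]@{
                    Gpo        = $gpo.DisplayName
                    Trustee    = $p.Trustee.Name
                    TrusteeSid = $p.Trustee.Sid.Value
                    Permission = $p.Permission   # e.g. GpoApply, GpoRead
                    Inherited  = $p.Inherited
                }
            }
        }
    }
}

function Test-UserAgainstDenyAces {
    # Reports which Deny-filtered GPOs a user's group membership touches, so a
    # student in both a restricted course group and a denied course group is
    # visible before the filtering is changed. Direct membership only; nested
    # groups are not expanded (assumption: course groups are assigned directly).
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    $sids = Get-ADPrincipalGroupMembership -Identity $user |
            ForEach-Object { $_.SID.Value }
    Get-GpoDenyAce | Where-Object { $sids -contains $_.TrusteeSid }
}

# Usage: full inventory of Deny ACEs, then one student's exposure to them.
Get-GpoDenyAce | Format-Table -AutoSize
Test-UserAgainstDenyAces -SamAccountName 'student.example' | Format-Table -AutoSize
```

The Deny rows are the ones to replace with an Allow-only model; a student who appears in the second listing with more than one course group is exactly the conflict the message above asks about.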
