Thanks all. That makes sense but it would've helped if MS had something built-in to raise a flag in such situations where an allow may override a deny.
AA -----Original Message----- From: Mark Parris [mailto:[EMAIL PROTECTED] Sent: Thursday, January 12, 2006 3:55 PM To: ActiveDir.org Subject: Re: [ActiveDir] File Permissions: Deny vs. Allow The reason this happens is that that when looking for access to a directory or file windows goes through its list of acls until it gets a response - yes let me in or no don't let me in. But as soon as it has a response it stops looking for further responses so if a yes (allow) is found yet further down the list of acls there is a no (deny) it is never read so it is not applied. This has been demonstrated in many of john craddocks ad sessions. Mark -----Original Message----- From: Ahmed Al-Awah <[EMAIL PROTECTED]> Date: Thu, 12 Jan 2006 14:40:34 To:"'[email protected]'" <[email protected]> Subject: [ActiveDir] File Permissions: Deny vs. Allow Hi all, I'm hoping someone can help explain a situation I came across recently. I have a global security group that has been denied access to a specific network drive (a folder on a server). However, certain members within the global security group are able to access the drive. After some research I found that the global group was a "member of" a domain local group with access to the drive in question. When the group was removed from the domain local group (but were still members of the global group) the said users were no longer able to access the drive. File permissions, as I understand them, are designed such that deny permissions will always override allow permissions but in this case it seems that this is not the case, hence my confusion. P.S.: Just as an FYI, the global group and domain local group are located in different OUs but are part of the same domain. Any clarifications on why this is happening are appreciated. Thanks, Ahmed List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
