It seems to me that if this were true, you would get inconsistent access to a file or folder whenever you were member of two groups that had access where one group had ReadOnly and the other had Full Control.
Yet, I have never seen that behavior.... The answer from the earlier provided link seems more accurate. -ASB FAST, CHEAP, SECURE: Pick Any TWO http://www.ultratech-llc.com/KB/ On 1/12/06, Mark Parris <[EMAIL PROTECTED]> wrote: > The reason this happens is that that when looking for access to a directory > or file windows goes through its list of acls until it gets a response - yes > let me in or no don't let me in. But as soon as it has a response it stops > looking for further responses so if a yes (allow) is found yet further down > the list of acls there is a no (deny) it is never read so it is not applied. > > This has been demonstrated in many of john craddocks ad sessions. > > Mark > > -----Original Message----- > From: Ahmed Al-Awah <[EMAIL PROTECTED]> > Date: Thu, 12 Jan 2006 14:40:34 > To:"'[email protected]'" <[email protected]> > Subject: [ActiveDir] File Permissions: Deny vs. Allow > > Hi all, > > I'm hoping someone can help explain a situation I came across recently. I > have a global security group that has been denied access to a specific > network drive (a folder on a server). However, certain members within the > global security group are able to access the drive. > > After some research I found that the global group was a "member of" a domain > local group with access to the drive in question. When the group was removed > from the domain local group (but were still members of the global group) the > said users were no longer able to access the drive. > > File permissions, as I understand them, are designed such that deny > permissions will always override allow permissions but in this case it seems > that this is not the case, hence my confusion. > > > P.S.: Just as an FYI, the global group and domain local group are located in > different OUs but are part of the same domain. > > Any clarifications on why this is happening are appreciated. > > Thanks, > Ahmed > List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
