The security reference monitor evaluates the list of entries in this order: noninherited deny, noninherited allow, inherited deny, and inherited allow.
That means the noninherited allow will override the inherited deny.

:m:dsm:cci:mvp
marcusoh.blogspot.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Thursday, January 12, 2006 8:38 PM
To: [email protected]
Subject: Re: [ActiveDir] File Permissions: Deny vs. Allow

It seems to me that if this were true, you would get inconsistent access to a file or folder whenever you were a member of two groups that had access where one group had ReadOnly and the other had Full Control. Yet, I have never seen that behavior....

The answer from the earlier provided link seems more accurate.

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On 1/12/06, Mark Parris <[EMAIL PROTECTED]> wrote:
> The reason this happens is that when looking for access to a directory or file, Windows goes through its list of ACLs until it gets a response: yes, let me in, or no, don't let me in. But as soon as it has a response it stops looking for further responses, so if a yes (allow) is found, yet further down the list of ACLs there is a no (deny), it is never read, so it is not applied.
>
> This has been demonstrated in many of John Craddock's AD sessions.
>
> Mark
>
> -----Original Message-----
> From: Ahmed Al-Awah <[EMAIL PROTECTED]>
> Date: Thu, 12 Jan 2006 14:40:34
> To: "'[email protected]'" <[email protected]>
> Subject: [ActiveDir] File Permissions: Deny vs. Allow
>
> Hi all,
>
> I'm hoping someone can help explain a situation I came across recently. I have a global security group that has been denied access to a specific network drive (a folder on a server). However, certain members within the global security group are able to access the drive.
>
> After some research I found that the global group was a "member of" a domain local group with access to the drive in question. When the group was removed from the domain local group (but the users were still members of the global group), the said users were no longer able to access the drive.
>
> File permissions, as I understand them, are designed such that deny permissions will always override allow permissions, but in this case it seems that this is not the case, hence my confusion.
>
> P.S.: Just as an FYI, the global group and domain local group are located in different OUs but are part of the same domain.
>
> Any clarifications on why this is happening are appreciated.
>
> Thanks,
> Ahmed
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
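The evaluation order Marcus gives at the top of the thread (noninherited deny, noninherited allow, inherited deny, inherited allow), together with the "walk the list until you have an answer" behaviour Mark describes, is modelled below as an added Python example. It is not code from the thread and not Windows' own implementation; the group names, the simplified rights bits, and the assumption that the global group's deny is an inherited ACE while the domain local group's allow is explicit on the folder are all constructed for illustration. It reproduces Ahmed's case (a user in both groups gets in, a user in only the denied group does not) and also shows the contrast where both ACEs are explicit, in which case the deny is reached first and wins.

```python
"""Toy model of a Windows DACL access check in canonical ACE order.

Added example; not code from the mailing-list thread or from Windows.
Trustee names, rights bits and the inherited/explicit choice are constructed.
"""
from dataclasses import dataclass

# Simplified rights bits (constructed; not the real FILE_* mask values)
READ = 0x1
WRITE = 0x2
EXECUTE = 0x4
FULL_CONTROL = READ | WRITE | EXECUTE


@dataclass(frozen=True)
class Ace:
    trustee: str      # group or user the ACE applies to
    allow: bool       # True = access-allowed ACE, False = access-denied ACE
    mask: int         # rights bits the ACE grants or denies
    inherited: bool   # True if the ACE was inherited from a parent folder


def canonical_order(dacl):
    """Sort ACEs the way the reference monitor evaluates them:
    explicit deny, explicit allow, inherited deny, inherited allow.
    (False sorts before True, so the tuple key gives exactly that order.)"""
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.allow))


def access_check(dacl, token_groups, requested):
    """Walk the DACL once in canonical order.

    Allow ACEs for a trustee in the token accumulate granted rights; the walk
    stops with success as soon as every requested right has been granted.
    A deny ACE for a trustee in the token stops the walk with failure if it
    covers any right that is still outstanding. ACEs after the stopping
    point are never looked at, which is why an explicit allow can "beat"
    an inherited deny that sits later in the list.
    Returns (granted: bool, reason: str)."""
    remaining = requested
    for ace in canonical_order(dacl):
        if ace.trustee not in token_groups:
            continue
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True, f"all requested rights granted by {ace}"
        elif ace.mask & remaining:
            return False, f"denied by {ace}"
    return False, "no ACE granted all requested rights"


# Ahmed's folder as assumed here: the domain local group is allowed by an
# explicit ACE on the folder, the global group is denied by an ACE inherited
# from the parent (constructed assumption about where each ACE came from).
SHARE_DACL = [
    Ace("GG-Contractors", allow=False, mask=FULL_CONTROL, inherited=True),
    Ace("DL-ShareUsers", allow=True, mask=FULL_CONTROL, inherited=False),
]

# Same trustees, but both ACEs set explicitly on the folder itself.
SHARE_DACL_EXPLICIT_DENY = [
    Ace("GG-Contractors", allow=False, mask=FULL_CONTROL, inherited=False),
    Ace("DL-ShareUsers", allow=True, mask=FULL_CONTROL, inherited=False),
]


def member_can_read(dacl, token_groups):
    """Convenience wrapper: can a token with these groups read the folder?"""
    granted, _ = access_check(dacl, set(token_groups), READ)
    return granted


if __name__ == "__main__":
    nested = ["GG-Contractors", "DL-ShareUsers"]   # GG still nested in DL
    unnested = ["GG-Contractors"]                  # GG removed from DL
    for label, dacl in (("inherited deny", SHARE_DACL),
                        ("explicit deny", SHARE_DACL_EXPLICIT_DENY)):
        for groups in (nested, unnested):
            print(label, groups, access_check(dacl, set(groups), READ))
```

With the inherited deny the nested user is granted READ by the explicit allow before the deny is ever reached, and removing the global group from the domain local group takes that allow out of the token, so the walk ends at the inherited deny. With both ACEs explicit, the deny sorts first and the same nested user is refused. When auditing a case like Ahmed's, the question to ask is therefore not only "is there a deny?" but "is the deny explicit or inherited, and is there an explicit allow the token also matches?".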
