It is a little more involved than that, when you do an access check, last time I looked into it, it traverses the ACL until it has hit enough ACES to grant the access requested or to deny it, once that is achieved it stops. It doesn't stop on the first ACE that has that security principal granting *something*.
The ACEs are ordered in the ACL for enumeration such that the inheritence hierarchy is preserved as is the ordering of deny versus grant. If you had an explicit grant out of order and in front of an explicit deny for instance, access would still be granted even though if you looked at the ACL (especially in the GUI) it would show the deny. This special dorked up ordering is called non-canonical ordering and Exchange actually uses it on AD ACLs for hidden membership groups. But yes, the upshot of the whole thing is that a grant at a lower level in the hierarchy will override a deny. Such as an explicit grant or a grant one level above the object will override a deny more than one level up from the object. If you ever want to make absolute sure that something is absolutely denied, apply the deny directly to the object (explicit deny). Alternatively, don't use deny ACEs, use pass denies by not granting the access. Denies have been a source of confusion for access since the whole inherited ACL model came around. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB Sent: Thursday, January 12, 2006 8:38 PM To: [email protected] Subject: Re: [ActiveDir] File Permissions: Deny vs. Allow It seems to me that if this were true, you would get inconsistent access to a file or folder whenever you were member of two groups that had access where one group had ReadOnly and the other had Full Control. Yet, I have never seen that behavior.... The answer from the earlier provided link seems more accurate. -ASB FAST, CHEAP, SECURE: Pick Any TWO http://www.ultratech-llc.com/KB/ On 1/12/06, Mark Parris <[EMAIL PROTECTED]> wrote: > The reason this happens is that that when looking for access to a directory or file windows goes through its list of acls until it gets a response - yes let me in or no don't let me in. But as soon as it has a response it stops looking for further responses so if a yes (allow) is found yet further down the list of acls there is a no (deny) it is never read so it is not applied. > > This has been demonstrated in many of john craddocks ad sessions. > > Mark > > -----Original Message----- > From: Ahmed Al-Awah <[EMAIL PROTECTED]> > Date: Thu, 12 Jan 2006 14:40:34 > To:"'[email protected]'" <[email protected]> > Subject: [ActiveDir] File Permissions: Deny vs. Allow > > Hi all, > > I'm hoping someone can help explain a situation I came across recently. I have a global security group that has been denied access to a specific network drive (a folder on a server). However, certain members within the global security group are able to access the drive. > > After some research I found that the global group was a "member of" a domain local group with access to the drive in question. When the group was removed from the domain local group (but were still members of the global group) the said users were no longer able to access the drive. > > File permissions, as I understand them, are designed such that deny permissions will always override allow permissions but in this case it seems that this is not the case, hence my confusion. > > > P.S.: Just as an FYI, the global group and domain local group are located in different OUs but are part of the same domain. > > Any clarifications on why this is happening are appreciated. > > Thanks, > Ahmed > List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
