Thanks, Joe... Extremely useful info. :)
-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On 1/12/06, joe <[EMAIL PROTECTED]> wrote:
> It is a little more involved than that. When you do an access check, last
> time I looked into it, it traverses the ACL until it has hit enough ACEs to
> grant the access requested or to deny it; once that is achieved it stops. It
> doesn't stop on the first ACE that has that security principal granting
> *something*.
>
> The ACEs are ordered in the ACL for enumeration such that the inheritance
> hierarchy is preserved, as is the ordering of deny versus grant. If you had
> an explicit grant out of order and in front of an explicit deny, for
> instance, access would still be granted even though if you looked at the ACL
> (especially in the GUI) it would show the deny. This special dorked up
> ordering is called non-canonical ordering, and Exchange actually uses it on
> AD ACLs for hidden membership groups.
>
> But yes, the upshot of the whole thing is that a grant at a lower level in
> the hierarchy will override a deny. Such as an explicit grant or a grant one
> level above the object will override a deny more than one level up from the
> object.
>
> If you ever want to make absolutely sure that something is absolutely denied,
> apply the deny directly to the object (explicit deny). Alternatively, don't
> use deny ACEs; use pass denies by not granting the access. Denies have been
> a source of confusion for access since the whole inherited ACL model came
> around.
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of ASB
> Sent: Thursday, January 12, 2006 8:38 PM
> To: [email protected]
> Subject: Re: [ActiveDir] File Permissions: Deny vs. Allow
>
> It seems to me that if this were true, you would get inconsistent access to
> a file or folder whenever you were a member of two groups that had access,
> where one group had ReadOnly and the other had Full Control.
>
> Yet, I have never seen that behavior....
>
> The answer from the earlier provided link seems more accurate.
>
>
> -ASB
> FAST, CHEAP, SECURE: Pick Any TWO
> http://www.ultratech-llc.com/KB/
>
>
>
> On 1/12/06, Mark Parris <[EMAIL PROTECTED]> wrote:
> > The reason this happens is that when looking for access to a
> > directory or file Windows goes through its list of ACLs until it gets a
> > response - yes let me in or no don't let me in. But as soon as it has a
> > response it stops looking for further responses, so if a yes (allow) is found
> > yet further down the list of ACLs there is a no (deny), it is never read so
> > it is not applied.
> >
> > This has been demonstrated in many of John Craddock's AD sessions.
> >
> > Mark
> >
> > -----Original Message-----
> > From: Ahmed Al-Awah <[EMAIL PROTECTED]>
> > Date: Thu, 12 Jan 2006 14:40:34
> > To:"'[email protected]'" <[email protected]>
> > Subject: [ActiveDir] File Permissions: Deny vs. Allow
> >
> > Hi all,
> >
> > I'm hoping someone can help explain a situation I came across recently. I
> > have a global security group that has been denied access to a specific
> > network drive (a folder on a server). However, certain members within the
> > global security group are able to access the drive.
> >
> > After some research I found that the global group was a "member of" a
> > domain local group with access to the drive in question. When the group was
> > removed from the domain local group (but they were still members of the global
> > group) the said users were no longer able to access the drive.
> >
> > File permissions, as I understand them, are designed such that deny
> > permissions will always override allow permissions, but in this case it seems
> > that this is not the case, hence my confusion.
> >
> >
> > P.S.: Just as an FYI, the global group and domain local group are located
> > in different OUs but are part of the same domain.
> >
> > Any clarifications on why this is happening are appreciated.
> >
> > Thanks,
> > Ahmed

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
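The algorithm Joe describes (walk the DACL in stored order, accumulate granted bits, stop at the first deny that still covers an outstanding bit, and rely on canonical ordering to put explicit ACEs ahead of inherited ones) is easy to lose in prose. The following is an added simulation, not code from anyone on the thread and not the real Windows AccessCheck; the group names, the four-bit access mask and the placement of the deny on a parent folder are constructed assumptions chosen to reproduce Ahmed's symptom, ASB's two-group objection and Joe's non-canonical-ordering case.

```python
from dataclasses import dataclass
from enum import Enum

# Constructed four-bit access mask; real Windows masks are 32-bit with
# specific, standard and generic rights, but the evaluation logic is the same.
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
FULL = READ | WRITE | EXECUTE | DELETE


class AceType(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Ace:
    kind: AceType
    sid: str        # principal the ACE applies to (a group name stands in for a SID)
    mask: int       # rights this ACE grants or denies
    depth: int = 0  # 0 = explicit on the object, 1 = inherited from parent, 2 = grandparent, ...


def canonical_order(dacl):
    """Sort ACEs the way the Windows security editor writes them: explicit before
    inherited, nearer ancestor before farther, deny before allow at each level."""
    return sorted(dacl, key=lambda a: (a.depth, 0 if a.kind is AceType.DENY else 1))


def access_check(dacl, token_sids, desired):
    """Evaluate a DACL in its *stored* order (no re-sorting, as Joe describes).

    Allow ACEs for principals in the token accumulate granted bits. The walk
    stops as soon as every desired bit has been granted, or as soon as a
    matching deny ACE covers a bit that is still outstanding. Running off the
    end with bits outstanding is a denial."""
    remaining = desired
    for ace in dacl:
        if remaining == 0:
            return True
        if ace.sid not in token_sids:
            continue
        if ace.kind is AceType.DENY:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
    return remaining == 0


# Constructed token: the user is in the global group, which is nested in the
# domain local group, so both SIDs are present at access-check time.
TOKEN = {"S-user-ahmed", "GG-Contractors", "DL-DriveUsers"}


def deny_inherited_allow_explicit():
    """Ahmed's symptom under Joe's explanation (assumed layout): the deny for the
    global group is inherited from a parent folder, the allow for the domain
    local group is set on the folder itself. Canonical order puts the explicit
    allow first, so the request is satisfied before the deny is ever reached."""
    dacl = canonical_order([
        Ace(AceType.DENY, "GG-Contractors", FULL, depth=1),
        Ace(AceType.ALLOW, "DL-DriveUsers", READ | EXECUTE, depth=0),
    ])
    return access_check(dacl, TOKEN, READ | EXECUTE)


def deny_and_allow_same_level():
    """Joe's remedy: put the deny directly on the object. Both ACEs are now
    explicit, canonical order places the deny first, and it wins."""
    dacl = canonical_order([
        Ace(AceType.ALLOW, "DL-DriveUsers", READ | EXECUTE, depth=0),
        Ace(AceType.DENY, "GG-Contractors", FULL, depth=0),
    ])
    return access_check(dacl, TOKEN, READ)


def non_canonical_allow_before_deny():
    """A hand-ordered DACL with an explicit allow ahead of an explicit deny.
    Evaluated as stored, the allow satisfies the request before the deny is
    seen (granted); the same ACEs re-sorted into canonical order deny."""
    stored = [
        Ace(AceType.ALLOW, "DL-DriveUsers", READ, depth=0),
        Ace(AceType.DENY, "GG-Contractors", FULL, depth=0),
    ]
    return access_check(stored, TOKEN, READ), access_check(canonical_order(stored), TOKEN, READ)


def accumulation_across_groups():
    """ASB's two-group case: READ comes from one group, WRITE from another.
    The walk does not stop at the first ACE that grants *something*; it keeps
    going until every requested bit is granted, and fails only for a bit no
    ACE grants (DELETE here)."""
    dacl = canonical_order([
        Ace(AceType.ALLOW, "GG-Contractors", READ, depth=0),
        Ace(AceType.ALLOW, "DL-DriveUsers", WRITE, depth=0),
    ])
    return access_check(dacl, TOKEN, READ | WRITE), access_check(dacl, TOKEN, READ | WRITE | DELETE)
```

The simulation leaves out object-specific ACEs, restricted-token SIDs and the owner's implicit rights; it is only meant to make the ordering rules visible. On a real server, `icacls <folder>` prints the ACEs in stored order and flags inherited ones with (I), which is the quickest way to see whether a deny you are counting on sits above an explicit allow.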
