Thanks, Joe. I'm definitely not scared of spelunking through the MSDN site. However, the most difficult thing is often just finding the relevant info.

Joe Pochedley
A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 13, 2006 9:54 AM
To: [email protected]
Subject: RE: [ActiveDir] File Permissions: Deny vs. Allow

A good start would be MSDN. It is anathema to many admins but often the absolute best source of some info if you can read it, and personally I think admins should be able to read dev docs. I can't explain how many times I found something digging through MSDN that helped me in the admin world. Something that I didn't know existed I find that exists, so I go looking for the tool to do it, which may be some obscure function in an MS tool or more often something I have to build or find elsewhere. It lets you know what is possible based on the actual capabilities versus what is exposed in the tools.

Anyway, I would start here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/order_of_aces_in_a_dacl.asp

There is some more in a more English way here:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid3.mspx

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Friday, January 13, 2006 8:13 AM
To: [email protected]
Subject: RE: [ActiveDir] File Permissions: Deny vs. Allow

Joe always provides very useful information... (Yes, I'm kissing up so I can get the next question answered.)

Now, for the $64K question: Where can we find a good explanation of how ACEs are ordered in the ACLs to get a solid understanding of under what conditions this can happen?

Joe Pochedley
A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Friday, January 13, 2006 5:54 AM
To: [email protected]
Subject: Re: [ActiveDir] File Permissions: Deny vs. Allow

Thanks, Joe... Extremely useful info. :)

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On 1/12/06, joe <[EMAIL PROTECTED]> wrote:
> It is a little more involved than that. When you do an access check, last time I looked into it, it traverses the ACL until it has hit enough ACEs to grant the access requested or to deny it; once that is achieved it stops. It doesn't stop on the first ACE that has that security principal granting *something*.
>
> The ACEs are ordered in the ACL for enumeration such that the inheritance hierarchy is preserved, as is the ordering of deny versus grant. If you had an explicit grant out of order and in front of an explicit deny, for instance, access would still be granted even though if you looked at the ACL (especially in the GUI) it would show the deny. This special dorked up ordering is called non-canonical ordering, and Exchange actually uses it on AD ACLs for hidden membership groups.
>
> But yes, the upshot of the whole thing is that a grant at a lower level in the hierarchy will override a deny. Such as an explicit grant or a grant one level above the object will override a deny more than one level up from the object.
>
> If you ever want to make absolute sure that something is absolutely denied, apply the deny directly to the object (explicit deny). Alternatively, don't use deny ACEs; use pass denies by not granting the access. Denies have been a source of confusion for access since the whole inherited ACL model came around.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB
> Sent: Thursday, January 12, 2006 8:38 PM
> To: [email protected]
> Subject: Re: [ActiveDir] File Permissions: Deny vs. Allow
>
> It seems to me that if this were true, you would get inconsistent access to a file or folder whenever you were a member of two groups that had access where one group had ReadOnly and the other had Full Control.
>
> Yet, I have never seen that behavior....
>
> The answer from the earlier provided link seems more accurate.
>
> -ASB
> FAST, CHEAP, SECURE: Pick Any TWO
> http://www.ultratech-llc.com/KB/
>
> On 1/12/06, Mark Parris <[EMAIL PROTECTED]> wrote:
> > The reason this happens is that when looking for access to a directory or file Windows goes through its list of ACLs until it gets a response - yes let me in or no don't let me in. But as soon as it has a response it stops looking for further responses, so if a yes (allow) is found yet further down the list of ACLs there is a no (deny), it is never read so it is not applied.
> >
> > This has been demonstrated in many of John Craddock's AD sessions.
> >
> > Mark
> >
> > -----Original Message-----
> > From: Ahmed Al-Awah <[EMAIL PROTECTED]>
> > Date: Thu, 12 Jan 2006 14:40:34
> > To:"'[email protected]'" <[email protected]>
> > Subject: [ActiveDir] File Permissions: Deny vs. Allow
> >
> > Hi all,
> >
> > I'm hoping someone can help explain a situation I came across recently. I have a global security group that has been denied access to a specific network drive (a folder on a server). However, certain members within the global security group are able to access the drive.
> >
> > After some research I found that the global group was a "member of" a domain local group with access to the drive in question. When the group was removed from the domain local group (but were still members of the global group) the said users were no longer able to access the drive.
> >
> > File permissions, as I understand them, are designed such that deny permissions will always override allow permissions, but in this case it seems that this is not the case, hence my confusion.
> >
> > P.S.: Just as an FYI, the global group and domain local group are located in different OUs but are part of the same domain.
> >
> > Any clarifications on why this is happening are appreciated.
> >
> > Thanks,
> > Ahmed

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
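The traversal joe describes (walk the ACEs in order and stop as soon as every requested right is granted or an outstanding one is denied), together with the effect of canonical versus non-canonical ordering, as an added Python model that is not part of the original thread. The group names, the SID string and the access-mask bits are constructed for the illustration, and the model leaves out the parts of the real Windows check that the thread does not discuss (owner rights, generic-right mapping, the SACL).

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2          # constructed access-mask bits
FULL = READ | WRITE

@dataclass(frozen=True)
class Ace:
    kind: str       # "deny" or "allow"
    trustee: str    # principal (SID or group) the ACE applies to
    mask: int       # rights this ACE denies or allows
    depth: int = 0  # 0 = explicit on the object, 1 = inherited from parent, 2 = grandparent...

def canonical(aces):
    """Canonical DACL order: explicit ACEs before inherited ones, ACEs inherited from a
    nearer ancestor before a farther one, and deny before allow within each level."""
    return sorted(aces, key=lambda a: (a.depth, 0 if a.kind == "deny" else 1))

def access_check(dacl, token_sids, desired):
    """True if every right in `desired` is granted to a token holding `token_sids`.
    ACEs are evaluated strictly in list order and the walk stops as soon as the
    outcome is decided, so anything further down the DACL is never consulted."""
    remaining = desired
    for ace in dacl:
        if ace.trustee not in token_sids:
            continue                    # ACE is for someone else
        if ace.kind == "deny" and ace.mask & remaining:
            return False                # an outstanding right is denied: stop
        if ace.kind == "allow":
            remaining &= ~ace.mask      # strike off the rights granted so far
            if remaining == 0:
                return True             # everything requested is granted: stop
    return False                        # DACL exhausted with rights still outstanding

# Constructed token: the user is in GlobalGroup, which is nested in DomainLocalGroup.
TOKEN = {"S-1-5-21-example-user", "GlobalGroup", "DomainLocalGroup"}

def explicit_deny_wins():
    dacl = canonical([Ace("allow", "DomainLocalGroup", FULL), Ace("deny", "GlobalGroup", FULL)])
    return access_check(dacl, TOKEN, READ)    # explicit deny sorts first: False

def nearer_allow_beats_farther_deny():
    dacl = canonical([Ace("deny", "GlobalGroup", FULL, depth=2),         # from grandparent
                      Ace("allow", "DomainLocalGroup", FULL, depth=1)])  # from parent
    return access_check(dacl, TOKEN, READ)    # parent's allow is reached first: True

def non_canonical_allow_first():
    # explicit allow placed ahead of the explicit deny, the non-canonical order joe mentions
    dacl = [Ace("allow", "DomainLocalGroup", FULL), Ace("deny", "GlobalGroup", FULL)]
    return access_check(dacl, TOKEN, READ)    # the deny is never reached: True
```

The second scenario is Ahmed's situation as joe explains it: the deny sits higher in the hierarchy than the allow the domain local group contributes, so the allow is consulted first and the deny never is.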
