Sorry, must've missed that.   Must've been in another response that I
didn't see.  If you search through the message I replied to, that quote
is nowhere to be found (other than what you put in).

The problem with email lists is that often responses to threads get
fragmented and sometimes it's easy to miss a valuable piece of info if
you miss reading a response...   The difficulties we have to learn to
live with.  

:)

Peace.

Joe Pochedley
A computer terminal is not some clunky old television
with a typewriter in front of it. It is an interface 
where the mind and body can connect with the universe
and move bits of it about. -Douglas Adams 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, January 13, 2006 9:59 AM
To: [email protected]
Subject: RE: [ActiveDir] File Permissions: Deny vs. Allow

Did the response from Marcus Oh not suffice?

"The security reference monitor evaluates the list of entries in this
order: noninherited deny, noninherited allow, inherited deny, and
inherited allow.

That means the noninherited allow will override the inherited deny."

neil


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: 13 January 2006 13:13
To: [email protected]
Subject: RE: [ActiveDir] File Permissions: Deny vs. Allow

Joe always provides very useful information... (Yes, I'm kissing up so I
can get the next question answered.)

Now, for the $64K question:

Where can we find a good explanation of how ACEs are ordered in the
ACLs to get a solid understanding of under what conditions this can
happen?


Joe Pochedley
A computer terminal is not some clunky old television with a typewriter
in front of it. It is an interface where the mind and body can connect
with the universe and move bits of it about. -Douglas Adams 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Friday, January 13, 2006 5:54 AM
To: [email protected]
Subject: Re: [ActiveDir] File Permissions: Deny vs. Allow

Thanks, Joe...

Extremely useful info.  :)

-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On 1/12/06, joe <[EMAIL PROTECTED]> wrote:
> It is a little more involved than that, when you do an access check, 
> last time I looked into it, it traverses the ACL until it has hit 
> enough ACEs to grant the access requested or to deny it, once that is 
> achieved it stops. It doesn't stop on the first ACE that has that 
> security principal granting *something*.
>
> The ACEs are ordered in the ACL for enumeration such that the 
> inheritance hierarchy is preserved as is the ordering of deny versus 
> grant. If you had an explicit grant out of order and in front of an 
> explicit deny for instance, access would still be granted even though 
> if you looked at the ACL (especially in the GUI) it would show the 
> deny. This special dorked up ordering is called non-canonical ordering
> and Exchange actually uses it on AD ACLs for hidden membership groups.
>
> But yes, the upshot of the whole thing is that a grant at a lower 
> level in the hierarchy will override a deny. Such as an explicit grant
> or a grant one level above the object will override a deny more than 
> one level up from the object.
>
> If you ever want to make absolute sure that something is absolutely 
> denied, apply the deny directly to the object (explicit deny).
> Alternatively, don't use deny ACEs, use pass denies by not granting 
> the access. Denies have been a source of confusion for access since 
> the whole inherited ACL model came around.
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of ASB
> Sent: Thursday, January 12, 2006 8:38 PM
> To: [email protected]
> Subject: Re: [ActiveDir] File Permissions: Deny vs. Allow
>
> It seems to me that if this were true, you would get inconsistent 
> access to a file or folder whenever you were a member of two groups that
> had access where one group had ReadOnly and the other had Full
> Control.
>
> Yet, I have never seen that behavior....
>
> The answer from the earlier provided link seems more accurate.
>
>
> -ASB
>  FAST, CHEAP, SECURE: Pick Any TWO
>  http://www.ultratech-llc.com/KB/
>
>
>
> On 1/12/06, Mark Parris <[EMAIL PROTECTED]> wrote:
> > The reason this happens is that when looking for access to a
> > directory or file Windows goes through its list of ACLs until it gets
> > a response - yes let me in or no don't let me in. But as soon as it
> > has a response it stops looking for further responses so if a yes
> > (allow) is found yet further down the list of ACLs there is a no
> > (deny) it is never read so it is not applied.
> >
> > This has been demonstrated in many of John Craddock's AD sessions.
> >
> > Mark
> >
> > -----Original Message-----
> > From: Ahmed Al-Awah <[EMAIL PROTECTED]>
> > Date: Thu, 12 Jan 2006 14:40:34
> > To:"'[email protected]'" <[email protected]>
> > Subject: [ActiveDir] File Permissions: Deny vs. Allow
> >
> > Hi all,
> >
> > I'm hoping someone can help explain a situation I came across
> > recently. I have a global security group that has been denied access
> > to a specific network drive (a folder on a server). However, certain
> > members within the global security group are able to access the drive.
> >
> > After some research I found that the global group was a "member of"
> > a domain local group with access to the drive in question. When the
> > group was removed from the domain local group (but were still members
> > of the global group) the said users were no longer able to access the
> > drive.
> >
> > File permissions, as I understand them, are designed such that deny
> > permissions will always override allow permissions but in this case it
> > seems that this is not the case, hence my confusion.
> >
> >
> > P.S.: Just as an FYI, the global group and domain local group are
> > located in different OUs but are part of the same domain.
> >
> > Any clarifications on why this is happening are appreciated.
> >
> > Thanks,
> > Ahmed
> >
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


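The evaluation rules the thread describes (canonical ACE order of noninherited deny, noninherited allow, inherited deny, inherited allow; the reference monitor walking the list in place and stopping as soon as every requested right is granted or a matching deny hits a right still outstanding), as an added toy model. This is example code, not anything from the list or from Windows itself; the group names GG-Contractors, DL-ProjectShare-RW and Domain Users, the user alice and the two-bit access mask are made up for illustration. It reproduces Ahmed's case (inherited deny on the global group beaten by an explicit allow on the nesting domain local group), joe's non-canonical case (explicit allow stored ahead of an explicit deny), and joe's advice that an explicit deny on the object itself always wins:

```python
"""Toy model of the Windows DACL access check discussed in the thread.

Added example; group names, user and access-mask bits are constructed.
"""
from dataclasses import dataclass

# Toy access-mask bits (real FILE_* masks are wider; the algorithm is the same).
READ = 0x1
WRITE = 0x2
FULL = READ | WRITE


@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    trustee: str     # group or user name standing in for a SID
    mask: int        # rights this ACE allows or denies
    inherited: bool  # True if propagated from a parent container


def canonical_order(aces):
    """Canonical DACL order: noninherited deny, noninherited allow,
    inherited deny, inherited allow.  sorted() is stable, so ACEs that land
    in the same bucket keep their relative order."""
    return sorted(aces, key=lambda a: (a.inherited, a.kind == "allow"))


def access_check(dacl, token_sids, desired):
    """Walk the DACL in the order given (deliberately NOT re-sorted, so a
    non-canonical ACL is evaluated exactly as stored)."""
    remaining = desired
    for ace in dacl:
        if ace.trustee not in token_sids:
            continue  # ACE is for some other trustee; skip it
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False  # denies a right not yet granted: stop, denied
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True  # everything requested is granted: stop, allowed
    return remaining == 0  # ran out of ACEs; denied if anything is outstanding


# Constructed DACL for the shared folder in Ahmed's scenario.  The deny on
# the global group was set higher in the tree and is inherited; the allow on
# the domain local group was set directly on the folder.
FOLDER_DACL = canonical_order([
    Ace("deny", "GG-Contractors", FULL, inherited=True),
    Ace("allow", "DL-ProjectShare-RW", FULL, inherited=False),
    Ace("allow", "Domain Users", READ, inherited=True),
])


def check_user(in_domain_local_group, desired=READ):
    """alice is in GG-Contractors.  A token holds every group the user is
    transitively a member of, so nesting GG inside DL adds the DL SID too."""
    token = {"alice", "Domain Users", "GG-Contractors"}
    if in_domain_local_group:
        token.add("DL-ProjectShare-RW")
    return access_check(FOLDER_DACL, token, desired)


def explicit_allow_vs_deny(canonical, desired=WRITE):
    """joe's out-of-order case: an explicit allow stored ahead of an explicit
    deny for the same trustee.  Evaluated as stored, the allow wins; in
    canonical order the deny is evaluated first."""
    dacl = [
        Ace("allow", "GG-Contractors", FULL, inherited=False),
        Ace("deny", "GG-Contractors", WRITE, inherited=False),
    ]
    if canonical:
        dacl = canonical_order(dacl)
    return access_check(dacl, {"alice", "GG-Contractors"}, desired)


def explicit_deny_wins(desired=READ):
    """joe's advice: a deny applied directly to the object beats any allow,
    explicit or inherited, because noninherited denies sort first."""
    dacl = canonical_order([
        Ace("allow", "DL-ProjectShare-RW", FULL, inherited=False),
        Ace("deny", "GG-Contractors", FULL, inherited=False),
    ])
    token = {"alice", "GG-Contractors", "DL-ProjectShare-RW"}
    return access_check(dacl, token, desired)


if __name__ == "__main__":
    print("GG nested in DL, read:", check_user(True))              # True
    print("GG removed from DL, read:", check_user(False))          # False
    print("non-canonical, write:", explicit_allow_vs_deny(False))  # True
    print("canonical, write:", explicit_allow_vs_deny(True))       # False
    print("explicit deny on object, read:", explicit_deny_wins())  # False
```

The one design point worth noticing is that `access_check` never sorts: the sort is the job of whoever writes the ACL (the GUI and most APIs do it for you), and the evaluator trusts whatever order it finds. That is exactly why the non-canonical case grants access while the GUI still shows the deny, and why, if a deny has to hold, putting it directly on the object is the only order-proof option.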