Deny rights always override Allow rights in Windows ACLs. If a user is a member of the Administrator group *AND* the Users group, the deny you applied on the 2nd win_acl task will cause an access is denied message. I'm pretty sure by default an Admin account is a member of both and that's probably what is tripping you up.
As a side note, it's better not to apply FullControl as a right but use the granular entries to give the user only what they need. That's probably something you can look into once this is all working and you have a better understanding of the whole ACL side.

Thanks

Jordan
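
An added illustration, not part of the reply above or of Ansible's code: a simplified Python model of how Windows checks explicit ACEs against a token's group memberships, showing why an account in both groups is denied. The group names, ACLs and the `access_check` helper are constructed for the example; inherited ACEs and ownership are not modelled.

```python
# Simplified model of the Windows access check for explicit ACEs (added example).
# Rights masks match the .NET FileSystemRights values; tokens and ACLs are constructed.
READ, WRITE, MODIFY, FULL_CONTROL = 0x20089, 0x116, 0x301BF, 0x1F01FF

def access_check(token_groups, acl, desired):
    """Return True if every bit in `desired` is granted to the token.

    acl is a list of (ace_type, trustee, mask) tuples. ACEs are evaluated in
    canonical order: all explicit Deny entries before any Allow entry.
    """
    remaining = desired
    ordered = sorted(acl, key=lambda ace: ace[0] != "deny")  # deny first, stable
    for ace_type, trustee, mask in ordered:
        if trustee not in token_groups:
            continue  # ACE does not apply to this token
        if ace_type == "deny":
            if mask & remaining:
                return False  # a requested right is explicitly denied
        else:
            remaining &= ~mask  # rights granted by this Allow ACE
        if remaining == 0:
            return True
    return False  # some requested right was never granted

# Constructed tokens: an admin account that is also a member of Users.
admin_token = {"BUILTIN\\Administrators", "BUILTIN\\Users"}
user_token = {"BUILTIN\\Users"}

# The situation described above: Allow for Administrators, Deny for Users.
broad_acl = [
    ("allow", "BUILTIN\\Administrators", FULL_CONTROL),
    ("deny", "BUILTIN\\Users", FULL_CONTROL),
]

# Granular alternative: deny only Write to Users, allow them Read.
granular_acl = [
    ("allow", "BUILTIN\\Administrators", FULL_CONTROL),
    ("allow", "BUILTIN\\Users", READ),
    ("deny", "BUILTIN\\Users", WRITE),
]

if __name__ == "__main__":
    for name, acl in (("broad", broad_acl), ("granular", granular_acl)):
        for who, tok in (("admin", admin_token), ("user", user_token)):
            print(name, who, "read:", access_check(tok, acl, READ),
                  "write:", access_check(tok, acl, WRITE))
```

With the granular ACL the admin account can read again, but the Write deny on Users still applies to it because its token carries both groups.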