Confusing Sybex question on permissions

OK, the Sybex assessment test asks the following question:

Susan is a member of the Sales and Managers groups.
The Managers group has been allowed Full Control of D:\Data.
The Sales group has Read & Execute, but is denied Full Control.
What are Susan's effective rights?

The answer given is Read & Execute.


Why? I thought if you were denied Full Control then
you would be denied all permissions to the folder.

Comments

  • eurotrash Member Posts: 817
    the deny permission always takes precedence.
    but an explicit permission always overrides an implicit permission.

    in the case above, the sales group has (as far as i can tell) been denied full control implicitly (inherited), but allowed the 'read & execute' permission explicitly.

    thus the explicit allow overrides the implicit deny.
    witty comment
  • w^rl0rd Member Posts: 329
    That answer has to be wrong.
    I just created a folder and assigned a user Read & Execute, and when I set it to deny Full Control, all permissions were denied.

    I know MS is notorious for having a "comments and corrections" page, but Sybex?
  • eurotrash Member Posts: 817
    did you even read my explanation?
    witty comment
  • w^rl0rd Member Posts: 329
    _omni_ wrote:
    did you even read my explanation?

    No, I didn't see it posted. Anyway, I can't tell based off of the question, but when I created a user and assigned the user to 2 separate groups:
    GroupA with Read and GroupB with Full Control, I received a msg from Windows stating that the group w/ Deny will override the other group's permissions.

    How does this implicit vs. explicit work?
    I mean, if a group is implicitly denied permissions, I won't be able to click on other permissions will I? Unless I set the folder to not inherit.
  • eurotrash Member Posts: 817
    if the user has inherited deny permissions, they will be greyed out (so you can't change them without stopping inheritance) but the 'allow' column can still be configured.

    this is what i did to test it out:

    1. created userA.
    2. added userA to groupA and groupB.
    3. created folderA and subfolderA (subfolderA is within folderA).
    4. added groupA and groupB to folderA's ACL (and removed all others, except me (so i can work on it)).
    5. set groupA to Allow Full Control, groupB to Deny Full Control.
    6. now i read the ACL entries on subfolderA, which had inherited the permissions from folderA: groupA has implicit Allow Full Control, groupB has implicit Deny Full Control.
    7. since userA is a member of each group, i want to see what his effective permissions are. so from the security tab i click Advanced > Effective Permissions > Select > userA.
    8. result: userA has no effective permissions for subfolderA.
    9. now i go back to the security tab on subfolderA, and give groupB explicit 'allow read & execute' permissions. the implicit Denies are all still there.
    10. i apply it, and go to the Effective permissions tab once again, choose userA.
    11. userA has (written in special permissions) the Read & Execute permission.


    the thing is, you cannot set a Deny Full and Allow *whatever* at the same time.
    so one of them must be inherited.

    deny overrides allow, but explicit overrides implicit, whether deny or allow.
    witty comment
  • w^rl0rd Member Posts: 329
    Excellent explanation! That makes sense, I think we can agree that the question is worded very poorly. It mentions nothing about implicitly denied permissions. Hopefully, I won't encounter such a question on the exam. Thanks.
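The precedence rule the thread arrives at, as an added example that is not part of any post: a simplified Python model of how an NTFS ACL is evaluated in canonical order (explicit deny, explicit allow, inherited deny, inherited allow). The `Ace` class and function names are illustrative, group names stand in for SIDs, only one level of inheritance is modelled, and the three ACLs are constructed from the test steps listed above and from the same-folder test described earlier in the thread.

```python
from dataclasses import dataclass

# Standard Windows file access masks.
FULL_CONTROL = 0x1F01FF   # FILE_ALL_ACCESS
READ_EXECUTE = 0x1200A9   # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE


@dataclass(frozen=True)
class Ace:
    trustee: str      # user or group name (stands in for a SID)
    allow: bool       # True = Allow ACE, False = Deny ACE
    mask: int         # access bits the ACE covers
    inherited: bool   # True = came from the parent folder


def canonical_order(acl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))


def effective_rights(acl, memberships):
    """Walk ACEs in canonical order; the first ACE to mention a bit decides it."""
    granted = denied = 0
    for ace in canonical_order(acl):
        if ace.trustee not in memberships:
            continue
        if ace.allow:
            granted |= ace.mask & ~denied    # an earlier deny wins
        else:
            denied |= ace.mask & ~granted    # an earlier allow wins
    return granted


USER_A = {"userA", "groupA", "groupB"}

# Constructed from steps 5-6: subfolderA holds only inherited ACEs.
INHERITED_ONLY = [
    Ace("groupA", True, FULL_CONTROL, inherited=True),
    Ace("groupB", False, FULL_CONTROL, inherited=True),
]
# Constructed from step 9: explicit Allow Read & Execute added on subfolderA.
WITH_EXPLICIT_ALLOW = INHERITED_ONLY + [
    Ace("groupB", True, READ_EXECUTE, inherited=False),
]
# Constructed from the same-folder test: both ACEs explicit on one folder.
SAME_FOLDER = [
    Ace("userA", True, READ_EXECUTE, inherited=False),
    Ace("userA", False, FULL_CONTROL, inherited=False),
]
```

With these inputs `effective_rights` returns nothing for the inherited-only and same-folder ACLs and Read & Execute once the explicit allow is added, matching both posters' observations.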