Categories
Welcome Center
Education & Development
Cyber Security
Virtualization
General
Certification Preparation
Project Management
Posts
Groups
Training Resources
Infosec
IT & Security Bootcamps
Practice Exams
Security Awareness Training
About Us
Home
Certification Preparation
Microsoft
Windows XP Professional
Question about NTFS Deny
Rulkiewicz
I understand if Adam belongs to Sales group, which has Modify access to a file, and if we assign "Deny all" to Adam he will be denied.
But what if we switch it, and he group is denied, but he as an individual is granted Modify, does he still have "Deny"?
Find more posts tagged with
Comments
Mishra
Deny rule ALWAYS surpasses any kind of modify unless the deny rule is inherited and the allow rule is not inherited.
Rulkiewicz
Could you elaborate on inheritance?
royal
Lets say
\ is your root. You create a folder under d:\ called Files. So now you have
\Files. Your Files directory will inherit all permissions that the
\ drive contained. You will see it is inherited because those permissions are greyed out. Now lets say you Denied all permissions on
\ from Marketing. That means that
\Files also has Deny to Marketing group on
\Files due to it inhering permissions from
\. You have 1 specific user named John Doe who is in the marketing group and you want to have access to
\Files. You specifically add his name and give him Allow permissions. Deny will override all permissions EXCEPT for an explicit allow. That means, since the denies were inherited from C:\ but you explicitly gave John Doe Allow, that Allow wins.
Hope that helps.
Rulkiewicz
Ah. I think I got it.
If John is in the Marketing group, and the Marketing group is "Deny All", but I add John to Allow Full Control, John will have Full Control.
Right?
royal
Yep, and that's only because the Marketing group's deny was inherited while John's allow was explicit.
Explicit Allow > Inherited Deny > Inherited Allow
Quick Links
All Categories
Recent Posts
Activity
Unanswered
Groups
Best Of
