Question about NTFS Deny
Rulkiewicz
Member Posts: 29 ■□□□□□□□□□
I understand if Adam belongs to Sales group, which has Modify access to a file, and if we assign "Deny all" to Adam he will be denied.
But what if we switch it, and he group is denied, but he as an individual is granted Modify, does he still have "Deny"?
But what if we switch it, and he group is denied, but he as an individual is granted Modify, does he still have "Deny"?
Comments
-
Mishra Member Posts: 2,468 ■■■■□□□□□□Deny rule ALWAYS surpasses any kind of modify unless the deny rule is inherited and the allow rule is not inherited.
-
royal Member Posts: 3,352 ■■■■□□□□□□Lets say \ is your root. You create a folder under d:\ called Files. So now you have \Files. Your Files directory will inherit all permissions that the \ drive contained. You will see it is inherited because those permissions are greyed out. Now lets say you Denied all permissions on \ from Marketing. That means that \Files also has Deny to Marketing group on \Files due to it inhering permissions from \. You have 1 specific user named John Doe who is in the marketing group and you want to have access to \Files. You specifically add his name and give him Allow permissions. Deny will override all permissions EXCEPT for an explicit allow. That means, since the denies were inherited from C:\ but you explicitly gave John Doe Allow, that Allow wins.
Hope that helps.“For success, attitude is equally as important as ability.” - Harry F. Banks -
Rulkiewicz Member Posts: 29 ■□□□□□□□□□Ah. I think I got it.
If John is in the Marketing group, and the Marketing group is "Deny All", but I add John to Allow Full Control, John will have Full Control.
Right? -
royal Member Posts: 3,352 ■■■■□□□□□□Yep, and that's only because the Marketing group's deny was inherited while John's allow was explicit.
Explicit Allow > Inherited Deny > Inherited Allow“For success, attitude is equally as important as ability.” - Harry F. Banks