Explicitly deny permissions

 
 
James

 
      10-27-2009

Hi,

In one PPT MOC slide about Server 2008 I found:
- Explicitly deny permissions override allow permissions ----- Clear, OK

- Explicitly allow permissions override explicit deny permissions ---- what
does it mean? If I have set up Deny for the Helpdesk group and Allow for one user
who belongs to the Helpdesk group, what will be the result? I tried it - access
denied, Deny is always stronger than Allow.

Can someone please explain this example and the second part to me?


 
 
 
 
 
Ace Fekay [MCT]

 
      10-27-2009

"James" <> wrote in message
news:...
> Hi,
>
> In one PPT MOC slide about Server 2008 I found:
> - Explicitly deny permissions override allow permissions ----- Clear, OK
>
> - Explicitly allow permissions override explicit deny permissions ----
> what does it mean? If I have set up Deny for the Helpdesk group and Allow for one
> user who belongs to the Helpdesk group, what will be the result? I tried it - access
> denied, Deny is always stronger than Allow.
>
> Can someone please explain this example and the second part to me?
>




Whenever quoting a passage, it is best to cite the source, so all are aware of where
it came from and can actually read it in context.

However, I believe you mean the following.

===
MOC 6419A Configuring, Managing and Maintaining Windows Server® 2008 Servers
Volume1
Page 4-34

Key Points
Windows Server 2008 provides a tool (Effective Permissions tool) that shows
effective permissions, which are cumulative permissions based on group
membership.

The following principles determine effective permissions:

• Cumulative permissions are the combination of the highest NTFS
permissions granted to the user and all the groups of which the user is a
member. For example, if a user is a member of a group that has Read
permission and a member of a group that has Modify permission, the user has
Modify permission.

• Explicit Deny permissions override equivalent Allow permissions.
However, an explicit Allow permission can override an inherited deny
permission. For example, if a user is denied write access to a folder
explicitly but explicitly allowed write access to a subfolder or a
particular file, the explicit Allow would override the inherited Deny.
===

This means that if a parent folder has an explicit deny, and its child
folder has inherited permissions set (default), then the child folder will
have an implied deny. It is not explicit because you didn't specifically
(explicitly) deny it in the child, but rather in the parent, which inherited
downhill.

If you explicitly allow a security principal (user, group, computer) a
permission in that child folder, the explicitly added Allow permission you
added for that security object will override the Inherited Implied Deny.

I hope that helps.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.


 
 
James

 
      10-27-2009
> • Explicit Deny permissions override equivalent Allow permissions.
> However, an explicit Allow permission can override an inherited deny
> permission. For example, if a user is denied write access to a folder
> explicitly but explicitly allowed write access to a subfolder or a
> particular file, the explicit Allow would override the inherited Deny.


OK, I tried that and it works as you said.

> This means that if a parent folder has an explicit deny, and its child
> folder has inherited permissions set (default), then the child folder will
> have an implied deny. It is not explicit because you didn't specifically
> (explicitly) deny it in the child, but rather in the parent, which
> inherited downhill.
>
> If you explicitly allow a security principal (user, group, computer) a
> permission in that child folder, the explicitly added Allow permission you
> added for that security object will override the Inherited Implied Deny.
>


Is it possible to set this up at the same folder level? I assume your
explanation is about folders and subfolders, so I'm interested in setting up this
scenario on the same folder - add group deny and user allow. I think that
wouldn't work (deny is strongest).


 
 
Ace Fekay [MCT]

 
      10-28-2009
"James" <> wrote in message
news:...
>> • Explicit Deny permissions override equivalent Allow permissions.
>> However, an explicit Allow permission can override an inherited deny
>> permission. For example, if a user is denied write access to a folder
>> explicitly but explicitly allowed write access to a subfolder or a
>> particular file, the explicit Allow would override the inherited Deny.

>
> OK, I tried that and it works as you said.
>
>> This means that if a parent folder has an explicit deny, and its child
>> folder has inherited permissions set (default), then the child folder
>> will have an implied deny. It is not explicit because you didn't
>> specifically (explicitly) deny it in the child, but rather in the parent,
>> which inherited downhill.
>>
>> If you explicitly allow a security principal (user, group, computer) a
>> permission in that child folder, the explicitly added Allow permission
>> you added for that security object will override the Inherited Implied
>> Deny.
>>

>
> Is it possible to set this up at the same folder level? I assume your
> explanation is about folders and subfolders, so I'm interested in setting up this
> scenario on the same folder - add group deny and user allow. I think that
> wouldn't work (deny is strongest).
>



No, that won't work. This rule only works with an inherited (implied) Deny,
not an explicit Deny.

Ace
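
The precedence discussed in this thread, as an added example that is not part of the original posts: a simplified Python model of how a DACL is evaluated once its entries are in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow). The names `james` and `Helpdesk`, the two-bit access mask and the single level of inheritance are assumptions of the model, not values from a real system.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # simplified access-mask bits (constructed for this model)

@dataclass(frozen=True)
class Ace:
    kind: str                # "allow" or "deny"
    trustee: str             # user or group the entry applies to
    mask: int                # rights the entry allows or denies
    inherited: bool = False  # True when the entry came from the parent

def canonical(dacl):
    """Canonical order for one level of inheritance:
    explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def inherit(parent_dacl):
    """Entries a child receives from its parent are flagged as inherited."""
    return [Ace(a.kind, a.trustee, a.mask, True) for a in parent_dacl]

def access_check(dacl, token, desired):
    """Walk the entries in order. A matching deny on a requested bit that is
    not yet granted ends the check; allows accumulate until all bits are granted.
    Reaching the end without a full grant is an implicit deny."""
    granted = 0
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny":
            if ace.mask & desired & ~granted:
                return False
        else:
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return False

# Constructed scenario: user "james" is a member of group "Helpdesk".
TOKEN = {"james", "Helpdesk"}
PARENT = [Ace("deny", "Helpdesk", WRITE)]                 # explicit deny on the folder
SAME_LEVEL = PARENT + [Ace("allow", "james", WRITE)]      # allow added on the same folder
CHILD = inherit(PARENT) + [Ace("allow", "james", WRITE)]  # allow added on a subfolder

if __name__ == "__main__":
    cases = [("same folder", SAME_LEVEL), ("subfolder", CHILD),
             ("subfolder, no explicit allow", inherit(PARENT))]
    for name, dacl in cases:
        print(name, "->", "granted" if access_check(dacl, TOKEN, WRITE) else "denied")
```

The order of evaluation, not a special "Deny always wins" rule, produces both results: on the same folder the explicit Deny is reached first, while on the subfolder the explicit Allow is reached before the inherited Deny.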


 
 
James

 
      10-28-2009

> No, that won't work. This rule only works with an inherited (implied)
> Deny, not an explicit Deny.
>


Ok, thnx.
EOD


 
 
Ace Fekay [MCT]

 
      10-28-2009
"James" <> wrote in message
news:...
>> No, that won't work. This rule only works with an inherited (implied)
>> Deny, not an explicit Deny.
>>

>
> Ok, thnx.
> EOD
>



You are welcome.

Assuming you are going after your certifications, good luck! Post back if
you have any other questions.

Ace


 