

Effective Permissions

Posted on 2006-11-10
Medium Priority
Last Modified: 2012-05-05

I've got a few questions that are fairly simple for you guys (I hope).

If a user belongs to a few groups. For example, in Sales he has Read, in HR he has Read, and in Engineers he has Write. Therefore, his effective permission is Write.

1) So when it says his effective permission is Write, does that mean he has the ability to Write even though he is in the Sales and HR groups, correct??

2) If a user who is a member of 2 groups (Engineers, who have the NTFS permission Modify, and Sales, who have a permission of Write) has been Denied Read to a certain folder (not the whole group, just him), then is his effective permission still Write?

3) If someone has been Denied Read to one resource, would this affect their ability to Read other resources? i.e. If someone is Denied Read to Folder A, will they be unable to read something in Folder B?

I'm sorry if these questions are obvious, but I'm going back to my Microsoft courses after putting them off for ages, and there are a few things I've forgotten, so I just need to clear a few things up.

Thanks in advance
Question by: LFC1980

Assisted Solution

inbarasan earned 200 total points
ID: 17913076
Dear LFC1980,
My answers are below

1) Yes, she has the ability to write.
2) Deny will take effect even if the user has Full Control. Deny will supersede all the rights.
3) Depends on the permissions on the resource. If the other resource has Read or Write, that will take effect. It doesn't matter if a user is denied somewhere else. The effective permission on the folder will take effect.


Author Comment

ID: 17913679
To clear up (3)... Say the user has Read perms for Folder A, and Read also for Folder B, and is then Denied Read for A. Does that mean that even though he has been denied Read on A, he CAN read on Folder B?????

The reason this is confusing me is because I had a question where a user belongs to 2 groups, Engineers and Sales, and only he was to be denied Read to a folder, so no one else is affected.

The folder has NTFS permissions that allow Administrators Full Control, and Engineers have Modify.
The Share permissions allow Everyone Change.

The user kept modifying files in Folder A, so the solution was to Deny him Read (not the whole group). However, the explanation of the answer also goes on to say that, as the user is also in Sales, you have to assign the "Allow Read" permission for Sales.

Why is that????
How will his abilities as a Sales member be affected??????

PS: This has kind of turned into a new question, so I'll add extra points.


Expert Comment

ID: 17913779
Deny goes over Allow. If he is denied Read in Folder A, nothing happens to Folder B (unless B is a subdir of A and inherits permissions).
Permissions for folders are analyzed this way:
1 - Is the user denied in any of the groups he belongs to?
    yes -> then he is denied
    no -> then:
2 - Is the user allowed in any of the groups he belongs to?
    yes -> then he can access
    no -> then he cannot access


Author Comment

ID: 17913815
OK. So why did the explanation ask to Allow Read for the Sales group?

As I mentioned before, I have not touched my books for a while, so sorry if these questions are obvious.

Expert Comment

ID: 17914223
I didn't understand the last....

Author Comment

ID: 17915187
OK, I'll re-write it and hopefully it's more clear... if not, just let me know what part you cannot understand.

To clear up the 3rd point)... The user is initially allowed the Read permission for a folder named Folder A, and also has the Read permission for a folder called Folder B. The user is then Denied the Read permission for Folder A.

Now does that mean that even though he has been denied the Read permission on Folder A, he is still able to Read on Folder B?????... Or would he be Denied Read on Folder B as well?????

The reason this is confusing me is because I had a question...

A user belongs to 2 groups. These two groups are Engineers and Sales.

This user kept changing the files in a folder called XYZ. So he had to be Denied access to this folder, but you also have to make sure he remains in the groups he is in so he can carry out other tasks.

XYZ has NTFS permissions that allow Administrators Full Control, and Engineers have the Modify permission.
The Share permissions for XYZ allow Everyone the Change permission.

The solution said Deny him Read and Execute (not the whole group, just him).

However, the explanation of the answer also goes on to say that, as the user is also in Sales, you have to assign the "Allow Read" permission for Sales, which would be the appropriate setting so as not to affect other users while allowing the user to remain and operate in the groups he is in.

Why is that... what is the reasoning behind allowing Read to the Sales group?

How will his abilities as a Sales member be affected if you only Denied him Read for XYZ?

Hope the above is more clear.

Expert Comment

by:Rich Rumble
ID: 17927725
I haven't read through all the posts... NTFS uses the MOST restrictive Access List entry as the "effective" permission.
If your account is in two groups, group1 and group2, and in group1 your permission to read is denied while in group2 you're given read access, you do not have read access even if explicitly allowed in another group. If that right is inherited, sometimes, depending on how the ACLs are read, you may get conflicting results... taking ownership of files can prevent some of these overlaps; see these:
http://www.microsoft.com/technet/technetmag/issues/2006/01/HowITWorksNTFS/?related=y (good links in here too)


Author Comment

ID: 17928789
Think it may help if you go over what I've typed.

I'm confused as to why, after the user has been denied Read to a folder in one group (which will result in him being Denied Read even if another group he belongs to has Allow Read), we are giving him Allow Read in another group... surely, as Deny takes priority, he will be denied Read in everything (for that folder).

In theory other folders will not be affected by him being Denied Read in another folder... so why is he being allowed Read for another group, when all we have done is deny Read in another folder?

Expert Comment

by:Rich Rumble
ID: 17929537
In the article above (second link), you can see the same situation; it's the order in which the DACL is read that decides how the right is applied, nice and confusing ;)
The parent object grants the user Modify, and the grandparent denies Write. The first thing evaluated is the child Deny permissions, and since the user is not denied, the evaluation continues to the child Allow permissions. The child object does not have Allow permissions, so the evaluation continues to the parent object. The user has been granted Modify at the parent folder, so they are able to open the file.
The DACL lists permissions by the object first, followed by the object's parent, then the grandparent, and so on up the directory tree. Each layer has the Deny permissions listed before the Allow permissions. The evaluation starts at the child and checks the permissions at that level before continuing up the tree. This process goes level by level until one of three things happens:
    * If the evaluation finds a Deny for the requested action, the evaluation stops and the action is denied.
    * If the evaluation finds an Allow for the requested action, the evaluation stops and the action is allowed.
    * If the evaluation made it to the top of the tree and the action does not have an Allow or Deny permission specified, the action is still denied.

File perms can get tricky, especially if users span more than one group and those groups have different
This article may also be helpful
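A small model of the evaluation order described in the comment above, added here as an example and not part of the thread or the linked article. It assumes simplified rights bit masks, an `Ace` class standing in for a real ACE, and a constructed user "bob"; the group names and folder XYZ are the ones used in the question.

```python
"""Model of Windows DACL evaluation (added example, not from the thread).

ACEs are walked in canonical order: explicit Deny, explicit Allow,
inherited Deny, inherited Allow. Each ACE whose trustee matches the user or
one of the user's groups is compared with the rights still not granted: a
Deny on any such right ends the check as denied, an Allow grants its bits,
and the walk stops as soon as every requested right has been granted.
"""
from dataclasses import dataclass

READ, WRITE, EXECUTE = 1, 2, 4           # simplified rights bit masks (assumption)
MODIFY = READ | WRITE | EXECUTE           # Modify treated as R+W+X in this model

@dataclass(frozen=True)
class Ace:
    trustee: str             # user or group name standing in for a SID
    allow: bool              # True = Allow ACE, False = Deny ACE
    rights: int              # bit mask of rights this ACE covers
    inherited: bool = False  # True if the ACE was inherited from a parent folder

def canonical(dacl):
    """Order ACEs as Windows expects: explicit before inherited, Deny before Allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))

def access_check(dacl, principals, requested):
    """True if a token holding `principals` is granted all `requested` rights."""
    remaining = requested
    for ace in canonical(dacl):
        if ace.trustee not in principals or not (ace.rights & remaining):
            continue                      # ACE does not touch what is still wanted
        if not ace.allow:
            return False                  # Deny hit an ungranted right: stop, denied
        remaining &= ~ace.rights          # Allow grants these bits
        if remaining == 0:
            return True                   # every requested right granted
    return False                          # end of DACL with rights still missing

def effective_rights(dacl, principals):
    """Per-right view, like the Effective Permissions tab: which single rights pass."""
    return {name: access_check(dacl, principals, bit)
            for name, bit in (("Read", READ), ("Write", WRITE), ("Execute", EXECUTE))}

# Constructed DACL for folder XYZ as described in the question: Administrators
# Full Control, Engineers Modify, plus an explicit Deny Read on the single user.
XYZ = [Ace("Administrators", True, MODIFY), Ace("Engineers", True, MODIFY),
       Ace("bob", False, READ)]
USER = {"bob", "Engineers", "Sales"}      # user's token: own SID plus group SIDs
```

With this model the single-user Deny Read on XYZ blocks Read (and therefore Modify) for that user only, a DACL on a different folder is unaffected, and an explicit Allow is reached before an inherited Deny.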

Author Comment

ID: 17930072
Sorry mate, I have read that and it's still not clear.

In the situation I had:

- The user is in 2 different groups (Engineers and Sales)
- We have one folder called XYZ
- NTFS perms for XYZ: Admins = Full Control, Engineers = Modify
- Share perms for XYZ: Everyone = Change
- He keeps changing a file inside XYZ
- He needs to be stopped from accessing XYZ
- His group membership should not be changed
- Others in the groups should not be affected

Solution = Deny the USER the ability to Read

That's where I would end the answer, and from what I've studied so far (MCDST), that's where I would expect the answer to end.

BUT in this example it goes on to say "To accommodate the user's needs, since he forms part of both Engineers and Sales, you should configure the NTFS permissions to assign the Allow Read to the Sales group, which would be the appropriate setting so others do not get affected, while allowing the user to remain in Sales."

So, what has Sales got to do with anything????... all we did was deny him Read; it shouldn't affect any other users/groups, should it??

New question: the user wasn't even in the ACL, so how can we deny him?... they must have denied the Engineers group Read, yes/no??????... if so, surely it affects other users.

I wish these questions were a bit more clear; it's not like you have access to Experts Exchange in an exam.

Sorry once again if that link explained everything, but I can't make sense of it.


*is very confused*

Expert Comment

by:Rich Rumble
ID: 17930306
It's tricky, and also the part where the example goes on to say "to accommodate..." seems incorrect. Is this a brain-dump? Where folks go to take tests and write the questions down to later answer them... they are often wrong; even certified M$ materials have been wrong...

Look at the bottom for "Permission Precedence"
Permissions are almost the same from Windows NT’s NTFS 4.0 to Windows 2000/XP/2003’s NTFS 5.0. One of the main differences is the way that permissions inherit down through the structure with inherited and explicit permissions. It used to be that, if there was a Deny permission on the ACL, it was always evaluated first, then the Allow permissions would follow. Now, the permission hierarchy must be evaluated considering not only the Deny vs. Allow, but whether the permission is explicitly set or inherited down from a parent resource.

Author Comment

ID: 17930584
Yes mate, they are.

Do you think this question is wrong?... if so, would you just do as I thought it would be, i.e. just deny the Read to the user? If so (yes, "if so" again... sorry), shouldn't the user have been in the ACL too?

Accepted Solution

Rich Rumble earned 600 total points
ID: 17930620
Yes, deny the user, don't trust braindumps ;)

Author Comment

ID: 17934132
Should the user himself have been in the ACL to deny only him Read, though?
