Effective Permissions


I've got a few questions that are fairly simple for you guys (I hope).

If a user belongs to a few groups, for example in Sales he has Read, in HR he has Read, and in Engineers he has Write, then his effective permission is Write.

1) So when it says his effective permission is Write, does that mean he has the ability to Write even though he is in the Sales and HR groups, correct?

2) If a user who is a member of 2 groups (Engineers, who have the NTFS permission Modify, and Sales, who have the permission Write) has been Denied Read to a certain folder (not the whole group, just him), then is his effective permission still Write?

3) If someone has been Denied Read to one resource, would this affect their ability to Read other resources? I.e. if someone is Denied Read to Folder A, will they be unable to read something in Folder B?

I'm sorry if these questions are obvious, but I'm going back to my Microsoft courses after putting them off for ages, and there are a few things I've forgotten, so I just need to clear a few things up.

Thanks in advance
Rich Rumble (Security Samurai) commented:
Yes, deny the user, don't trust braindumps ;)
inbarasan commented:
Dear LFC1980,
My answers are below

1) Yes, she has the ability to write.
2) Deny will take effect even if the user has Full Control. Deny will supersede all the rights.
3) Depends on the permissions on the resource. If the other resource has Read or Write, that will take effect. It doesn't matter if a user is denied somewhere. The effective permission on the folder will take effect.

LFC1980 (Author) commented:
To clear up (3): say the user has Read perms for Folder A, and Read also for Folder B, and is then Denied Read for A. Does that mean that even though he has been denied Read on A, he CAN read Folder B?

The reason this is confusing me is because I had a question where a user belongs to 2 groups. Engineers and Sales. And only he was to be denied read to a folder, so no one else is affected.  

The folder has NTFS permissions that allow Administrators Full Control, and Engineers have Modify.
The Share permissions allow Everyone Change.

The user kept modifying files in Folder A, so the solution was to Deny him Read (not the whole group). However, in the explanation of the answer, it also goes on to say that as the user is also in Sales, you have to assign the "Allow Read" permission for Sales.

Why is that?
How will his abilities as a Sales member be affected?

PS: This has kind of turned into a new question so I'll add extra points.


Deny goes over allow. If he is denied Read in folder A, nothing happens to folder B (unless B is a subdir of A and inherits permissions).
Permissions for folders are analyzed this way:
1 - the user is denied in any of the groups he belongs?
    yes-> then he is denied
    no-> then:
2 - the user is allowed in any of the groups he belongs?
    yes-> then he can access
    no-> then he cannot access
LFC1980 (Author) commented:
OK. So why did the explanation ask to Allow Read for the Sales group?

As I mentioned before, I have not touched my books for a while, so sorry if these questions are obvious.
I didn't understand the last....
LFC1980 (Author) commented:
OK, I'll re-write it and hopefully it's clearer. If not, just let me know what part you cannot understand.

To clear up the 3rd point: the user is initially allowed the Read permission for a folder named Folder A, and also has the Read permission for a folder called Folder B. The user is then Denied the Read permission for Folder A.

Now does that mean that even though he has been denied the Read permission on Folder A, he is still able to Read Folder B? Or would he be Denied Read on Folder B as well?

The reason this is confusing me is because I had a question...

A user belongs to 2 groups. These two groups are Engineers and Sales.

This user kept changing the files in a folder called XYZ. So he had to be Denied access to this folder, but you also have to make sure he remains in the groups he is in so he can carry out other tasks.

XYZ has NTFS permissions that allow Administrators Full Control, and Engineers have the Modify permission.
The Share permissions for XYZ allow Everyone the Change permission.

The solution said Deny him Read and Execute (not the whole group, just him).

However, in the explanation of the answer it also goes on to say that, as the user is also in Sales, you have to assign the "Allow Read" permission for Sales, which would be the appropriate setting so as not to affect other users while allowing the user to remain and operate in the groups he is in.

Why is that? What is the reasoning behind allowing Read to the Sales group?

How will his abilities as a Sales member be affected if you only Denied him Read for XYZ?

Hope the above is clearer.
Rich Rumble (Security Samurai) commented:
I haven't read through all the posts... NTFS uses the MOST restrictive Access List entry as the "effective" permission.
If your account is in two groups, group1 and group2, and in group1 your permission to read is denied while in group2 you're given read access, you do not have read access even if explicitly allowed in another group. If that right is inherited, sometimes, depending on how the ACLs are read, you may get conflicting results... taking ownership of files can prevent some of these overlaps; see these:
http://www.microsoft.com/technet/technetmag/issues/2006/01/HowITWorksNTFS/?related=y (good links in here too)

LFC1980 (Author) commented:
I think it may help if you go over what I've typed.

I'm confused as to why, after the user has been denied Read to a folder in one group (which will result in him being Denied Read even if another group he belongs to has Allow Read), we are giving him Allow Read in another group... surely as deny takes priority, he will be denied Read in everything (for that folder).

In theory other folders will not be affected by him being Denied Read in another folder... so why is he being allowed Read for another group, when all we have done is deny Read in another folder?
Rich Rumble (Security Samurai) commented:
In the article above (second link), you can see the same situation; it's the order in which the DACL is read that the right is applied, nice and confusing ;)
The parent object grants the user Modify, and the grandparent denies Write. The first thing evaluated is the child Deny permissions, and since the user is not denied, the evaluation continues to the child Allow permissions. The child object does not have Allow permissions so the evaluation continues to the parent object. The user has been granted Modify at the parent folder so they are able to open the file.
The DACL lists permissions by the object first, followed by the object's parent, then the grandparent, and so on up the directory tree. Each layer has the Deny permissions listed before the Allow permissions. The evaluation starts at the child and checks the permissions at that level before continuing up the tree. This process goes level by level until one of three things happens:
    * If the evaluation finds a Deny for the requested action, the evaluation stops and the action is denied.
    * If the evaluation finds an Allow for the requested action, the evaluation stops and the action is allowed.
    * If the evaluation made it to the top of the tree and the action does not have an Allow or Deny permission specified, the action is still denied.

File perms can get tricky, especially if users span more than one group and those groups have different
This article may also be helpful
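Added example, not from the thread or from any Microsoft material: a small Python model of the DACL evaluation order quoted above (object first, then parent, then grandparent; Deny before Allow at each level; first matching entry decides), applied to the XYZ scenario and to the earlier "folder A vs folder B" question. The account name LFC1980, the Folder B ACL and the simplified expansion of generic permissions are assumptions.

```python
from dataclasses import dataclass

READ, WRITE = "Read", "Write"
# Generic NTFS permissions expanded to the basic rights they contain (simplified).
RIGHTS = {"Read": {READ}, "Write": {WRITE},
          "Modify": {READ, WRITE}, "Full Control": {READ, WRITE}}

@dataclass(frozen=True)
class Ace:
    principal: str  # user or group the entry applies to
    kind: str       # "Allow" or "Deny"
    right: str      # a key of RIGHTS

def canonical(dacl):
    """Canonical order within one level: every Deny ACE before any Allow ACE."""
    return sorted(dacl, key=lambda ace: ace.kind != "Deny")

def check_access(levels, principals, wanted):
    """levels[0] is the object's own DACL, levels[1] its parent's, and so on up the
    tree. The first ACE naming one of the caller's principals (user or group) and
    covering the requested right decides; running out of ACEs is an implicit deny."""
    for depth, dacl in enumerate(levels):
        for ace in canonical(dacl):
            if ace.principal in principals and wanted in RIGHTS[ace.right]:
                return ace.kind == "Allow", f"{ace.kind} {ace.right} for {ace.principal} at level {depth}"
    return False, "no matching ACE: implicit deny"

# The asker's user (hypothetical account name) together with his two groups.
USER = {"LFC1980", "Engineers", "Sales"}
# Folder XYZ as described in the thread, plus the explicit Deny Read for him alone.
XYZ = [Ace("Administrators", "Allow", "Full Control"),
       Ace("Engineers", "Allow", "Modify"),
       Ace("LFC1980", "Deny", "Read")]

def demo():
    """Evaluates the situations discussed in the thread; returns {name: (allowed, reason)}."""
    return {
        # His Deny Read is evaluated before Engineers' Allow Modify.
        "xyz_read": check_access([XYZ], USER, READ),
        # Adding Allow Read for Sales on XYZ changes nothing: the Deny still comes first.
        "xyz_read_with_sales_allow": check_access([XYZ + [Ace("Sales", "Allow", "Read")]], USER, READ),
        # A Deny on folder A does not touch folder B: each object's own DACL is evaluated.
        "folder_b_read": check_access([[Ace("Sales", "Allow", "Read")]], USER, READ),
        # The quoted article: child has no ACEs, parent grants Modify, grandparent denies Write.
        "article_write": check_access([[], [Ace("LFC1980", "Allow", "Modify")],
                                       [Ace("LFC1980", "Deny", "Write")]], USER, WRITE),
    }
```

Running `demo()` shows the Sales Allow on XYZ is never reached because the user's own Deny sits ahead of it, while the article's case is allowed at the parent level before the grandparent's Deny is ever examined.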
LFC1980 (Author) commented:
Sorry mate, I have read that and it's still not clear.

In the situation I had,

- The user is in 2 different groups (Engineers and sales)
- We have one folder called XYZ
- NTFS perms for XYZ: Admins = Full Control, Engineers = Modify
- Share perms for XYZ: Everyone = Change
- He keeps changing a file inside XYZ
- He needs to be stopped from accessing XYZ
- His group membership should not be changed
- Others in the groups should not be affected

Solution = Deny the USER the ability to Read

That's where I would end the answer, and from what I've studied so far (MCDST), that's where I would expect the answer to end.

BUT in this example it goes on to say "To accommodate the user's needs, since he forms part of both Engineers and Sales, you should configure the NTFS permissions to assign the Allow Read to Sales, which would be the appropriate setting so others do not get affected, while allowing the user to remain in Sales".

So, what has Sales got to do with anything? All we did was deny him Read; it shouldn't affect any other users/groups, should it?

New question: the user wasn't even in the ACL, so how can we deny him? They must have denied the Engineers group Read, yes/no? If so, surely it affects other users.

I wish these questions were a bit clearer; it's not like you have access to Experts Exchange in an exam.

Sorry once again if that link explained everything, but I can't make sense of it.

*is very confused*
Rich Rumble (Security Samurai) commented:
It's tricky, and also the part where the example goes on to say "to accommodate..." seems incorrect. Is this a brain-dump? Where folks go to take tests and write the questions down to later answer them... they are often wrong, even certified M$ materials have been wrong...

Look at the bottom for "Permission Precedence"
Permissions are almost the same from Windows NT’s NTFS 4.0 to Windows 2000/XP/2003’s NTFS 5.0. One of the main differences is the way that permissions inherit down through the structure with inherited and explicit permissions. It used to be that, if there was a Deny permission on the ACL, it was always evaluated first, then the Allow permissions would follow. Now, the permission hierarchy must be evaluated considering not only the Deny vs. Allow, but whether the permission is explicitly set or inherited down from a parent resource.
LFC1980 (Author) commented:
Yes mate, they are.

Do you think this question is wrong? If so, would you just do as I thought it would be, i.e. just deny the Read to the user? If so (yes, "if so" again... sorry), shouldn't the user have been in the ACL too?
LFC1980 (Author) commented:
Should the user himself have been in the ACL to deny only him Read, though?