I am trying to figure out several different scenarios of permission settings, and how to know which permission takes precedence over another. Now I have been testing this a lot, but sometimes it seems like I am not getting any logic into this. For example I have often read that if a user is a member of two groups, the group with the more restrictive permission takes precedence. Then there is the thing about inherited permission vs explicit permission - where explicit should take precedence over the other...
What happens in the following scenarios (on a computer client, joined to a domain)?
NTFS permission of a folder:
Administrator group : Inherited, Full Control
Users (builtin group) : Inherited, Read and Execute
Users (builtin group) : Explicit, Read.
In the above case, if a user is both a member of the Administrator Group and the Users group - what happens with the NTFS permissions of the administrators group? If Explicit permissions always take precedence over the Inherited, do the users in the administrators group suddenly lose some of their permissions?
Another similar scenario is when the group "users (builtin)" has inherited read and execute permission on a folder, and I need to prevent this. Then I have the possibility of going into the advanced option and clear the box where it says "include permission from the parent object". But if I do that, ALL users and groups are removed - even the "SYSTEM" user account. Now why would anyone want to exclude the system account to begin with? Risking that the folder gets unusable, and cannot be deleted? Then again, I could specifically deny the "User group" permission to the folder - but how will that affect other specific users or groups which I want to allow access to this folder? Since every user in the domain automatically becomes a part of the "User Group (builtin)", through the "Domain Members group" - this explicit deny permission would take precedence over all other group permissions?
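An added example, not part of the original post: a simplified Python model of how Windows evaluates a folder's DACL, run against the three entries from the question and two constructed deny variants. It assumes the canonical ACE order that the ACL editor writes (explicit deny, explicit allow, inherited deny, inherited allow) and ignores owner rights, privileges and share permissions; the group name ProjectTeam is hypothetical.

```python
# Added illustration: simplified model of how Windows evaluates a DACL.
# Omits owner rights, privileges, share permissions and inherit-only ACEs.
READ = 0x120089          # FILE_GENERIC_READ
READ_EXECUTE = 0x1200A9  # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE
FULL_CONTROL = 0x1F01FF  # FILE_ALL_ACCESS
WRITE_DATA = 0x000002    # FILE_WRITE_DATA

def ace(trustee, kind, mask, inherited):
    return {"trustee": trustee, "type": kind, "mask": mask, "inherited": inherited}

def canonical(dacl):
    """Order ACEs: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a["inherited"], a["type"] != "deny"))

def access_check(token_groups, dacl, desired):
    """Walk the ACEs in order. Allow ACEs from every group in the token
    accumulate; a matching deny ACE fails the check only if it covers a
    bit that has not been granted yet."""
    remaining = desired
    for a in canonical(dacl):
        if a["trustee"] not in token_groups:
            continue
        if a["type"] == "deny":
            if a["mask"] & remaining:
                return False
        else:
            remaining &= ~a["mask"]
            if remaining == 0:
                return True
    return False  # bits that no ACE granted are implicitly denied

# The folder from the question.
QUESTION_ACL = [
    ace("Administrators", "allow", FULL_CONTROL, True),
    ace("Users", "allow", READ_EXECUTE, True),
    ace("Users", "allow", READ, False),
]
# Constructed variants: the same deny entry, once explicit and once inherited.
EXPLICIT_DENY_ACL = [
    ace("Users", "deny", READ_EXECUTE, False),
    ace("ProjectTeam", "allow", READ_EXECUTE, False),
]
INHERITED_DENY_ACL = [
    ace("Users", "deny", READ_EXECUTE, True),
    ace("ProjectTeam", "allow", READ_EXECUTE, False),
]

if __name__ == "__main__":
    print(access_check({"Administrators", "Users"}, QUESTION_ACL, FULL_CONTROL))
    print(access_check({"Users", "ProjectTeam"}, EXPLICIT_DENY_ACL, READ))
    print(access_check({"Users", "ProjectTeam"}, INHERITED_DENY_ACL, READ))
```

In this model the administrator keeps Full Control on the question's folder, because allow entries from every group in the token accumulate and the explicit Read entry for Users removes nothing. An explicit deny for Users blocks a ProjectTeam member who is also in Users, while an inherited deny does not override an explicit allow.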