Solved

AD Groups question

Posted on 2013-02-01
Last Modified: 2013-02-04
If the user is a member of a higher privilege group and a lesser privilege group, which one prevails? For some reason the user put himself into the lesser privilege group, which locked him out.
Question by:Tiras25
13 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 143 total points
ID: 38845723
Providing you don't use DENY then the higher permissions prevail.
In most cases you don't need to use deny.
0
 
LVL 6

Assisted Solution

by:sconstable
sconstable earned 72 total points
ID: 38845750
It depends.
For NTFS permissions, assuming one group has permissions and the other one is just not in the ACL, then the user will have access; if the "lower priv" group is in the ACL with deny, they will be denied rights.
0
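Added example (not part of any poster's reply): a simplified Python model of the ACL evaluation the two answers above describe, where allow entries accumulate across all of a user's groups and a matching deny entry overrides them. The group names, rights bits and ACLs are constructed for illustration.

```python
# Simplified model of a Windows DACL access check (added example).
# Group names and rights below are constructed for illustration.
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2


@dataclass(frozen=True)
class Ace:
    kind: str       # "allow" or "deny"
    trustee: str    # user or group name standing in for a SID
    mask: int       # rights the ACE covers


def canonical(dacl):
    """Order ACEs the way Windows tools write them: explicit deny first."""
    return sorted(dacl, key=lambda ace: ace.kind != "deny")


def access_check(token_groups, dacl, desired):
    """Return True if every bit in `desired` is granted before a deny hits it."""
    remaining = desired
    for ace in canonical(dacl):
        if ace.trustee not in token_groups:
            continue                      # ACE does not apply to this user
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False              # a matching deny wins immediately
        else:
            remaining &= ~ace.mask        # allow ACEs accumulate across groups
        if remaining == 0:
            return True
    return False                          # nothing granted the rest: implicit deny


def effective_rights(token_groups, dacl, rights=(READ, WRITE)):
    """Bitmask of the individual rights the user would actually get."""
    return sum(r for r in rights if access_check(token_groups, dacl, r))


# Constructed groups: "Editors" is the higher privilege group, "Readers" the lesser.
ALLOW_ONLY = [Ace("allow", "Editors", READ | WRITE), Ace("allow", "Readers", READ)]
WITH_DENY = ALLOW_ONLY + [Ace("deny", "Restricted", READ | WRITE)]

if __name__ == "__main__":
    user = {"alice", "Editors", "Readers"}
    print(effective_rights(user, ALLOW_ONLY))
    print(effective_rights(user | {"Restricted"}, WITH_DENY))
```

When a user loses access after being added to a group, the thing to look for is a deny entry naming that group, since membership in a group that only has weaker allow entries cannot reduce access in this model.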
 
LVL 17

Author Comment

by:Tiras25
ID: 38845757
The lower privilege is a Global Security Group.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38845767
How does he lock himself out by being put in a group?

Thanks

Mike
0
 
LVL 4

Assisted Solution

by:Thomas WERNHER
Thomas WERNHER earned 72 total points
ID: 38846536
Hi,

If permissions are set on the NTFS file system (facing the internal side of the system), you'll have the higher permissions prevailing (if the user is in the two groups).

But what about the shared folder permissions?

Cheers
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 213 total points
ID: 38853049
What are we talking about here? I did not see the author mention folders/file permissions.
Please clarify.
0
 
LVL 17

Author Comment

by:Tiras25
ID: 38853090
Sorry, I was talking about the access to some internal URL link. Seems the user added himself to the least permissive group and locked himself out.
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 213 total points
ID: 38853094
Come on, is it about file permissions or not? Or about a web server and its permissions? Where did he add himself? What does the lockout look like, "access denied" errors?
0
 
LVL 17

Author Comment

by:Tiras25
ID: 38853126
access denied yet.  So something about website permissions.  Sorry for the confusion.
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 213 total points
ID: 38853141
"So something about website permissions"
Man :) What makes it so complicated to tell us what he is trying to do? If you are looking for a solution, you need a question first. No really. Still not clear at all.
Where and how did he add himself?
What is he doing exactly?
Is he getting access denials in windows explorer or in his browser?
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 143 total points
ID: 38853144
Now I'm confused?

Please can you explain clearly and exactly what the problem is.
0
 
LVL 17

Author Comment

by:Tiras25
ID: 38853190
Sorry again for the confusion. The user added himself into the least permissive group in AD and denied himself access to the internal web site. Once that specific group was removed, the access got back to normal. Sorry I wasn't clear.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 38853289
???
Willie Wang: [as they are about to leave Twain Manor] ... I don't get something, Pop: WAS there a murder, or WASN'T there?
Sidney Wang: Yes: Killed good weekend. Drive, please
See http://www.imdb.com/title/tt0074937/quotes
0
