Solved

AD Groups question

Posted on 2013-02-01
13
276 Views
Last Modified: 2013-02-04
If the use is a member of higher privilege group and lesser privilege group.  Which one is prevails?  For some reason user put himself into the lesser privilege group that locks himself out.
0
Comment
Question by:Tiras25
  • 4
  • 4
  • 2
  • +3
13 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 143 total points
ID: 38845723
Providing you don't use DENY then the higher permissions prevail.
In most cases you don't need to use deny.
0
 
LVL 6

Assisted Solution

by:sconstable
sconstable earned 72 total points
ID: 38845750
Id depends,
NTFS permissions assuming 1 group has permissions and the other one is just not in the ACL then the user will have access, if the "lower priv" group is in the ACL with deny, they will be denied rights.
0
 
LVL 17

Author Comment

by:Tiras25
ID: 38845757
The lower privilege is a Global Security Group.
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 57

Expert Comment

by:Mike Kline
ID: 38845767
How does he lock himself out by being put in a group?

Thanks

Mike
0
 
LVL 4

Assisted Solution

by:Thomas WERNHER
Thomas WERNHER earned 72 total points
ID: 38846536
Hi,

if permissions are set on the NTFS file system (facing the internal side of the system), you'll have the higher permissions prevailing (if the user is in the two groups).

But, what about the shared folder permissions ?

Cheers
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 213 total points
ID: 38853049
What are we talking about here? I did not see the author mention folders/file permissions.
Please clarify.
0
 
LVL 17

Author Comment

by:Tiras25
ID: 38853090
Sorry i was talking about the access to some internal URL link.  Seems the user added himself to the least permissive group and lock himself out.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 213 total points
ID: 38853094
Come on, is it about file permissions or not. Or about a web server and its permissions. Where did he add himself? How does the lockout look like, "access denied" errors?
0
 
LVL 17

Author Comment

by:Tiras25
ID: 38853126
access denied yet.  So something about website permissions.  Sorry for the confusion.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 213 total points
ID: 38853141
"So something about website permissions"
Man :) What makes it so complicated to tell us what he is trying to do? If you are looking for a solution, you need a question first. No really. Still not clear at all.
Where and how did he add himself?
What is he doing exactly?
Is he getting access denials in windows explorer or in his browser?
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 143 total points
ID: 38853144
Now I'm confused ?

Please can you explain clearly and exactly what the problem is
0
 
LVL 17

Author Comment

by:Tiras25
ID: 38853190
Sorry again for the confusion.  The user added himself into the least permissive group in AD and denied himself access to the internal web site.  Once remove that specific group the access got back to normal.   Sorry I wasn't clear.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 38853289
???
Willie Wang: [as they are about to leave Twain Manor] ... I don't get something, Pop: WAS there a murder, or WASN'T there?
Sidney Wang: Yes: Killed good weekend. Drive, please
See http://www.imdb.com/title/tt0074937/quotes
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Resolve DNS query failed errors for Exchange
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question