We help IT Professionals succeed at work.

AD security group

Eprs_Admin asked
Hi Experts,

I have a question regarding AD scurity groups.
Lets say I have two security groups.
One group is filled with users (modify rights).
The other group is filled with FullAccess Users.

Lets say one teamleader is in both groups, which group counts ?
The group with the highest right or lowest ?
Watch Question

Most Valuable Expert 2018
Distinguished Expert 2018
The combination of both. In this case, as Modify is a subset of Full, the "FullAccess Users".
IT Service Manager
Top Expert 2012
Highest Privilege takes precedence when a user is on 2 group with 2 different permission.
AlexA lack of information provides a lack of a decent solution.
Breaking it down further,

oBdA is correct to an extent.

Full access is what they will have, Modify rights allow you to modify the files, Full access will allow them to change the ACL on the folder. As such the full access would take precedence.

Realistically, you shouldn't ever give users full access to a folder, only modify rights which will allow them everything but change the ACL on the top level folder which would mean they can't screw up your security structure.


Distinguished Expert 2018

Permissions are additive with the exception of denials which overrule allowed things.
Most Valuable Expert 2018
Distinguished Expert 2018

There's no "Highest privilege precedence". When a user is a member of multiple groups, the rights of the groups will be combined.
The only precedence that comes into play is when the effective access is calculated. Deny normally overrides Allow, unless the Deny is inherited and the Allow is explicit - then the Allow wins after all. Explicit ACEs always override inherited ACEs.

When both Share and NTFS permissions apply, the more restrictive set applies. If the Share only allows Read, NTFS can't override this to anything more. When Share is Full, and NTFS is Read, NTFS wins.

Allowing Modify instead of Full only prevents changing permissions of objects that other users have created. For objects a user owns, he is still allowed to change the permissions. The best way to prevent this is to set the Share permissions for the users to Change, not Full.

How permissions are handled when you copy and move files and folders