Active Directory Question

Billzie7718

Senior member
Sep 2, 2005
SETUP: I have a company share that all users connect to through a logon script in group policy. The script maps this shared drive to all authenticated users and gives them read/write access as it's not critical data. The security for the folder itself is also set up to give all authenticated users R/W access.

PROBLEM: I have a couple of consultants that I need to DENY access to this share. If I explicitly deny access on the share permission, will the security permissions (i.e. folder access) over-rule and ALLOW him to browse directly?


Cliffs:
Does a share permission DENY over-rule a folder security permission ALLOW?
Or vice versa?
 

coupland

Member
Oct 22, 2006
Windows always grants the *lowest* access based on combining all permissions with the following exceptions:

DENY permissions over-ride ALLOW permissions
Explicit permissions over-ride inherited permissions

Therefore, if you have Full Control in ACLs but Read-only share access, you will get Read-only. In your specific example, DENY trumps all others so those people will be denied access to the share and its contents. But keep in mind DENY permissions are generally bad practice. "Allow everyone the ability to do anything unless I specifically deny them the ability" goes directly in the face of good security practice.

EDIT: to fix my speeling
 

Billzie7718

Senior member
Sep 2, 2005
Originally posted by: coupland
Windows always grants the *lowest* access based on combining all permissions with the following exceptions:

DENY permissions over-ride ALLOW permissions
Explicit permissions over-ride inherited permissions

Therefore, if you have Full Control in ACLs but Read-only share access, you will get Read-only. In your specific example, DENY trumps all others so those people will be denied access to the share and its contents. But keep in mind DENY permissions are generally bad practice. "Allow everyone the ability to do anything unless I specifically deny them the ability" goes directly in the face of good security practice.

EDIT: to fix my speeling

Thanks for your help.
 

RebateMonger

Elite Member
Dec 24, 2005
Normal practice in creating shares in NTFS is to set the "Sharing" permissions to give full access to EVERYONE. And then set your "Security" permissions to actually maintain security. Trying to predict the outcome of various combinations of "Sharing" and "Security" settings gets messy and is unnecessary. Besides, "Share" permissions only control access from the network and don't control access from the local computer where the share is located.

In the "Security" applet, you can either set up a "DENY" for the consultants or you can remove the default "Read and Execute" permissions given to "All Users" and then manually re-add more specific permissions while NOT adding the consultants to the Security list.

It's probably easiest to just use the "Deny" for the consultants in the "Security" settings.

After you are done, double-check the consultant's rights by checking the "Effective Permissions" in the Advanced Security Settings applet in the "Security" settings.
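
The rules discussed in the replies above (DENY over ALLOW, explicit over inherited, share and NTFS permissions combining to the more restrictive result, and share permissions applying only over the network), as an added example that is not part of any post in this thread. It is a simplified Python model of the access check; the trustee names, the two-bit rights mask and the sample ACLs are constructed for illustration.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2
FULL = READ | WRITE          # stands in for read/write in this model

@dataclass(frozen=True)
class Ace:
    trustee: str             # user or group name (stand-in for a SID)
    allow: bool              # True = ALLOW ACE, False = DENY ACE
    mask: int                # rights this ACE covers
    inherited: bool = False

def canonical(acl):
    # Canonical ACE order: explicit deny, explicit allow, inherited deny, inherited allow.
    return sorted(acl, key=lambda a: (a.inherited, a.allow))

def granted(acl, token):
    """Rights one ACL grants to a token (the set of names the user holds)."""
    allowed = denied = 0
    for ace in canonical(acl):
        if ace.trustee not in token:
            continue
        undecided = ace.mask & ~(allowed | denied)  # first matching ACE decides each bit
        if ace.allow:
            allowed |= undecided
        else:
            denied |= undecided
    return allowed

def effective(ntfs_acl, share_acl, token, over_network=True):
    rights = granted(ntfs_acl, token)
    # The share ACL is only consulted when the folder is reached through the share.
    return rights & granted(share_acl, token) if over_network else rights

# Constructed principals and ACLs mirroring the scenario in the thread.
STAFF = {"alice", "Everyone", "Authenticated Users"}
CONSULTANT = {"bob", "Everyone", "Authenticated Users", "Consultants"}
NTFS_RW = [Ace("Authenticated Users", True, FULL)]
NTFS_DENY = NTFS_RW + [Ace("Consultants", False, FULL)]
SHARE_RW = [Ace("Authenticated Users", True, FULL)]
SHARE_DENY = SHARE_RW + [Ace("Consultants", False, FULL)]
SHARE_EVERYONE = [Ace("Everyone", True, FULL)]
SHARE_READ = [Ace("Everyone", True, READ)]

if __name__ == "__main__":
    print("share DENY, via network:", effective(NTFS_RW, SHARE_DENY, CONSULTANT))
    print("share DENY, local logon:", effective(NTFS_RW, SHARE_DENY, CONSULTANT, False))
    print("NTFS DENY, local logon: ", effective(NTFS_DENY, SHARE_EVERYONE, CONSULTANT, False))
```

In this model a DENY on the share alone leaves the consultant with full rights when logged on locally to the server, while a DENY in the folder's security ACL blocks both paths.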