Re: 70-290, properly answering access permission questions

Seshouan wrote:
> Once again, folks, I am very aware of what permissions are and what they do.
> I just needed some input on how the exam wanted us to apply them. Because
> either way it works and doesn't involve any unwanted side effects, and I don't
> see it as wrong or impractical because that's the way I've been doing it
> forever.
>
> By the way, Steven, an explicit allow doesn't override an inherited deny,
> nothing overrides a deny. You'll need to do some reviewing

I can see why you got a 678. He was absolutely right - an explicit
Allow DOES override an inherited Deny.

All explicit permissions override implicit permissions, regardless of
what they are.

Nothing overrides an EXPLICIT Deny. And that rule really only makes
sense when you're discussing a user who belongs to multiple groups - if
they have a Deny permission from one group, that overrides all Allows
from any other group(s).

Furthermore, you were also off in stating that no bad could come from
issuing Denys. In fact, it is generally regarded as poor practice to
hand out Deny permissions in every situation. It complicates the
permissions tree in general and makes it more difficult to troubleshoot
permissions headaches down the road. This from the MS Press Book:
Managing and Maintaining a Windows Server 2003 Environment,
Chapter 6, Lesson 2, Page 21:

"Note: Best practice dictates that you minimize the use of Deny
permissions and focus instead on allowing the minimal resources
permissions required to achieve the business task. Deny permissions add
a level of complexity to the administration of ACLs, and should be used
only where absolutely necessary to exclude access to a user who has
been granted permissions to the resource through other group
memberships."

Now, my suggestion to you -- since you don't seem keen on hearing the
CORRECT way permissions operate from others, is that you go see for
yourself. Fire up a Win 2k3 Server box, create a test user and assign
him Deny permissions at the folder level and explicit Allow permissions
to files within the folder.

Then come back here and tell us what you've learned.
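
The experiment proposed in the post above, modeled as an added example that is not part of the original thread: a simplified Python sketch of a Windows-style access check that walks a DACL in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow). The account and group names and the two-bit access mask are constructed for illustration, and the model ignores the ordering of inherited ACEs by distance from the object.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # simplified access-mask bits (constructed)

@dataclass(frozen=True)
class Ace:
    allow: bool      # True = Allow ACE, False = Deny ACE
    inherited: bool  # True when the ACE came from a parent folder
    sid: str         # user or group the ACE applies to
    mask: int        # rights the ACE covers

def canonical_order(dacl):
    # Explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))

def access_check(dacl, token_sids, desired):
    remaining = desired  # requested bits not yet granted
    for ace in canonical_order(dacl):
        if ace.sid not in token_sids:
            continue
        if not ace.allow and ace.mask & remaining:
            return False              # denied before being granted
        if ace.allow:
            remaining &= ~ace.mask
        if remaining == 0:
            return True               # everything requested is granted
    return False                      # no matching Allow: implicit deny

def demo():
    # Constructed scenarios; "testuser", "Staff", "Contractors" are made-up names.
    folder_deny = Ace(False, True, "testuser", READ | WRITE)  # inherited from folder
    file_allow = Ace(True, False, "testuser", READ)           # set on the file itself
    group_deny = Ace(False, False, "Contractors", READ)
    group_allow = Ace(True, False, "Staff", READ | WRITE)
    both = {"testuser", "Staff", "Contractors"}
    return {
        "explicit_allow_vs_inherited_deny": access_check([folder_deny, file_allow], {"testuser"}, READ),
        "write_still_denied": access_check([folder_deny, file_allow], {"testuser"}, WRITE),
        "explicit_deny_vs_explicit_allow": access_check([group_allow, group_deny], both, READ),
        "no_matching_ace": access_check([file_allow], {"someone_else"}, READ),
    }

if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The second scenario shows why the explicit Allow only wins for the rights it actually names: WRITE is not covered by the file-level Allow, so the inherited Deny still applies to it.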
