Re: 70-290, properly answering access permission questions




In Windows 2000/XP Pro/2003 an explicit allow does indeed override an
inherited deny. This behavior was changed from Windows NT4.0. Try it
yourself and you will see. This is explained in the Microsoft Press book for
the 70-298 exam - designing security in chapter 9 page 12 and in the links
below. Maybe this is not something covered in the core exams. I don't know
as I took the upgrade exams. I guess you need to do some reviewing and
practicing. --- Steve

http://www.pcguide.com/ref/hdd/file/ntfs/secRes-c.html
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/005ea897-f26f-4223-9af6-49540a945102.mspx

Notes

• Inherited Deny permissions do not prevent access to an object if the
  object has an explicit Allow permission entry.

• Explicit permissions take precedence over inherited permissions,
  even inherited Deny permissions.


For more information on inherited permissions, see How inheritance affects
file and folder permissions.



"Seshouan" <Seshouan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7E537CE2-02BA-4C53-82E9-909A72307F29@xxxxxxxxxxxxxxxx
> Once again, folks, I am very aware of what permissions are and what they
> do. I just needed some input on how the exam wanted us to apply them.
> Because either way it works and doesn't involve any unwanted side effects,
> and I don't see it as wrong or impractical because that's the way I've
> been doing it for ever.
>
> By the way, Steven, an explicit allow doesn't override an inherited deny,
> nothing overrides a deny. You'll need to do some reviewing
>
>
> "Steven L Umbach" wrote:
>
>> I agree with you that you should refrain from using deny permissions
>> wherever possible as no permission is an implicit deny. Just keep in mind
>> that an explicit allow will override an inherited deny permission. ---
>> Steve
>>
>>
>> "Jon" <j@xxxxx> wrote in message
>> news:C3e5e.464$qF5.460@xxxxxxxxxxxxxxxxxxxxxxxx
>> > DENY HAS PRIORITY over Allow.
>> > If all they need to do is read, then just give the read permission,
>> > (NTFS if applicable)
>> >
>> > You NEVER deny unless absolutely necessary as it always powers over
>> > any Allow permission....
>> >
>> >
>> > "Seshouan" <Seshouan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> > news:3864CE16-1E6C-4F5A-A125-6A8976E2A875@xxxxxxxxxxxxxxxx
>> >> I had a headache today after failing the exam with a 678 (missing only
>> >> one or two questions).
>> >>
>> >> How are you supposed to answer permission access questions? Should you
>> >> explicitly deny write permissions when a person is only allowed to
>> >> read from a file or folder, or should you just leave it blank and
>> >> simply allow the read permission?
>> >>
>> >> I am a thorough person, when someone should only be allowed to read
>> >> from a file I prefer to deny him write permissions so that he doesn't
>> >> get access if he is moved into a group or inherits from a containing
>> >> folder. What is the proper approach?
>> >>
>> >> I think these were the questions that killed me, I must have had about
>> >> 7 questions like this. If I got them all wrong, then I know why I
>> >> failed today. Thank you for your assistance.
>> >>
>> >>
>> >
>> >
>> >
>>
>>
>>
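
Added example, not part of any post in this thread: a small Python model of how a DACL is evaluated when its entries are in the canonical order used since Windows 2000 (explicit deny, explicit allow, inherited deny, inherited allow), which is the mechanism behind the two documentation notes quoted above. The rights bits, the user "alice" and the group "Staff" are constructed for illustration and are not real NTFS values.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # simplified rights bits (assumption, not real NTFS mask values)

@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    trustee: str     # user or group the entry applies to
    mask: int        # rights covered by this entry
    inherited: bool  # True if the entry was inherited from a parent folder

def canonical_order(aces):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(dacl, token, desired):
    """Walk the DACL in order; the first entry to decide a requested bit wins."""
    remaining = desired
    for ace in dacl:
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False              # a still-needed right is denied
        if ace.kind == "allow":
            remaining &= ~ace.mask    # these rights are now granted
            if remaining == 0:
                return True           # later entries are never consulted
    return False                      # nothing granted it: implicit deny

def scenarios():
    token = {"alice", "Staff"}        # constructed user and group membership
    inh_deny = Ace("deny", "Staff", WRITE, inherited=True)
    inh_read = Ace("allow", "Staff", READ, inherited=True)
    exp_allow = Ace("allow", "alice", WRITE, inherited=False)
    exp_deny = Ace("deny", "alice", WRITE, inherited=False)

    def check(aces, want):
        return access_check(canonical_order(aces), token, want)

    return {
        "inherited_deny_only": check([inh_read, inh_deny], WRITE),
        "explicit_allow_vs_inherited_deny": check([inh_deny, inh_read, exp_allow], WRITE),
        "explicit_deny_vs_explicit_allow": check([exp_allow, exp_deny], WRITE),
        "no_matching_ace": check([inh_read], WRITE),
        "read_with_inherited_write_deny": check([inh_read, inh_deny], READ),
    }

if __name__ == "__main__":
    for name, granted in scenarios().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

Within the same inheritance level a deny still wins over an allow; only an explicit entry placed on the object itself is evaluated ahead of an inherited deny.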

