Re: Apply Group policy to all domain users but not users in group "a"

"Mark Heitbrink [MVP]" <spam-only@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OJda7T2uFHA.1256@xxxxxxxxxxxxxxxxxxxxxxx
> Hi,
>
> Kerry Brown wrote:
>> What happens if a member of the tech group is also a member of a group
>> that has read and apply permission? The only way I have been able to do
>> this is with deny which always trumps everything else. Am I doing
>> something wrong?
>
> You are right. But your example works vice versa ...
> What happens if you want to apply the settings and the user
> is a member of a group where you deny it ... ;-)
>
> It's just a case of how you like to work. I try to work as little
> as possible with deny, because IMHO it is the better way.
> If a User/Group doesn't even have the permission on a Share, NTFS
> or DSACLs, then I don't have to deny it. I think that makes the
> situation a little bit simpler.
>
> It's a question of your OU structure in AD and how the default
> inheritance and the scope of your GPO are.
> A lot of OUs prevent you from using "deny", but it makes the
> structure even more complex.
> You have to find your golden mean by yourself ;-)
>

I agree that deny should be used sparingly. I have never had to use it for
file permissions for sharing. Group policy is the only place I've ever had
to use it. Even then it was only in one case where loopback processing was
involved.

Kerry
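
Added example, not part of either poster's message: a simplified Python model of GPO security filtering that compares the two approaches discussed above (granting Read/Apply only to chosen groups versus adding a deny entry) for a user with overlapping group membership. The user names and the "Sales" group are constructed, and the model assumes a flat list of explicit ACEs with nested groups already expanded.

```python
from dataclasses import dataclass

READ, APPLY = "Read", "Apply Group Policy"
NEEDED = {READ, APPLY}  # a GPO is processed only if both are granted

@dataclass(frozen=True)
class Ace:
    kind: str          # "allow" or "deny"
    trustee: str       # group named by the ACE
    rights: frozenset  # subset of NEEDED

def gpo_applies(dacl, user_groups):
    """Simplified access check: any matching deny beats any matching allow."""
    allowed, denied = set(), set()
    for ace in dacl:
        if ace.trustee in user_groups:
            (denied if ace.kind == "deny" else allowed).update(ace.rights)
    return NEEDED <= allowed and not (NEEDED & denied)

# Constructed users; carol is the overlapping-membership case from the thread.
USERS = {
    "alice": {"Authenticated Users", "Sales"},
    "bob":   {"Authenticated Users", "Tech"},
    "carol": {"Authenticated Users", "Sales", "Tech"},
}

# Approach 1: no deny. Authenticated Users is removed from the filter and
# only the groups that should receive the policy get Read + Apply.
ALLOW_ONLY = [Ace("allow", "Sales", frozenset(NEEDED))]

# Approach 2: everyone is allowed, the Tech group is denied Apply.
WITH_DENY = [
    Ace("allow", "Authenticated Users", frozenset(NEEDED)),
    Ace("deny", "Tech", frozenset({APPLY})),
]

def compare():
    """Return {user: (applies under allow-only, applies under deny)}."""
    return {
        name: (gpo_applies(ALLOW_ONLY, groups), gpo_applies(WITH_DENY, groups))
        for name, groups in USERS.items()
    }

if __name__ == "__main__":
    for name, (allow_only, with_deny) in compare().items():
        print(f"{name:6} allow-only={allow_only!s:5} with-deny={with_deny}")
```

The two designs disagree only for carol: allow-only filtering applies the policy to her through her second group, while the deny entry blocks it regardless of her other memberships.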

