Re: Conflicting AD groups


Within SQL Server, rights are additive. This means that the sum of rights granted to all groups (with rights to SQL Server) for a particular login are applied. This sums both GRANT and DENY, with DENY overriding any GRANTs for the same permission.

Here are articles:

And (off topic) an interesting follow-on about properties (as opposed to permissions) being assigned to groups.


"JRStern" <JRStern@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:414E90D7-22E1-41E0-BCB2-8886DF7D953F@xxxxxxxxxxxxxxxx
I'm not a security guy, don't know if this is a simple or complex question,
but it seems it would be common.

We're setting up a new environment where most SQL Server security will be by
the Active Directory group membership a Windows login has. If a login is in
several groups with different levels of privileges, how is this resolved?
Pointing to a KB article would be fine.
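
An added illustration of the additive-rights rule described in the reply above (not part of either poster's message): a T-SQL script that resolves one principal's permissions across two groups, one granting and one denying. It assumes two database roles as stand-ins for the AD groups, since a stand-alone script cannot create domain groups; all names (PermDemo, dbo.Payroll, grp_Readers, grp_Contractors, demo_user) are constructed.

```sql
-- Constructed demo. Assumption: database roles stand in for AD groups;
-- permissions from roles and from Windows groups are combined the same way.
CREATE DATABASE PermDemo;
GO
USE PermDemo;
GO
CREATE TABLE dbo.Payroll (id int PRIMARY KEY, salary money);
CREATE ROLE grp_Readers;       -- stand-in for an AD group with read/write access
CREATE ROLE grp_Contractors;   -- stand-in for an AD group that is locked out of reads
CREATE USER demo_user WITHOUT LOGIN;
ALTER ROLE grp_Readers     ADD MEMBER demo_user;
ALTER ROLE grp_Contractors ADD MEMBER demo_user;
GO

-- One group grants, the other denies the same permission (SELECT).
GRANT SELECT, INSERT ON dbo.Payroll TO grp_Readers;
DENY  SELECT         ON dbo.Payroll TO grp_Contractors;
GO

-- List every GRANT/DENY that reaches demo_user and the group it arrives through.
SELECT r.name AS via_group, p.state_desc, p.permission_name
FROM sys.database_role_members AS m
JOIN sys.database_principals  AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals  AS u ON u.principal_id = m.member_principal_id
JOIN sys.database_permissions AS p ON p.grantee_principal_id = r.principal_id
WHERE u.name = N'demo_user'
  AND p.major_id = OBJECT_ID(N'dbo.Payroll')
ORDER BY p.permission_name, p.state_desc;

-- Ask the engine for the effective result while impersonating the user.
-- SELECT has both a GRANT and a DENY (the DENY wins); INSERT has only a GRANT.
EXECUTE AS USER = N'demo_user';
SELECT HAS_PERMS_BY_NAME(N'dbo.Payroll', N'OBJECT', N'SELECT') AS can_select,
       HAS_PERMS_BY_NAME(N'dbo.Payroll', N'OBJECT', N'INSERT') AS can_insert;
REVERT;
GO

-- Clean up the demo database.
USE master;
GO
DROP DATABASE PermDemo;
GO
```

For a real Windows login, the group memberships SQL Server evaluates can be inspected with `sys.login_token` while impersonating that login.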