Re: NTFS Deny not Working STRANGE
From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 10/01/05
Date: Sat, 1 Oct 2005 07:15:22 -0700
As Steve indicated, the problem is likely in your statement
> The deny is supposed to override everything else but
> for some reason it is not working.
An ACL is composed of ACEs which are supposed to be ordered:
Explicit deny(s)
Explicit grant(s)
Inherited deny(s)
Inherited grant(s)
Think of the list as being walked in that order, and the processing
stopping as soon as it is known that the principal will or will not
have the requested permissions - and the semantics is that if
there is an explicit grant of what is requested, then it does not
matter if the same is denied by inheritance.
So, it is not that deny overrides everything else, but that deny
overrides the same type of grant.
--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4

"Elizabeth Strachan" <ElizabethStrachan@discussions.microsoft.com> wrote in message
news:FFF115A9-0B0E-47BB-B615-666EF49932DF@microsoft.com...
> To anyone who can help,
>
> I am having the strangest problem with a Windows 2003 Server.
> Long story short we have to let some software developers TS into one of our
> servers but the server also has company data on it that we don't want them to
> access. The data is on a separate partition from anything else. My answer
> was thus:
> 1. Create Domain Local Security Group
> 2. Deny Full Access at the root of the partition to the Group
> 3. Add users to the group.
>
> Normally I would expect this to work but it does not. The deny is supposed
> to override everything else but for some reason it is not working.
>
> Here the strangeness continues:
> If I Logon as the user and double click on the partition it says "No Access"
> as expected but I can then do a D:\Some Folder on it and it all works fine.
> They can then open documents and explore as they like.
>
> I have gone into Advanced and reset permissions on files and folders. I
> have gone into effective permissions and when I choose the group it says no
> permission, when I choose one of the users it says Full Control. I have
> removed and re-added the group to the user. The user has no special user
> rights - we made a special group that had TS access but no ability to
> shutdown/restart etc. so they are not system administrators.
>
> The server is Windows 2003 SP1 and the only thing special about it is that
> we have loaded the patch to hide folders via shares that users have no
> permissions to.
>
> I can't seem to find anyone else with the same problem so I am at a loss to
> fix it? I can specifically deny it for that specific user and it works but
> this will create us a lot of maintenance in the long run.
>
> Does anyone have any ideas?
>
> Sincerely,
> Elizabeth
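
The ACE ordering and first-decision walk described in the reply above, as an added Python sketch that is not part of the original thread. The rights bits, principal names (dev1, DevGroup, Users) and the two sample ACLs are constructed for illustration and are not real NTFS access masks or SIDs.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2   # simplified rights bits (constructed, not real NTFS masks)

@dataclass(frozen=True)
class Ace:
    kind: str         # "deny" or "allow"
    principal: str    # user or group name standing in for a SID
    mask: int
    inherited: bool = False

def canonical_order(aces):
    """Sort into: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(dacl, token, desired):
    """Walk the ACEs in order and stop as soon as the outcome is known."""
    remaining = desired
    for ace in dacl:
        if ace.principal not in token:
            continue                # ACE does not apply to this logon
        if ace.kind == "deny" and ace.mask & remaining:
            return False            # a still-needed right is denied
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True         # everything requested has been granted
    return False                    # nothing granted the rest: implicit deny

# Constructed scenario: a deny set at the partition root for the group is
# inherited by a subfolder that also carries an explicit allow for Users.
TOKEN = {"dev1", "DevGroup", "Users"}
SUBFOLDER = canonical_order([
    Ace("deny", "DevGroup", READ | WRITE, inherited=True),
    Ace("allow", "Users", READ),
])
ROOT = canonical_order([
    Ace("allow", "Users", READ),
    Ace("deny", "DevGroup", READ | WRITE),
])

def demo():
    return {
        "subfolder_read": access_check(SUBFOLDER, TOKEN, READ),    # explicit allow is reached first
        "subfolder_write": access_check(SUBFOLDER, TOKEN, WRITE),  # only the inherited deny covers WRITE
        "root_read": access_check(ROOT, TOKEN, READ),              # explicit deny sorts ahead of explicit allow
    }

if __name__ == "__main__":
    print(demo())
```

When auditing a real folder, the same question applies: look for an explicit allow on the child that matches any group in the user's token before assuming an inherited deny is effective.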