Re: NTFS Deny not Working STRANGE

From: Elizabeth Strachan (ElizabethStrachan_at_discussions.microsoft.com)
Date: 10/05/05


Date: Tue, 4 Oct 2005 16:13:04 -0700

First off - thanks for all the good input. I have done and studied every MS
exam text since NT4 and never did I once realise that an explicit allow
overrides an inherited deny. I always thought that a deny killed everything.

Secondly - I checked the explicit/inherited dilemma and at the folder level
and below where the data is there are only inherited permissions for both the
allow and deny so it should not be a problem?

I would rather not be giving these guys direct access to the server but it
is out of my hands because they are writing an app that plugs into the line
of business application. This customer is a small business so they do not
have spare servers kicking around.

I too am a firm believer in never using deny permissions and just not
allowing but in this particular instance I felt it would be far, far easier
just to deny access to a certain partition because we wanted them to have
access to everything else. I guess I was wrong and I will now probably need
to spend hours reconfiguring the permissions to make it work how we want.

"Roger Abell [MVP]" wrote:

> I forgot to add . . .
> For this reason, and the all too easily confusing situations that can
> arise, I highly recommend analyzing storage for a restructure that
> avoids use of deny wherever possible.
>
> --
> Roger Abell
> Microsoft MVP (Windows Server : Security)
> MCDBA, MCSE W2k3+W2k+Nt4
> "Elizabeth Strachan" <ElizabethStrachan@discussions.microsoft.com> wrote in
> message news:FFF115A9-0B0E-47BB-B615-666EF49932DF@microsoft.com...
> > To anyone who can help,
> >
> > I am having the strangest problem with a Windows 2003 Server.
> > Long story short we have to let some software developers TS into one of our
> > servers but the server also has company data on it that we don't want them to
> > access. The data is on a separate partition from anything else. My answer
> > was thus:
> > 1. Create Domain Local Security Group
> > 2. Deny Full Access at the root of the partition to the Group
> > 3. Add users to the group.
> >
> > Normally I would expect this to work but it does not. The deny is supposed
> > to override everything else but for some reason it is not working.
> >
> > Here the strangeness continues:
> > If I Logon as the user and double click on the partition it says "No Access"
> > as expected but I can then do a D:\Some Folder on it and it all works fine.
> > They can then open documents and explore as they like.
> >
> > I have gone into Advanced and reset permissions on files and folders. I
> > have gone into effective permissions and when I choose the group it says no
> > permission, when I choose one of the users it says Full Control. I have
> > removed and re-added the group to the user. The user has no special user
> > rights - we made a special group that had TS access but no ability to
> > shutdown/restart etc. so they are not system administrators.
> >
> > The server is Windows 2003 SP1 and the only thing special about it is that
> > we have loaded the patch to hide folders via shares that users have no
> > permissions to.
> >
> > I can't seem to find anyone else with the same problem so I am at a loss to
> > fix it? I can specifically deny it for that specific user and it works but
> > this will create us a lot of maintenance in the long run.
> >
> > Does anyone have any ideas?
> >
> > Sincerely,
> > Elizabeth
>
>
>
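
The precedence rule discussed in this thread (an explicit allow is evaluated before an inherited deny), as a simplified model added here; it is not code from either poster. The access-mask bits and the names `DevGroup`, `Users` and `dev1` are constructed, and inherited ACEs from all parent levels are collapsed into a single tier.

```python
from dataclasses import dataclass

# Simplified access bits for this model (constructed, not the Windows mask values).
READ, WRITE, FULL = 0x1, 0x2, 0x3

@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    trustee: str     # user or group the ACE applies to
    mask: int        # access bits covered by the ACE
    inherited: bool  # True if the ACE came from a parent (e.g. the D:\ root)

def canonical_order(aces):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(aces, token, desired):
    """Walk the ACEs in order; the first ACE that decides a requested bit wins."""
    remaining = desired
    for ace in canonical_order(aces):
        if ace.trustee not in token:
            continue                      # ACE is for someone not in the token
        if ace.kind == "deny" and ace.mask & remaining:
            return False                  # a still-needed bit is denied
        if ace.kind == "allow":
            remaining &= ~ace.mask        # these bits are now granted
            if remaining == 0:
                return True
    return False                          # bits never granted: implicit deny

def demo():
    token = {"dev1", "DevGroup", "Users"}             # constructed logon token
    inherited_only = [
        Ace("deny", "DevGroup", FULL, inherited=True),   # deny set at partition root
        Ace("allow", "Users", FULL, inherited=True),
    ]
    # Same folder, plus an allow set directly on it (explicit, not inherited).
    with_explicit = inherited_only + [Ace("allow", "Users", READ, inherited=False)]
    return {
        "inherited_only_read": access_check(inherited_only, token, READ),
        "explicit_allow_read": access_check(with_explicit, token, READ),
        "explicit_allow_write": access_check(with_explicit, token, WRITE),
    }

if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'granted' if granted else 'denied'}")
```

With only inherited ACEs the deny is reached first and blocks the request; once an explicit allow for the same bits exists on the folder, it is evaluated earlier and the inherited deny only affects bits the explicit ACE did not grant.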


