Re: "access denied" for members of Administrators, stand-alone server




"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:u3GcAsJtHHA.4424@xxxxxxxxxxxxxxxxxxxxxxx
Users group often includes Authenticated Users (which means any user
or computer account that authenticated to gain a login type session) as
Al indicated, and also often includes INTERACTIVE (which means
any account login session based on the local login user right).

Yes, that was also the case for me.

So the account may have been indirectly a member of Administrators.

I think you mean "of users"...

When you added a grant on the directory for Administrators Full Control,
if the deny for Users was still in effect (you said you blocked inheritance)
then the explicit grant added would have overridden the inherited deny
for Administrators members.

Are you sure of that? I had thought that the effective permissions on an
object are there as surely by indirect membership in related security groups
as is the case for direct membership. If user U is in group A that is
allowed access to a resource, and also in group D that is denied, then the
deny wins and user U has no access. If this were not the case then there
would be no point in having a deny access possibility, as the only way to
deny access would be to not grant it in the first place. If the user is
taken out of group D, added to group DD, and group DD is added to group D,
he should still not be able to access the resource.

If, as you say his direct membership in a group that is allowed access were
to override his indirect membership in a group denied access, then we have a
case where group nesting does not work as expected.

And what would happen if he were removed from A, added to AA, with AA being
added as a member of A - indirect membership in an allowed group and a
denied group? Will it then be a case of determining the most direct
membership?

/Al

Roger

"Larry" <nobody@xxxxxxxx> wrote in message
news:137lu2cd1vtvt78@xxxxxxxxxxxxxxxxxxxxx
I got this working: 1) uncheck "Allow inheritable permissions from parent
to propagate to this object." under Advanced and choosing to remove all
permissions from that directory structure, 2) Add Full Control to
Administrators.

But I am still mystified as to why the first approach did not work...

Larry
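
The evaluation order discussed in this thread can be modelled in a few lines. This is an added example, not code from any of the posters: a simplified Python model of the Windows DACL walk that ignores owner rights, privileges and generic-right mapping. The group names U, A, AA, D and DD are the thread's hypothetical letters, and the memberships are constructed.

```python
from dataclasses import dataclass

FULL_CONTROL = 0x1F01FF   # FILE_ALL_ACCESS
GENERIC_READ = 0x120089   # FILE_GENERIC_READ

@dataclass(frozen=True)
class Ace:
    kind: str               # "allow" or "deny"
    trustee: str
    mask: int
    inherited: bool = False

def canonical(aces):
    # Canonical DACL order: explicit deny, explicit allow, inherited deny, inherited allow.
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))

def token_groups(user, members):
    # Flatten direct and nested membership into one set, as a logon token does;
    # nothing records how "direct" a membership was.
    sids, todo = {user}, [user]
    while todo:
        who = todo.pop()
        for group, contents in members.items():
            if who in contents and group not in sids:
                sids.add(group)
                todo.append(group)
    return sids

def access_check(sids, dacl, desired):
    # Walk ACEs in stored order; the first deny hitting a still-needed bit refuses,
    # and the walk stops with success once every requested bit has been allowed.
    remaining = desired
    for ace in dacl:
        if ace.trustee not in sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False            # bits never granted: implicit deny

# Constructed memberships using the thread's letters: U is only indirectly in A and D.
MEMBERS = {"A": {"AA"}, "AA": {"U"}, "D": {"DD"}, "DD": {"U"}}

def evaluate(deny_inherited, allow_inherited):
    dacl = canonical([Ace("allow", "A", FULL_CONTROL, allow_inherited),
                      Ace("deny", "D", FULL_CONTROL, deny_inherited)])
    return access_check(token_groups("U", MEMBERS), dacl, GENERIC_READ)
```

`evaluate(True, False)` models an explicit allow sitting above an inherited deny, while `evaluate(False, False)` and `evaluate(True, True)` model both entries at the same level.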




