Re: "access denied" for members of Administrators, stand-alone server
- From: "Al Dunbar" <AlanDrub@xxxxxxxxxxxxxxxxxxx>
- Date: Mon, 25 Jun 2007 18:45:05 -0600
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:OZCBcp0tHHA.3588@xxxxxxxxxxxxxxxxxxxxxxx
"Al Dunbar" <AlanDrub@xxxxxxxxxxxxxxxxxxx> wrote in message
news:%23bBN9DrtHHA.4424@xxxxxxxxxxxxxxxxxxxxxxx
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:u3GcAsJtHHA.4424@xxxxxxxxxxxxxxxxxxxxxxx
Users group often includes Authenticated Users (which means any user
or computer account that authenticated to gain a login type session) as
Al indicated, and also often includes INTERACTIVE (which means
any account login session based on the local login user right).
Yes, that was also the case for me.
So the account may have been indirectly a member of Administrators.
I think you mean "of users"...
Yes, good catch, thank you.
Somehow I am not as good at catching my own mistakes ;-)
When you added a grant on the directory for Administrators Full Control,
if the deny for Users was still in effect (you said you blocked
inheritance)
then the explicit grant added would have overridden the inherited deny
for Administrators members.
Are you sure of that?
Yes. See below.
I had thought that the effective permissions on an object are there as
surely by indirect membership in related security groups as is the case
for direct membership. If user U is in group A that is allowed access to
a resource, and also in group D that is denied, then the deny wins and
user U has no access. If this were not the case then there would be no
point in having a deny access possibility, as the only way to deny access
would be to not grant it in the first place. If the user is taken out of
group D, added to group DD, and group DD is added to group D, he should
still not be able to access the resource.
If, as you say his direct membership in a group that is allowed access
were to override his indirect membership in a group denied access, then
we have a case where group nesting does not work as expected.
And what would happen if he were removed from A, added to AA, with AA
being added as a member of A - indirect membership in an allowed group
and a denied group? Will it then be a case of determining the most direct
membership?
It is not a matter of direct membership compared to indirect (ex. via
Authenticated Users in Users). Rather it is a matter of the Deny being
set on the parent, and the Allow on the child. Hence the Deny would
be inherited onto the child, which has an explicit grant. When there is
a conflict, explicit grant overrules inherited deny. That is what I was
saying.
Thanks. I guess I didn't read as carefully as I should have...
/Al
if the deny for Users was still in effect (you said you blocked
inheritance)
then the explicit grant added would have overridden the inherited deny
for Administrators members
Roger
"Larry" <nobody@xxxxxxxx> wrote in message
news:137lu2cd1vtvt78@xxxxxxxxxxxxxxxxxxxxx
I got this working: 1) uncheck "Allow inheritable permissions from
parent to propagate to this object." under Advanced and choosing to
remove all permissions from that directory structure, 2) Add Full
Control to Administrators.
But I am still mystified as to why the first approach did not work...
Larry
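
Added example, not written by any of the posters: a simplified Python model of how an access check walks a DACL in canonical order (explicit deny, explicit allow, inherited deny, inherited allow), which is why the explicit grant on the child beats the deny inherited from the parent. Group names stand in for SIDs, and the two-bit mask, the `Ace` type and the function names are assumptions made for the illustration.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2
FULL = READ | WRITE  # simplified stand-in for Full Control

@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    trustee: str     # group name, standing in for a SID
    mask: int        # access bits covered by this ACE
    inherited: bool  # True if the ACE came down from a parent object

def canonical_order(aces):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(token_groups, dacl, desired):
    """Walk ACEs in order; the first ACE to decide a requested bit wins."""
    remaining = desired
    for ace in canonical_order(dacl):
        if ace.trustee not in token_groups:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False            # a still-needed bit is denied
        if ace.kind == "allow":
            remaining &= ~ace.mask  # these bits are now granted
        if remaining == 0:
            return True
    return False  # bits never granted are implicitly denied

# The token is a flat set: membership in Users via Authenticated Users or
# INTERACTIVE counts exactly like direct membership (constructed sample).
ADMIN_TOKEN = {"Administrators", "Users", "Authenticated Users", "INTERACTIVE"}

def thread_scenario():
    # Deny for Users inherited from the parent, explicit Allow on the child.
    dacl = [Ace("deny", "Users", FULL, inherited=True),
            Ace("allow", "Administrators", FULL, inherited=False)]
    return access_check(ADMIN_TOKEN, dacl, READ)

def same_level_scenario():
    # Both ACEs explicit on the same object: deny is evaluated first.
    dacl = [Ace("allow", "Administrators", FULL, inherited=False),
            Ace("deny", "Users", FULL, inherited=False)]
    return access_check(ADMIN_TOKEN, dacl, READ)
```

`thread_scenario()` returns `True` and `same_level_scenario()` returns `False`: the outcome depends on whether each ACE is explicit or inherited, not on how directly the account belongs to the group.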