Re: Unexpected security restriction for a user in both a user and administrative group.
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Thu, 24 Apr 2008 19:53:13 -0700
"ScottS" <scotts002@xxxxxxxxxxx> wrote in message
news:105d8423-ae31-447c-a382-f3ea4020c3e7@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Simple question: is there a document that describes how Windows folder
and file security works for a user that is in both a low-security
group and a high-security group?
I've had unexpected results when I've accidentally grouped myself into
both the local "Users" and local "Administrators" groups. The
limitations of the "Users" group are sometimes enforced even though
I'm in the "Administrators" group.
--ScottS
The answer might reside in why you said limitations of Users.
The rules are fairly simple. A principle gets the sum of all
that is granted to it in any way, direct or via groups and their
nesting. However, if there are any denies these reduce the
granted unless the grant is closer in the inheritance chain
than the deny. Ex. Admins have Full but Users are denied
write and these are set at the same place, then a member of
both has everything except write. If there is a grant at a lower
directory the reestablishes the write for the account then the
earlier inherited deny is nullified.
Roger
.
- Follow-Ups:
- References:
- Prev by Date: Unexpected security restriction for a user in both a user and administrative group.
- Next by Date: Re: Is there malware on my Server?
- Previous by thread: Unexpected security restriction for a user in both a user and administrative group.
- Next by thread: Re: Unexpected security restriction for a user in both a user and administrative group.
- Index(es):
