Access restriction

  • Access restriction

    Hi.
    Is there any way to grant access to a file to a user that is in a group that has no access to that file?
    Windows Server 2012 R2.

  • #2
    Yes - as long as the group is not denied, an allow for a user will beat the implicit deny for the rest of the world

    Note better practice is to create a new group and give permission to the group, even if it just has one member
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Access to this file for this group is denied. So there is no way to grant access to file for a user from this group?
      Maybe using PowerShell?
      Last edited by plocienm; 23rd May 2016, 14:12.


      • #4
        Is this an Explicit Deny (deny column ticked in permissions) or an Implicit (no tick in Allow Column)?

        If Explicit, that beats all allows - and therefore should almost never be used
        Tom Jones

        • #5
          Explicit Deny...
          Any idea how to beat it? Or is it impossible?
          Task is to grant a single user access to a file that is in a group that has Explicit Deny to that file.
          Last edited by plocienm; 23rd May 2016, 22:03.


          • #6
            By design, that's not possible.

            Negative permissions always take precedence over "Allow" permissions, which is why negative permissions should be used sparingly, if at all.


            • #7
              Do you really need the explicit deny?
              If the group is denied because of an inherited allow permission, just break inheritance and remove the allow - the implicit deny will kick in and then you can allow the user access

              I have to say, I can probably count the number of times I have had to use an explicit deny without removing my mittens. Whenever I have seen them used, it means a poorly thought out permission model.
              Tom Jones

              • #8
                Originally posted by Ser Olmy:
                By design, that's not possible.

                Negative permissions always take precedence over "Allow" permissions, which is why negative permissions should be used sparingly, if at all.

                That's not technically correct. An explicit Allow overrides an inherited Deny. Here's a link to permissions precedence. - http://www.ntfs.com/ntfs-permissions-precedence.htm


                • #9
                  Originally posted by joeqwerty:

                  That's not technically correct. An explicit Allow overrides an inherited Deny. Here's a link to permissions precedence. - http://www.ntfs.com/ntfs-permissions-precedence.htm

                  Correct. Not many people know that...
                  Cheers,

                  Daniel Petri
                  Microsoft Most Valuable Professional - Active Directory Directory Services
                  MCSA/E, MCTS, MCITP, MCT
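
The precedence the thread arrives at (explicit Deny, then explicit Allow, then inherited Deny, then inherited Allow, with an implicit deny when nothing matches) can be checked with a small model. This is an added example, not part of any post above; it simplifies the Windows access check, and the names `alice` and `Staff` and the `READ`/`WRITE` bits are constructed for illustration.

```python
# Simplified model of how Windows evaluates an NTFS DACL (added illustration).
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # constructed rights bits, not the real FILE_* masks

@dataclass(frozen=True)
class Ace:
    trustee: str     # user or group name, standing in for a SID
    allow: bool      # True = Allow ACE, False = Deny ACE
    rights: int      # bitmask of rights the ACE covers
    inherited: bool  # True if the ACE comes from a parent folder

def canonical(dacl):
    """Canonical order: explicit deny, explicit allow, inherited deny,
    inherited allow (distance between ancestors is not modelled)."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))

def access_check(dacl, token, wanted):
    """token = the user's name plus every group the user belongs to."""
    remaining = wanted
    for ace in canonical(dacl):
        if ace.trustee not in token or not ace.rights & remaining:
            continue
        if not ace.allow:
            return False          # deny ACE reached before the right was granted
        remaining &= ~ace.rights  # allow ACE grants these rights
        if not remaining:
            return True           # everything requested has been granted
    return False                  # no ACE granted it: implicit deny

ALICE = {"alice", "Staff"}        # constructed user and group names
SCENARIOS = {
    "no ACE for group, explicit allow for user":
        [Ace("alice", True, READ, False)],
    "explicit deny for group, explicit allow for user":
        [Ace("alice", True, READ, False), Ace("Staff", False, READ, False)],
    "inherited deny for group, explicit allow for user":
        [Ace("Staff", False, READ, True), Ace("alice", True, READ, False)],
    "inherited deny for group, inherited allow for user":
        [Ace("alice", True, READ, True), Ace("Staff", False, READ, True)],
}

def evaluate_all():
    return {name: access_check(d, ALICE, READ) for name, d in SCENARIOS.items()}

if __name__ == "__main__":
    for name, granted in evaluate_all().items():
        print("ALLOW" if granted else "DENY ", name)
```

Only the second and fourth scenarios deny the user: a deny on the group wins when it sits in the same tier as the user's allow, and loses when the allow is explicit and the deny is inherited.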
