plocienmMemberMay 23, 2016 at 3:10 am #166385
Is there any way to grant access to a file to user that is in a group that has no access to that file?
Windows Server 2012 R2.May 23, 2016 at 5:38 am #191248
Yes – as long as the group is not denied, an allow for a user will beat the implicit deny for the rest of the world
Note better practice is to create a new group and give permission to the group, even if it just has one member
cherrychuaMemberMay 23, 2016 at 7:04 am #391370
Access to this file for this group is denied. So there is no way to grant access to file for a user from this group?
Maybe using PowerShell?May 23, 2016 at 7:38 am #191249
Is this an Explicit Deny (deny column ticked in permissions) or an Implicit (no tick in Allow Column)?
If Explicit, that beats all allows – and therefore should almost never be used
cherrychuaMemberMay 23, 2016 at 3:00 pm #391371
Any idea how to beat it? Or is it impossible?
Task is to grant a single user access to a file that is in a group that has Explicit Deny to that file.
universalMemberMay 23, 2016 at 3:19 pm #388829
By design, that’s not possible.
Negative permissions always take precedence over “Allow” permissions, which is why negative permissions should be used sparingly, if at all.May 24, 2016 at 12:33 am #191250
Do you really need the explicit deny?
If the group is denied because of an inherited allow permission, just break inheritance and remove the allow – the implicit deny will kick in and then you can allow the user access
I have to say, I can probably count the number of times I have had to use an explicit deny without removing my mittens :twisted: Whenever I have seen them used, it means a poorly thought out permission model
joeqwertyModeratorMay 24, 2016 at 9:56 am #304536Ser Olmy;n505791 wrote:By design, that’s not possible.
Negative permissions always take precedence over “Allow” permissions, which is why negative permissions should be used sparingly, if at all.
That’s not technically correct. An explicit Allow overrides and inherited Deny. Here’s a link to permissions precedence. – http://www.ntfs.com/ntfs-permissions-precedence.htm
danielpParticipantMay 24, 2016 at 1:40 pm #172719joeqwerty;n505802 wrote:That’s not technically correct. An explicit Allow overrides and inherited Deny. Here’s a link to permissions precedence. – http://www.ntfs.com/ntfs-permissions-precedence.htm
Correct. No many people know that…:smile:
You must be logged in to reply to this topic.