Access restriction

This topic contains 8 replies, has 6 voices, and was last updated by cherrychua 3 years, 10 months ago.

    plocienm
    Member
    #166385

    Hi.
    Is there any way to grant access to a file to a user that is in a group that has no access to that file?
    Windows Server 2012 R2.

    Ossian
    Moderator
    #191248

    Yes – as long as the group is not denied, an allow for a user will beat the implicit deny for the rest of the world.

    Note: better practice is to create a new group and give permission to the group, even if it just has one member.

    cherrychua
    Member
    #391370

    Access to this file for this group is denied. So there is no way to grant access to file for a user from this group?
    Maybe using PowerShell?

    Ossian
    Moderator
    #191249

    Is this an Explicit Deny (deny column ticked in permissions) or an Implicit (no tick in Allow Column)?

    If Explicit, that beats all allows – and therefore should almost never be used.

    cherrychua
    Member
    #391371

    Explicit Deny…
    Any idea how to beat it? Or is it impossible?
    Task is to grant a single user access to a file that is in a group that has Explicit Deny to that file.

    universal
    Member
    #388829

    By design, that’s not possible.

    Negative permissions always take precedence over “Allow” permissions, which is why negative permissions should be used sparingly, if at all.

    Ossian
    Moderator
    #191250

    Do you really need the explicit deny?
    If the group is denied because of an inherited allow permission, just break inheritance and remove the allow – the implicit deny will kick in and then you can allow the user access

    I have to say, I can probably count the number of times I have had to use an explicit deny without removing my mittens :twisted: Whenever I have seen them used, it means a poorly thought-out permission model.

    joeqwerty
    Moderator
    #304536
    Ser Olmy;n505791 wrote:
    By design, that’s not possible.

    Negative permissions always take precedence over “Allow” permissions, which is why negative permissions should be used sparingly, if at all.

    That’s not technically correct. An explicit Allow overrides an inherited Deny. Here’s a link to permissions precedence. – http://www.ntfs.com/ntfs-permissions-precedence.htm

    danielp
    Participant
    #172719
    joeqwerty;n505802 wrote:
    That’s not technically correct. An explicit Allow overrides an inherited Deny. Here’s a link to permissions precedence. – http://www.ntfs.com/ntfs-permissions-precedence.htm

    Correct. Not many people know that…:smile:
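
The cases argued over in this thread (implicit deny, explicit Deny, inherited Deny) can be compared side by side with a small model of how a DACL is evaluated. This is an added example, not code from any poster and not Windows' own implementation: it assumes a single constructed "read" right, one level of inheritance, and made-up names ("alice", "Staff", "Bob").

```python
from dataclasses import dataclass

READ = 0x1  # constructed single-bit right; real NTFS access masks have many bits

@dataclass(frozen=True)
class Ace:
    trustee: str      # user or group name (hypothetical)
    allow: bool       # True = Allow ACE, False = explicit Deny ACE
    inherited: bool   # True if the ACE came from a parent folder
    mask: int = READ

def canonical(dacl):
    """Canonical ACE order: explicit deny, explicit allow,
    inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))

def access_check(dacl, token, wanted=READ):
    """Walk the DACL in order. A matching deny of a still-wanted bit fails the
    request; access is granted once every wanted bit has been allowed."""
    remaining = wanted
    for ace in canonical(dacl):
        if ace.trustee not in token or not (ace.mask & remaining):
            continue
        if not ace.allow:
            return False          # deny reached before the bits were granted
        remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False                  # no matching ACE: implicit deny

# Constructed token: the user plus the group the user belongs to.
TOKEN = {"alice", "Staff"}

def scenarios():
    return {
        # Group has no ACE at all; the user gets an explicit allow.
        "implicit deny + user allow": access_check(
            [Ace("alice", True, False)], TOKEN),
        # Deny ticked for the group on the file itself.
        "explicit group deny + user allow": access_check(
            [Ace("Staff", False, False), Ace("alice", True, False)], TOKEN),
        # Deny arrives from the parent folder; allow is set on the file.
        "inherited group deny + user allow": access_check(
            [Ace("Staff", False, True), Ace("alice", True, False)], TOKEN),
        "no matching ACE": access_check([Ace("Bob", True, False)], TOKEN),
    }

if __name__ == "__main__":
    for name, granted in scenarios().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The result depends on where the Deny ACE lives, not only on the fact that it is a Deny: set directly on the file it is evaluated before the user's Allow, while a Deny inherited from the parent is evaluated after it.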
