Q

How do I resolve this conflicting permissions scenario?

The human resources department is having a problem accessing a folder. HR wants only members of the HR group to access this folder. Someone in the HR department tried to create the folder and assigned the following permissions:
Human Resources -- Allow Full Control
Domain Users -- Deny Full Control

Tom is a member of Human Resources; however, he cannot access the folder. How can you grant Tom access to the folder?

I agree -- this sounds like the infamous "a train leaves the station going 120 miles an hour. Another train leaves another station..." but this solution is much less difficult. You just need to know some basic Windows facts.

First, remember that deny wins over allow. If one permission grants me access, and another takes it away, the take-it-away wins. Permissions apply to us either because they are assigned to us directly or because we are members of groups that are given permissions. So Tom, who is a member of Human Resources, is also a member of Domain Users -- the allow permission is negated by the deny. And, nope, you can't remove him from Domain Users. All users with a domain account are just naturally members of this group.

There is a solution though. Windows also works this way: if you are not given permission, you have no permission. That is, unless domain users are given access to the folder, they have no rights there. There is an implicit denial. So IT should remove the Domain Users group from the ACL (access control list) and leave in Human Resources. Tom will be able to access the folder, as will other members in the group, but no others will. This is very simple to test. IT should set it up, test it and then go take a lesson in basic Windows security features.

This was first published in January 2003
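
The evaluation described in the answer, modeled as an added example that is not part of the original answer: a simplified version of the Windows access check that walks the ACEs in order, with explicit denies sorted ahead of allows as the standard tools store them. Group names stand in for SIDs, and the user Alice and both tokens are constructed for illustration.

```python
from dataclasses import dataclass

FULL_CONTROL = 0x1F01FF  # FILE_ALL_ACCESS mask
READ = 0x120089          # FILE_GENERIC_READ mask

@dataclass(frozen=True)
class Ace:
    kind: str       # "allow" or "deny"
    trustee: str    # group or user name (stands in for a SID)
    mask: int

def canonical(aces):
    """Explicit ACEs in canonical order: every deny before any allow."""
    return sorted(aces, key=lambda a: a.kind != "deny")

def access_check(token_groups, dacl, desired):
    """Walk the DACL in order and decide the requested rights."""
    remaining = desired
    for ace in dacl:
        if ace.trustee not in token_groups:
            continue                      # ACE does not apply to this caller
        if ace.kind == "deny" and ace.mask & remaining:
            return False                  # a still-needed right is denied
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True               # every requested right granted
    return False                          # nothing granted it: implicit deny

# Constructed tokens: every domain account carries Domain Users.
TOM = {"Tom", "Domain Users", "Human Resources"}
ALICE = {"Alice", "Domain Users"}         # hypothetical non-HR user

# The ACL from the question, then the ACL after the fix in the answer.
BROKEN = canonical([
    Ace("allow", "Human Resources", FULL_CONTROL),
    Ace("deny", "Domain Users", FULL_CONTROL),
])
FIXED = canonical([Ace("allow", "Human Resources", FULL_CONTROL)])

def results():
    return {
        "tom_broken": access_check(TOM, BROKEN, READ),
        "tom_fixed": access_check(TOM, FIXED, READ),
        "alice_fixed": access_check(ALICE, FIXED, READ),
    }

if __name__ == "__main__":
    for name, allowed in results().items():
        print(f"{name}: {'granted' if allowed else 'denied'}")
```

With the deny entry gone, Tom is granted access through Human Resources, and Alice is still refused because no entry in the list grants her anything.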