Human Resources -- Allow Full Control
Domain Users -- Deny Full Control
Tom is a member of Human Resources; however, he cannot access the folder. How can you grant Tom access to the folder?
First, remember that deny wins over allow. If one permission grants me access and another takes it away, the take-it-away wins. We receive permissions either because they are assigned to us directly or because we are members of groups that have been given them. So Tom, who is a member of Human Resources, is also a member of Domain Users -- the allow permission is negated by the deny. And, nope, you can't remove him from Domain Users. All users with a domain account are just naturally members of this group.
There is a solution, though. Windows also works this way: if you are not given permission, you have no permission. That is, unless Domain Users are given access to the folder, they have no rights there. There is an implicit denial. So IT should remove the Domain Users group from the ACL (access control list) and leave in Human Resources. Tom will be able to access the folder, as will other members of the group, but no others will. This is very simple to test. IT should set it up, test it and then go take a lesson in basic Windows security features.
This was first published in January 2003
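The fix described above, as a PowerShell sketch added here (not part of the original answer): it removes the Domain Users entries from the folder's ACL, leaves Human Resources in place, and re-reads the ACL to confirm. The folder path and the domain name `EXAMPLE` are placeholder assumptions.

```powershell
# Added example. $Path and $Domain are placeholders (assumptions), not values from the page.
$Path   = 'D:\Shares\HR'
$Domain = 'EXAMPLE'
$denied = [System.Security.Principal.NTAccount]::new($Domain, 'Domain Users')
$kept   = "$Domain\Human Resources"

$acl = Get-Acl -Path $Path

# Before: list every entry so the Deny and where it comes from are visible.
$acl.Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

# Entries inherited from a parent folder cannot be removed on this folder;
# they have to be removed on the folder where they are actually set.
$inherited = @($acl.Access | Where-Object {
    $_.IsInherited -and $_.IdentityReference.Value -eq $denied.Value
})
if ($inherited.Count -gt 0) {
    Write-Warning "$($denied.Value) has inherited entries on $Path; edit the parent folder's ACL."
}

# Remove every explicit entry (Allow or Deny) for Domain Users, then write the ACL back.
$acl.PurgeAccessRules($denied)
Set-Acl -Path $Path -AclObject $acl

# After: confirm Domain Users is gone and Human Resources still has its Allow entry.
$after       = (Get-Acl -Path $Path).Access
$stillListed = @($after | Where-Object { $_.IdentityReference.Value -eq $denied.Value })
$hrAllow     = @($after | Where-Object {
    $_.IdentityReference.Value -eq $kept -and $_.AccessControlType -eq 'Allow'
})

if ($stillListed.Count -eq 0 -and $hrAllow.Count -gt 0) {
    'OK: Domain Users entries removed; Human Resources Allow entry intact.'
} else {
    Write-Warning "Check the ACL: Domain Users entries left = $($stillListed.Count), HR Allow entries = $($hrAllow.Count)."
}
```

Run it from an elevated session with rights to change permissions on the folder, then have a Human Resources member and a non-member each try to open the folder to confirm the result.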