
How do I resolve this conflicting permissions scenario?

The human resources department is having a problem accessing a folder. HR wants only members of the HR group to access this folder. Someone in the HR department tried to create the folder and assigned the following permissions:
Human Resources -- Allow Full Control
Domain Users -- Deny Full Control

Tom is a member of Human Resources; however, he cannot access the folder. How can you grant Tom access to the folder?

I agree -- this sounds like the infamous "a train leaves the station going 120 miles an hour. Another train leaves another station..." but this solution is much less difficult. You just need to know some basic Windows facts.

First, remember that deny wins over allow. If one permission grants me access, and another takes it away, the take-it-away wins. The permissions are given to us based on either of them being directly assigned to us, or because of our membership in groups that are given permissions. So Tom, who is a member of Human Resources, is also a member of Domain Users -- the allow permission is negated by the deny. And, nope, you can't remove him from Domain Users. All users with a domain account are just naturally members of this group.

There is a solution though. Windows also works this way: if you are not given permission, you have no permission. That is, unless domain users are given access to the folder, they have no rights there. There is an implicit denial. So IT should remove the Domain Users group from the ACL (access control list) and leave in Human Resources. Tom will be able to access the folder, as will other members in the group, but no others will. This is very simple to test. IT should set it up, test it and then go take a lesson in basic Windows security features.

This was last published in January 2003
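
The two rules in the answer above (deny wins over allow, and no entry means no access) can be checked with a small model of the access check. This is an added example, not part of the original answer: it is a simplified simulation in which rights are a set of names rather than a Windows access mask, and the user Alice is hypothetical.

```python
# Simplified model of how a folder ACL is evaluated (added example;
# users and tokens are constructed, access masks reduced to a set of rights).
from dataclasses import dataclass

FULL_CONTROL = frozenset({"read", "write", "delete", "change_permissions"})

@dataclass(frozen=True)
class Ace:
    kind: str            # "allow" or "deny"
    trustee: str         # user or group name
    rights: frozenset

def canonical(dacl):
    """Explicit deny entries are ordered ahead of allow entries."""
    return sorted(dacl, key=lambda ace: ace.kind != "deny")

def access_check(token, dacl, wanted):
    """Walk the entries in order and decide whether `wanted` is granted.

    token  -- the user's name plus every group the user belongs to
    wanted -- set of rights being requested
    """
    granted = set()
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue                      # entry does not apply to this user
        if ace.kind == "deny" and (ace.rights & wanted) - granted:
            return False                  # deny is reached before any allow
        if ace.kind == "allow":
            granted |= ace.rights & wanted
        if granted >= wanted:
            return True
    return False                          # nothing granted it: implicit deny

# Constructed tokens: every domain account carries Domain Users.
TOM = {"Tom", "Human Resources", "Domain Users"}
ALICE = {"Alice", "Domain Users"}         # hypothetical non-HR user

BROKEN_DACL = [Ace("allow", "Human Resources", FULL_CONTROL),
               Ace("deny", "Domain Users", FULL_CONTROL)]
FIXED_DACL = [Ace("allow", "Human Resources", FULL_CONTROL)]

def report():
    """Outcome of a read request for each user against each ACL."""
    want = {"read"}
    return {(user, name): access_check(token, dacl, want)
            for user, token in (("Tom", TOM), ("Alice", ALICE))
            for name, dacl in (("broken", BROKEN_DACL), ("fixed", FIXED_DACL))}

if __name__ == "__main__":
    for key, ok in report().items():
        print(key, "ALLOWED" if ok else "DENIED")
```

With the Domain Users entry removed, Tom is allowed through his Human Resources membership and Alice is still refused, because no entry in the ACL applies to her.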
