Posted by Roger Abell [MVP] on June 26, 2007, 2:45 am
>
>>
>>>
>>>> The Users group often includes Authenticated Users (which means any user
>>>> or computer account that authenticated to gain a login-type session), as
>>>> Al indicated, and also often includes INTERACTIVE (which means
>>>> any account login session based on the local login user right).
>>>
>>> Yes, that was also the case for me.
>>>
>>>> So the account may have been indirectly a member of Administrators.
>>>
>>> I think you mean "of users"...
>>>
>>
>> Yes, good catch, thank you.
>
> Somehow I am not as good at catching my own mistakes ;-)
>
>>>> When you added a grant on the directory for Administrators Full Control,
>>>> if the deny for Users was still in effect (you said you blocked
>>>> inheritance)
>>>> then the explicit grant added would have overridden the inherited deny
>>>> for Administrators members.
>>>
>>> Are you sure of that?
>>
>> Yes. see below
>>
>>> I had thought that the effective permissions on an object are there as
>>> surely by indirect membership in related security groups as is the case
>>> for direct membership. If user U is in group A that is allowed access to
>>> a resource, and also in group D that is denied, then the deny wins and
>>> user U has no access. If this were not the case then there would be no
>>> point in having a deny access possibility, as the only way to deny
>>> access would be to not grant it in the first place. If the user is taken
>>> out of group D, added to group DD, and group DD is added to group D, he
>>> should still not be able to access the resource.
>>>
>>> If, as you say his direct membership in a group that is allowed access
>>> were to override his indirect membership in a group denied access, then
>>> we have a case where group nesting does not work as expected.
>>>
>>> And what would happen if he were removed from A, added to AA, with AA
>>> being added as a member of A - indirect membership in an allowed group
>>> and a denied group? Will it then be a case of determining the most
>>> direct membership?
>>>
>>
>> It is not a matter of direct membership compared to indirect (e.g. via
>> Authenticated Users in Users). Rather it is a matter of the Deny being
>> set on the parent, and the Allow on the child. Hence the Deny would
>> be inherited onto the child, which has an explicit grant. When there is
>> a conflict, an explicit grant overrules an inherited deny. That is what I was
>> saying:
>>>> if the deny for Users was still in effect (you said you blocked
>>>> inheritance)
>>>> then the explicit grant added would have overridden the inherited deny
>>>> for Administrators members
>
> Thanks. I guess I didn't read as carefully as I should have...
>
As we both know, such is all too easy to do.
Now, if the OP would follow-up we might find out why they
had the situation which, as far as I can tell, is still unexplained,
even though their solution makes sense.
Roger
>>
>> Roger
>>
>>
>>>>
>>>>>I got this working: 1) uncheck "Allow inheritable permissions from
>>>>>parent to propagate to this object." under Advanced and choosing to
>>>>>remove all permissions from that directory structure, 2) Add Full
>>>>>Control to Administrators.
>>>>>
>>>>> But I am still mystified as to why the first approach did not work...
>>>>>
>>>>> Larry
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
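The following is an added example, not code from anyone in the thread. It reproduces the situation Roger and Larry are discussing on a throwaway folder under %TEMP% so the ACE ordering can be seen directly: an inheritable Deny for Users on the parent, then an explicit Allow for Administrators on the child, and finally the variant Larry actually used (block inheritance, then grant Administrators Full Control). The folder name and the use of %TEMP% are assumptions for the demo; run it in an elevated PowerShell session, since the Get-Acl/Set-Acl calls on the denied child rely on the implicit READ_CONTROL/WRITE_DAC the owner always keeps.

```powershell
# Added example (not from the thread). Reproduces the parent Deny / child explicit Allow
# situation discussed above on a throwaway folder. Assumes an elevated session and that
# %TEMP% is writable; the folder name is made up for the demo.
$root  = Join-Path $env:TEMP ("acl-demo-" + [guid]::NewGuid().ToString("N"))
$child = Join-Path $root "child"
New-Item -ItemType Directory -Path $child -Force | Out-Null

$users  = [System.Security.Principal.NTAccount]"BUILTIN\Users"
$admins = [System.Security.Principal.NTAccount]"BUILTIN\Administrators"
$inheritAll  = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$propNone    = [System.Security.AccessControl.PropagationFlags]::None

# Step 1: inheritable Deny for Users on the parent (InheritOnly keeps the parent itself usable).
# Every logged-on account is in Users via Authenticated Users / INTERACTIVE, so the Deny
# flows down onto the child and hits administrators as well.
$denyUsers = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $users, "FullControl", $inheritAll, $inheritOnly, "Deny"
$rootAcl = Get-Acl -LiteralPath $root
$rootAcl.AddAccessRule($denyUsers)
Set-Acl -LiteralPath $root -AclObject $rootAcl

# Step 2: explicit Allow for Administrators on the child with inheritance still enabled,
# so the child now carries both the inherited Deny and an explicit Allow.
$allowAdmins = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $admins, "FullControl", $inheritAll, $propNone, "Allow"
$childAcl = Get-Acl -LiteralPath $child
$childAcl.AddAccessRule($allowAdmins)
Set-Acl -LiteralPath $child -AclObject $childAcl

# The DACL is stored in canonical order: explicit Deny, explicit Allow, inherited Deny,
# inherited Allow. The access check walks it top to bottom and stops as soon as every
# requested right is granted or any requested right is denied, so a member of
# Administrators satisfies the explicit Allow before the inherited Deny for Users is
# ever examined. A non-administrator in Users reaches the Deny and is refused.
Write-Host "Child ACL, explicit Allow above inherited Deny:"
(Get-Acl -LiteralPath $child).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# Variant the original poster used: block inheritance on the child and discard the
# inherited ACEs (SetAccessRuleProtection with preserveInheritance = $false), then grant
# Administrators Full Control. No Deny remains on the child at all.
$childAcl = Get-Acl -LiteralPath $child
$childAcl.SetAccessRuleProtection($true, $false)
$childAcl.AddAccessRule($allowAdmins)
Set-Acl -LiteralPath $child -AclObject $childAcl
Write-Host "Child ACL after blocking inheritance:"
(Get-Acl -LiteralPath $child).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# Cleanup: the owner keeps READ_CONTROL and WRITE_DAC regardless of any Deny, so the
# Deny can be removed from the parent before the tree is deleted.
$rootAcl = Get-Acl -LiteralPath $root
$rootAcl.RemoveAccessRule($denyUsers) | Out-Null
Set-Acl -LiteralPath $root -AclObject $rootAcl
Remove-Item -LiteralPath $root -Recurse -Force
```

The first listing is the state Roger describes: the explicit Allow for Administrators is evaluated ahead of the inherited Deny for Users, which is why administrators get in even though they are indirectly members of Users. The second listing is the state after Larry's fix, where the Deny is simply gone because inheritance was cut.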