Score:0

Simple NTFS/permissions q


Say I would like to only allow domain admins write permissions to a folder, and disallow everyone else.

If I set write permissions for domain admins, but then read-only for 'authenticated users', which takes precedence?

Does the domain admins write permission trump the authenticated users read-only permission? Or will the domain admins be unable to write because domain admins are included in authenticated users?

Thank you

Score:1

Domain Admins will be able to read and write, and Authenticated Users will be able to read.

Score:0

> If I set write permissions for domain admins, but then read-only for 'authenticated users', which takes precedence?
>
> Does the domain admins write permission trump the authenticated users read-only permission? Or will the domain admins be unable to write because domain admins are included in authenticated users?

In the Windows ACL model, neither has higher precedence than the other – instead the sum of all matching "Allow" permissions is used. So if you grant X to Authenticated Users but Y+Z to Domain Admins, the user is effectively granted X+Y+Z.

However, Deny entries have higher precedence than any "Allow" entry. (Again, the sum of all matching "Deny" entries will be denied.)

This applies equally to NTFS files, AD entries, and most other securable objects. For AD specifically, the algorithm is documented at MS-ADTS.

tsc_chazz
Minor clarification: when user1686 says "the user is effectively granted X+Y+Z", they mean "the domain admin user".
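
The evaluation described in the answer above, as an added example that is not part of the original thread: a simplified model of the DACL walk, assuming the ACEs are in canonical order (Deny before Allow). The rights values, the group-name strings standing in for SIDs, and all function names are constructed for illustration.

```python
# Simplified stand-ins for NTFS rights, not the real access-mask bit values.
READ, WRITE = 0x1, 0x2

# Constructed group names used in place of SIDs.
AUTH_USERS = "Authenticated Users"
DOMAIN_ADMINS = "Domain Admins"


def canonical(dacl):
    """Put Deny ACEs ahead of Allow ACEs (stable sort keeps relative order)."""
    return sorted(dacl, key=lambda ace: ace[0] != "deny")


def effective_access(dacl, token_groups):
    """Walk the DACL in order and return the rights one token ends up with."""
    granted = 0
    denied = 0
    for ace_type, trustee, mask in dacl:
        if trustee not in token_groups:
            continue  # ACE names a group this token is not a member of
        if ace_type == "allow":
            granted |= mask & ~denied   # bits already denied stay denied
        else:
            denied |= mask & ~granted   # bits already granted stay granted
    return granted


# The folder from the question: read for all signed-in users, write for admins.
FOLDER_DACL = canonical([
    ("allow", AUTH_USERS, READ),
    ("allow", DOMAIN_ADMINS, READ | WRITE),
])

# A domain admin's token carries both groups; an ordinary user's carries one.
ADMIN_TOKEN = {AUTH_USERS, DOMAIN_ADMINS}
USER_TOKEN = {AUTH_USERS}

# Constructed contrast: a Deny on the broad group also removes write from admins.
DENY_DACL = canonical(FOLDER_DACL + [("deny", AUTH_USERS, WRITE)])

if __name__ == "__main__":
    print("admin:", effective_access(FOLDER_DACL, ADMIN_TOKEN))
    print("user:", effective_access(FOLDER_DACL, USER_TOKEN))
    print("admin, deny ACE present:", effective_access(DENY_DACL, ADMIN_TOKEN))
```

The contrast case shows why read-only for the broad group should be expressed as an Allow for read alone rather than a Deny for write: the Deny would match the admins' tokens too.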