Confusion with NTFS Permissions

I work with a bunch of very green entry level help desk folks, and sometimes they get requests to change permissions on files/folders. This causes lots of problems because they apparently don’t understand NTFS permissions, and subsequently break things by improperly applying Full Control or Deny permissions on objects in a directory tree.

Since there seems to be a lot of confusion over when to use Deny permissions in an NTFS ACL, I’m going to try to clarify it once and for all:

Deny permissions ALWAYS override allow permissions, except in very limited, explicitly defined circumstances. Additionally, do not use Full Control. Users do not need full control over anything but their My Documents folder.

Basically:

  • ALLOW permissions allow a user to access something
  • NON-SET permissions (no ACE at all for the user or any of their groups) prevent a user from accessing something
  • DENY permissions forcefully reject attempts to access something.

NTFS ACLs take a long time to evaluate, and the more entries, the more time. Use groups as often as possible, and avoid assigning individual users permissions on all folders, aside from their own, whenever possible. Keep ACLs as small as possible, with as few ACEs as you can manage. An ACL with 5 group ACEs is a lot easier to understand, manage, and troubleshoot than an ACL with 50 user ACEs.

For all the following examples we will assume the following:

  1. RWX means: Read/Write/Execute/Modify
  2. Andrew, Barb, Carl and Deborah are users at XYZ Corp
  3. All four are part of the XYZUsers group
  4. Deborah is part of the XYZLevel1Admin group
  5. Andrew and Barb are part of the Sales group
  6. Carl is a member of the Management group
  7. We are going to be talking about folders shared from SRV1
  8. All folders have the default system permissions on them
  9. Unless indicated otherwise, all folders are set to propagate permissions to child objects (children inherit parent object permissions)

If you set D:\Data to have allow Full Control for the XYZLevel1Admin group, the following is true:

  • Deborah can access all folders under D:\Data

If you change D:\Data L1\Admin to have allow RWX for the XYZLevel1Admin group instead of full control, the following is true:

  • Andrew, Barb and Carl are blocked from accessing the directory as they have no defined permissions on it.
  • Deborah can access the folder, as she is part of the XYZLevel1Admin group

If you then go and add deny RWX to the XYZUsers group the following is true:

  • Andrew, Barb and Carl are blocked from accessing the directory as they have no defined permissions on it.
  • Andrew, Barb, Carl and Deborah are blocked from accessing the directory because they’re in the XYZUsers group and there is a deny permission on it, even though the XYZLevel1Admin group has the allow RWX ACE on D:\Data.

If you set D:\Data\Management to have allow RWX for the Management group, and no other permissions, the following is true:

  • Carl can access the folder as the Management group has been given allow RWX on this folder
  • Deborah can access the folder as it is part of D:\Data and the XYZLevel1Admin group has full control over child objects.
  • Andrew and Barb cannot access it, as they have no defined permissions

If you set D:\Data\Sales to have Allow RWX for the XYZUsers group, the following is true:

  • Andrew, Barb and Carl can read, write and execute files in that directory because they are part of XYZUsers
  • Deborah has full control over all files in that directory since it is part of D:\Data and the XYZLevel1Admin group has full control over child objects

If you add Deny Write for the Management group, the following is true:

  • Andrew and Barb can read, write and execute files in that directory because they are part of XYZUsers which has Allow RWX on that folder
  • Carl can read files in that directory, but cannot create, edit, rename, or delete them because he is a part of the Management group
  • Deborah has full control over it because she is part of the XYZLevel1Admin group which has full control over child objects.

If you add allow RWX for the XYZUsers group to D:\Data\Public, the following is true:

  • Andrew, Barb and Carl can read, write and execute files because they are part of XYZUsers
  • Deborah has full control over it because she is part of the XYZLevel1Admin group, which has full control over child objects.

If you add Deny Read for the Sales group, the following is true:

  • Andrew, Barb and Carl can edit, rename, create and delete files because they are part of the XYZUsers group
  • Andrew and Barb cannot read files because they are in the Sales group
  • Carl can read files because he is not in the Sales group
  • Deborah has full control over it because she is part of the XYZLevel1Admin group which has full control over child objects.

If you add allow RWX for Sales, Management and XYZLevel1Admin to D:\Data\FreeForAll, the following is true:

  • Andrew and Barb can read, write and execute files in that directory because they are part of Sales which has Allow RWX on that folder
  • Carl can access the folder as the Management group has been given allow RWX on this folder
  • Deborah has full control over it because she is part of the XYZLevel1Admin group which has full control over child objects.

If you then add Deny RWX for the XYZUsers group, the following is true:

  • Andrew, Barb, Carl and Deborah will not be able to access that folder, in spite of all of their above listed permissions. The Deny permission overrides them.

The ONLY time that Deny permissions do not override an allow permission is when there is an explicit allow set on an object that has an inherited deny.

If you’re not sure what that means, then work under the assumption that Deny permissions always override allow permissions, even when the person has other permissions defined to allow them access.
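To make the evaluation order behind these rules concrete, here is a small simulator added to this post (it is not code from the original post and not a Windows API): it models a DACL with the users, groups and folders above, orders ACEs the way Windows evaluates a canonical DACL (explicit deny, explicit allow, inherited deny, inherited allow), and adds one constructed child folder, D:\Data\Public\Reports, to show the single exception where an explicit allow beats an inherited deny. Full Control is simplified to RWX.

```python
from dataclasses import dataclass

RWX = frozenset({"read", "write", "execute"})  # Full Control simplified to RWX

# Constructed group membership, taken from assumptions 2-6 above.
GROUPS = {
    "Andrew": {"XYZUsers", "Sales"},
    "Barb": {"XYZUsers", "Sales"},
    "Carl": {"XYZUsers", "Management"},
    "Deborah": {"XYZUsers", "XYZLevel1Admin"},
}

@dataclass(frozen=True)
class Ace:
    principal: str        # user or group the ACE applies to
    kind: str             # "allow" or "deny"
    rights: frozenset     # subset of RWX
    inherited: bool = False

def canonical(acl):
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.kind == "allow"))

def access_check(user, acl, requested):
    """True if every right in `requested` is granted to `user` directly or via a group.

    A deny ACE covering any right not yet granted fails the check; an allow ACE
    strips the rights it grants; rights nobody grants are implicitly denied
    (the NON-SET case)."""
    principals = {user} | GROUPS.get(user, set())
    remaining = set(requested)
    for ace in canonical(acl):
        if ace.principal not in principals:
            continue
        if ace.kind == "deny" and remaining & ace.rights:
            return False
        if ace.kind == "allow":
            remaining -= ace.rights
            if not remaining:
                return True
    return not remaining

def inherit(parent):
    """Propagate a parent ACL to a child object (assumption 9)."""
    return [Ace(a.principal, a.kind, a.rights, inherited=True) for a in parent]

# Folders from the walk-through, plus the constructed Reports child folder.
DATA = [Ace("XYZLevel1Admin", "allow", RWX)]
MANAGEMENT = inherit(DATA) + [Ace("Management", "allow", RWX)]
SALES = inherit(DATA) + [Ace("XYZUsers", "allow", RWX), Ace("Management", "deny", frozenset({"write"}))]
PUBLIC = inherit(DATA) + [Ace("XYZUsers", "allow", RWX), Ace("Sales", "deny", frozenset({"read"}))]
PUBLIC_REPORTS = inherit(PUBLIC) + [Ace("Andrew", "allow", frozenset({"read"}))]
FREEFORALL = (inherit(DATA) + [Ace(g, "allow", RWX) for g in ("Sales", "Management", "XYZLevel1Admin")]
              + [Ace("XYZUsers", "deny", RWX)])
```

Running `access_check("Deborah", FREEFORALL, {"read"})` returns False (the explicit deny on XYZUsers wins), while `access_check("Andrew", PUBLIC_REPORTS, {"read"})` returns True because Andrew's explicit allow is evaluated before the deny inherited from D:\Data\Public.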