Deny specific user

zz12

Hello. Is there a way to deny a specific domain user on folders and
subfolders on a w2k server active directory? Just wondering if it was
possible to leave the Everyone group access to a folder but somehow deny 1
specific user at the same time.

Thanks in advance.
 
Paul Adare

> Hello. Is there a way to deny a specific domain user on folders and
> subfolders on a w2k server active directory? Just wondering if it was
> possible to leave the Everyone group access to a folder but somehow deny 1
> specific user at the same time.

A DENY access control entry (ACE) takes precedence over an ALLOW ACE so
yes, you should be able to do what you're trying to do.
 
Roger Abell [MVP]

The filesystem folder? Or one seen viewing Active Directory?

An explicit deny overrules any grant, which is effective for the object
itself.
But such a deny is only potentially effective on any sibling dependent
content if the object is a container like a directory. Where the deny is
only inherited, any grant to the principal that is nearer the object than
the inheritance point of the deny will overrule the deny.

So, there is a simple (for filesystem at least) way to do what you are
after, if anything inheriting permissions from where you place the deny has
nothing but those inherited permissions (or only differences knowingly made).

Roger
 
zz12

If I go ahead and issue a Deny on a specific domain regular user to one of
our server's 'c' drive this would basically deny access to this particular
server's entire 'c' drive. Say later on I then uncheck the Deny permission
for this user in theory it would just affect this particular regular user in
where if we deleted this domain user then everything should be back to
original and not affect any other user's permissions on the server's 'c'
drive?
 
Roger Abell [MVP]

zz12 said:
> If I go ahead and issue a Deny on a specific domain regular user to one
> of our server's 'c' drive this would basically deny access to this
> particular server's entire 'c' drive.

No. That is not the case.
If C: is where the OS is installed, you will notice that there are
multiple directories under C: that do not inherit their permissions
from the root C:
Further, even if everything on C: did inherit from the root, and so
would inherit this deny you are thinking of adding, it will only
effect a deny as long as nothing later (lower in a directory path)
grants (directly or indirectly) to that user. If there is such a grant
placed closer to or on the object somewhere down under C: then
that user will have access (i.e. the deny is overridden).

> Say later on I then uncheck the Deny permission for this user in theory it
> would just affect this particular regular user in where if we deleted this
> domain user then everything should be back to original and not affect any
> other user's permissions on the server's 'c' drive?

Removing an ACE, such as this deny, does remove it, so if you uncheck
the deny in the ACE that names that user and denies to them, then it would
no longer exist as a deny. That ACE affects only the principal that it
names, which you say would be that user.
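
Added example (not written by any poster in this thread): a simplified Python model of how a DACL in canonical order is evaluated, covering the cases discussed above: an explicit deny, an inherited deny overridden by a nearer grant, and a folder that does not inherit from the root. The folder names, the user `zuser` and the two-bit access mask are constructed, and the model assumes every user is a member of Everyone; real access checks also involve ownership and privileges that are left out here.

```python
# Simplified model of NTFS DACL evaluation (added example; all names constructed).
from dataclasses import dataclass, field

READ, WRITE = 0x1, 0x2

@dataclass(frozen=True)
class Ace:
    kind: str        # "deny" or "allow"
    principal: str   # user or group name
    mask: int

@dataclass
class Folder:
    name: str
    parent: "Folder | None" = None
    explicit: list = field(default_factory=list)
    inherits: bool = True   # False = inheritance from the parent is blocked

def effective_dacl(folder):
    """Canonical order: explicit ACEs first, then inherited ones, nearest
    ancestor first; within each level, deny ACEs precede allow ACEs."""
    dacl, node = [], folder
    while node is not None:
        dacl += sorted(node.explicit, key=lambda a: a.kind != "deny")
        node = node.parent if node.inherits else None
    return dacl

def access_check(folder, user, groups, wanted):
    """Walk ACEs in order: a deny on a still-needed bit fails the request,
    allows accumulate until every requested bit is granted."""
    sids, remaining = {user, "Everyone", *groups}, wanted
    for ace in effective_dacl(folder):
        if ace.principal not in sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if not remaining:
                return True
    return False  # nothing granted the remaining bits: implicit deny

# Constructed tree: the deny for zuser sits on the root next to Everyone's allow.
root = Folder("C:", explicit=[Ace("allow", "Everyone", READ | WRITE),
                              Ace("deny", "zuser", READ | WRITE)])
data = Folder("data", parent=root)                      # inherits only
reports = Folder("reports", parent=data,                # nearer explicit grant
                 explicit=[Ace("allow", "zuser", READ)])
private = Folder("private", parent=root, inherits=False,  # does not inherit
                 explicit=[Ace("allow", "Everyone", READ)])
```

Checking `reports` for `zuser` returns access for READ but not WRITE, which is the override described above: the explicit grant is evaluated before the deny inherited from the root.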
 
