allow or deny permissions for every object in Active Directory. Deny
permissions take precedence over any other level of permission that is
otherwise set for a user or group, even Full Control. If a specific user is
denied access but is allowed Full Control through six other groups that
user belongs to, the user is still denied access. If a specific group is
denied access but all of its members are explicitly given Full Control on
their individual user accounts and through two other group memberships,
they are still denied.
[NOTES FROM THE FIELD] – As with all things Microsoft, there is an
exception to this rule. An explicit Allow permission on an object takes
precedence over an inherited Deny permission. That is, if you are denied
access to something through inheritance and an administrator grants you a
specific permission directly on an object that received its original
permissions through inheritance, be it a Deny or a lesser setting, that
explicit setting on the object takes precedence, even when it overrides an
inherited Deny. This also holds at a less extreme level: an explicit Write
setting trumps an inherited Read permission.
If permission to perform an operation is not explicitly assigned, it is
implicitly denied. What this means is that if you are not intentionally
given any permissions on an object, you are denied access to it simply
because you have not been assigned any access in the first place.
If permission to perform an operation is implicitly assigned, it can still
be explicitly denied. What this means is that even when permissions arrive
via inheritance or through group membership, they can still be set to Deny
on the local object. If a specific user is gaining access to an object
through inheritance, you can set a local Deny for that user on the object
itself. If a specific user is gaining access to an object through group
membership and you want the group, but not that particular user, to have
the access, you can deny the user access locally on the object.
There are two different types of permissions that can be set, Standard
Permissions and Special Permissions. Standard Permissions are the ones that
can be set on the main property sheet of an object through the Security tab.
Full Control allows a change in permissions, the ability to take ownership,
and the ability to perform every task allowed by the other standard
permissions.
Read allows the viewing of objects and object attributes, the object owner,
and the Active Directory permissions.
Write allows the changing of attributes of an object.
Create All Child Objects allows the addition of any type of child object in
Active Directory.
Delete All Child Objects allows the removal of any type of child object in
Active Directory.
While it is possible to assign permissions directly to users, best practice
dictates that administrators assign permissions only to groups, which keeps
administration simplest.
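The precedence rules above (explicit Deny over every Allow, explicit Allow over an inherited Deny, implicit deny when nothing is assigned, a local Deny overriding access gained through a group) and the group-assignment guidance can be checked with a small model of the access-check order that Windows applies to an ACL. The following is an added example, written for this page and not code from the original article or from Microsoft; the principal names, group names and ACLs are constructed sample data, and rights are represented as an enum instead of the real access-mask bits.

```python
"""Model of the ACE evaluation order described above.

Constructed sample data: user/group names stand in for the SIDs a real ACE
holds, and Right stands in for the numeric access mask.
"""
from dataclasses import dataclass
from enum import Flag, auto


class Right(Flag):
    """Rights matching the Standard Permissions on the Security tab."""
    READ = auto()
    WRITE = auto()
    CREATE_CHILD = auto()
    DELETE_CHILD = auto()
    FULL_CONTROL = READ | WRITE | CREATE_CHILD | DELETE_CHILD


@dataclass(frozen=True)
class Ace:
    trustee: str             # user or group name (constructed; a real ACE holds a SID)
    rights: Right
    allow: bool              # True = Allow ACE, False = Deny ACE
    inherited: bool = False  # True if the ACE came from a parent container


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset = frozenset()

    def identities(self) -> set:
        # An access token carries the user's own identity plus every group.
        return {self.name} | set(self.groups)


def canonical_order(acl):
    """Explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))


def access_check(acl, principal: Principal, requested: Right) -> bool:
    """True if the ACL grants every requested right to the principal."""
    identities = principal.identities()
    granted = Right(0)
    for ace in canonical_order(acl):
        if ace.trustee not in identities:
            continue  # ACE does not apply to this token
        if not ace.allow:
            # A Deny ACE fails the check only for rights not already granted
            # by an earlier (more specific) Allow ACE. This is why an explicit
            # Allow beats an inherited Deny while an explicit Deny beats any Allow.
            if ace.rights & requested & ~granted:
                return False
        else:
            granted |= ace.rights & requested
            if granted == requested:
                return True
    return False  # no ACE granted every requested right: implicit deny


def allow_aces_on_users(acl, known_groups) -> list:
    """Hygiene check: explicit Allow ACEs whose trustee is a user, not a group."""
    return [a for a in acl if a.allow and not a.inherited and a.trustee not in known_groups]


# Constructed scenarios mirroring the rules in the text.
def scenario_explicit_deny_beats_group_allows() -> bool:
    alice = Principal("alice", frozenset(f"Group{i}" for i in range(1, 7)))
    acl = [Ace(g, Right.FULL_CONTROL, allow=True) for g in sorted(alice.groups)]
    acl.append(Ace("alice", Right.FULL_CONTROL, allow=False))  # listed last on purpose
    return access_check(acl, alice, Right.READ)                # False


def scenario_explicit_allow_beats_inherited_deny() -> tuple:
    alice = Principal("alice")
    acl = [Ace("alice", Right.FULL_CONTROL, allow=False, inherited=True),
           Ace("alice", Right.WRITE, allow=True)]
    # Explicit Write is allowed; Read, covered only by the inherited Deny, is not.
    return access_check(acl, alice, Right.WRITE), access_check(acl, alice, Right.READ)


def scenario_implicit_deny() -> bool:
    bob = Principal("bob", frozenset({"HelpDesk"}))
    acl = [Ace("Group1", Right.READ, allow=True)]  # nothing names bob or his group
    return access_check(acl, bob, Right.READ)      # False


def scenario_group_allow_user_deny() -> tuple:
    carol = Principal("carol", frozenset({"HelpDesk"}))
    acl = [Ace("HelpDesk", Right.READ | Right.WRITE, allow=True),
           Ace("carol", Right.WRITE, allow=False)]  # local Deny for one member only
    return access_check(acl, carol, Right.READ), access_check(acl, carol, Right.WRITE)


def scenario_audit_direct_user_aces() -> list:
    groups = {"HelpDesk", "Group1"}
    acl = [Ace("HelpDesk", Right.READ, allow=True),
           Ace("dave", Right.WRITE, allow=True),      # granted to a user: flag it
           Ace("erin", Right.READ, allow=False)]
    return [a.trustee for a in allow_aces_on_users(acl, groups)]


if __name__ == "__main__":
    print(scenario_explicit_deny_beats_group_allows())
    print(scenario_explicit_allow_beats_inherited_deny())
    print(scenario_implicit_deny())
    print(scenario_group_allow_user_deny())
    print(scenario_audit_direct_user_aces())
```

The ordering in canonical_order is the whole point: the Deny ACE for alice is appended last in the first scenario, yet it still wins because explicit Deny entries are evaluated first. The same sort is what makes the "exception" hold: an explicit Allow is evaluated before the inherited Deny and, because a Deny only applies to rights not yet granted, the inherited Deny never gets a chance to fail the check.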
Well, that wraps up this section of Learn Active Directory Design and
Administration in 15 Minutes a Week covering the Windows 2000 Active
Directory Delegation of Authority – Assigning Permissions. I hope you found
it informative and will return for the next one. If you have any questions,
comments or even constructive criticism, please feel free to drop me a line.
I want to write good, solid technical articles that appeal to a large range
of readers and skill levels, and I can only be sure of that through your
feedback.
Until then, best of luck in your
studies and remember,
yet have to figure out why there are 5 syllables in the word