Table 4-1. Group membership

| Group  | Members                |
|--------|------------------------|
| Group1 | Bill, Tom, Mary, Susan |
| Group2 | Bill, Mary, Jane, Alex |
Table 4-2. ACEs for an OU: Example 1

| ACE    | Permission                     | How assigned |
|--------|--------------------------------|--------------|
| Bill   | Allow Read                     | Explicit     |
| Tom    | Allow Full control             | Explicit     |
| Group1 | Allow Write                    | Inherited    |
| Group2 | Allow Create all child objects | Inherited    |
The effective permissions are as follows:
• Bill: Allow Read, Write, and Create all child objects
• Tom: Allow Full control
• Mary: Allow Write and Create all child objects
• Susan: Allow Write
• Jane and Alex: Allow Create all child objects
All the permissions assigned are Allow permissions, so you just add them together to arrive
at the effective permissions for each user. Tom is granted Full control, which encompasses all
other permissions. Take a look at another example with the same group memberships but using
the ACEs in Table 4-3.
Table 4-3. ACEs for an OU: Example 2

| ACE    | Permission                     | How assigned |
|--------|--------------------------------|--------------|
| Bill   | Deny Delete all child objects  | Inherited    |
| Mary   | Deny Full control              | Inherited    |
| Group1 | Allow Full control             | Inherited    |
| Group2 | Allow Create all child objects | Inherited    |
The effective permissions are as follows:
• Bill: Allow Full control, except for deleting all child objects
• Tom: Allow Full control
• Mary: Deny Full control
• Susan: Allow Full control
• Jane and Alex: Allow Create all child objects
The Deny permission overrides the Allow permission, so although Bill, as a member of
Group1, inherited Full control, the Deny Delete all child objects entry prevents him from
deleting objects in the OU. Mary inherited Full control because of her membership in Group1, but
the Deny Full control entry for her user account overrides the inherited permission. Look at the
next example with the same group memberships but using the ACEs in Table 4-4.
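
The two rules used in Examples 1 and 2 (Allow entries add together; a Deny entry overrides an Allow) can be worked through in Python. This is an added example, not part of the original text. It models only the permissions named in the tables and ignores the "How assigned" column, which these two examples do not depend on; the function and variable names are illustrative.

```python
# Added example: simplified model of the two rules used in Examples 1 and 2.
# Assumption: the permission list is limited to the names that appear in the tables.
PERMS = {"Read", "Write", "Create all child objects", "Delete all child objects"}

GROUPS = {  # Table 4-1
    "Group1": {"Bill", "Tom", "Mary", "Susan"},
    "Group2": {"Bill", "Mary", "Jane", "Alex"},
}

# (trustee, type, permission) rows from Tables 4-2 and 4-3
EXAMPLE_1 = [
    ("Bill", "Allow", "Read"),
    ("Tom", "Allow", "Full control"),
    ("Group1", "Allow", "Write"),
    ("Group2", "Allow", "Create all child objects"),
]
EXAMPLE_2 = [
    ("Bill", "Deny", "Delete all child objects"),
    ("Mary", "Deny", "Full control"),
    ("Group1", "Allow", "Full control"),
    ("Group2", "Allow", "Create all child objects"),
]

def expand(permission):
    """Full control encompasses every other permission."""
    return set(PERMS) if permission == "Full control" else {permission}

def effective(user, aces, groups=GROUPS):
    """Return the set of permissions the user ends up with."""
    allowed, denied = set(), set()
    for trustee, ace_type, permission in aces:
        # An ACE applies if it names the user or a group the user belongs to.
        if trustee != user and user not in groups.get(trustee, ()):
            continue
        (allowed if ace_type == "Allow" else denied).update(expand(permission))
    # Allow entries accumulate; any matching Deny removes the permission.
    return allowed - denied

if __name__ == "__main__":
    for name, aces in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name)
        for user in ("Bill", "Tom", "Mary", "Susan", "Jane", "Alex"):
            print(f"  {user}: {sorted(effective(user, aces)) or 'no access'}")
```

An empty result, as for Mary in Example 2, means every permission she was allowed through Group1 and Group2 is removed by the Deny Full control entry on her account.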
 