5.5. Task 5.5: Implementing a Deny Group
It may be important to be able to lock a collection of users out of certain sensitive content. This can be accomplished by building the chain of granting rights and permissions: User Account (A) gets added to the Global Group (G), the Global Group gets added to the Domain Local Group (DL), and Permissions (P) get granted to the Domain Local Group, AGDLP. In this case, you'll be granting the NTFS Deny Full Control permission to the Domain Local Group (DLG).
The Deny permission is all-powerful and overrules any collection of Allow permissions.
You are responsible for the security of your information systems. You have a new folder with sensitive content that should not be viewed by the Widget ...