5.5. Task 5.5: Implementing a Deny Group

It may be important to be able to lock a collection of users out of certain sensitive content. This can be accomplished by building the chain of granting rights and permissions: User Account (A) gets added to the Global Group (G), the Global Group gets added to the Domain Local Group (DL), and Permissions (P) get granted to the Domain Local Group, AGDLP. In this case, you'll be granting the NTFS Deny Full Control permission to the Domain Local Group (DLG).

The Deny permission is all-powerful and overrules any collection of Allow permissions.

5.5.1. Scenario

You are responsible for the security of your information systems. You have a new folder with sensitive content that should not be viewed by the Widget ...

Get Security Administrator Street Smarts: A Real World Guide to CompTIA Security+™ Skills, Second Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.