Because of the fact that users have can have many different rights settings and objects can have many different permission settings, it is possible that conflicting permission settings might apply to a particular object and access method.
When this occurs, the system must engage in a process of resolving the various permissions to determine which ones should govern the access.
Here are some rules for resolving permissions conflicts:
- "Deny" permissions generally take precedence over "allow" permissions.
- Permissions applied directly to an object (explicit permissions) take precedence over permissions inherited from a parent (for example from a group).
- Permissions inherited from near relatives take precedence over permissions inherited from distant predecessors. So permissions inherited from the object's parent folder take precedence over permissions inherited from the object's "grandparent" folder, and so on.
- Permissions from different user groups that are at the same level (in terms of being directly-set or inherited, and in terms of being "deny" or "allow") are cumulative. So if a user is a member of two groups, one of which has an "allow" permission of "Read" and the other has an "allow" of "Write", the user will have both read and write permission--depending on the other rules above, of course.
Although Deny permissions generally take precedence over allow permissions, this is not always the case. An explicit "allow" permission can take precedence over an inherited "deny" permission.
The hierarchy of precedence for the permissions can be summarized as follows, with the higher precedence permissions listed at the top of the list:
- Explicit Deny
- Explicit Allow
- Inherited Deny
- Inherited Allow
File permissions override folder permissions, unless the Full Control permission has been granted to the folder.
- NTFS Permissions
- Setting Permissions
- File and Folder Basic Permissions
- File and Folder Advanced Permissions
- Effective Permissions
- Changing Ownership of Files and Folders
- Moving and Copying Protected Files
- Troubleshooting Access to Files and Shared Folders
- Permissions for Other Objects
- User Rights vs. NTFS Permissions
- Share Permissions vs. NTFS Permissions
- Explicit vs. Inherited Permissions
- Allow vs. Deny Permissions
- Permission Precedence
- Combining Shared Folder Permissions and NTFS Permissions
- Sharing and Adding Permissions
- Backing up and Restoring NTFS Permissions on a Specified Volume
- Off-line Access to Shared Folders (Caching)
- Metafile $Secure
- Appendix. Script to Backup or Restore NTFS Permissions