June 15, 2012 at 5:07 am
If a user has their own Windows login against a database and they are also a member of an AD group with different permissions, which takes priority?
June 15, 2012 at 5:16 am
Won't matter, as AD groups are linked to the user's domain account.
The group is just a collection of the domain users.
In the end, the highest will apply.
If the group has READ ONLY, but the user himself has DBO, he will be DBO.
This won't be the case if there are explicit DENY properties against the user or the security group.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
This thing is addressing problems that don't exist. It's solution-ism at its worst. We are dumbing down machines that are inherently superior. - Gilfoyle
June 18, 2012 at 3:24 am
Thanks.
June 18, 2012 at 4:01 am
The issue has been that the user has their own AD login with db_owner but they are also a member of an AD group which has db_denydatawriter. So when he tries to update a table, permission is denied. So this is because of the explicit db_denydatawriter role membership of the AD group taking priority over db_owner of his individual AD login.
June 18, 2012 at 4:41 am
Like I said, DENY will override his granted rights.
June 18, 2012 at 5:05 am
Deny always overrides grant. Only exception is a sysadmin, to which nothing can be denied.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
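The behaviour the thread describes can be reproduced without Active Directory. The following T-SQL is an added example, not code from any poster: contained database users (CREATE USER ... WITHOUT LOGIN) stand in for the Windows login, and a user-defined role nested inside db_denydatawriter stands in for the AD group, so the DENY reaches the user through membership exactly as it would through a group. The database name, table, principal names and the ALTER ROLE syntax (SQL Server 2012 or later) are all assumptions for the demo.

```sql
-- Added example (not from the thread): DENY inherited through a nested role
-- overrides a direct db_owner grant. All names below are invented.
USE master;
GO
IF DB_ID('DenyDemo') IS NOT NULL DROP DATABASE DenyDemo;
CREATE DATABASE DenyDemo;
GO
USE DenyDemo;
GO
CREATE TABLE dbo.Orders (OrderId int IDENTITY(1,1) PRIMARY KEY, Amount money NOT NULL);
INSERT INTO dbo.Orders (Amount) VALUES (10), (20);
GO
-- "alice" plays the individual AD login that was made db_owner.
CREATE USER alice WITHOUT LOGIN;
ALTER ROLE db_owner ADD MEMBER alice;
-- "bob" has the same db_owner grant but is in no denying role (control case).
CREATE USER bob WITHOUT LOGIN;
ALTER ROLE db_owner ADD MEMBER bob;
-- "ReportReaders" plays the AD group: it is a member of db_denydatawriter,
-- and alice is a member of it, so the DENY reaches her by nesting.
CREATE ROLE ReportReaders;
ALTER ROLE db_denydatawriter ADD MEMBER ReportReaders;
ALTER ROLE ReportReaders ADD MEMBER alice;
GO
-- Run as alice: SELECT works (db_owner), UPDATE fails with Msg 229 because
-- the DENY inherited through ReportReaders overrides the db_owner grant.
EXECUTE AS USER = 'alice';
SELECT USER_NAME() AS running_as, COUNT(*) AS rows_readable FROM dbo.Orders;
BEGIN TRY
    UPDATE dbo.Orders SET Amount = Amount + 1;
    SELECT 'alice UPDATE succeeded (unexpected)' AS outcome;
END TRY
BEGIN CATCH
    SELECT 'alice UPDATE blocked' AS outcome, ERROR_NUMBER() AS err, ERROR_MESSAGE() AS msg;
END CATCH;
-- Effective permissions reflect the DENY: SELECT is listed, UPDATE is not.
SELECT permission_name
FROM fn_my_permissions('dbo.Orders', 'OBJECT')
WHERE permission_name IN ('SELECT', 'UPDATE');
REVERT;
GO
-- Run as bob: same db_owner membership, no DENY anywhere, so UPDATE succeeds.
EXECUTE AS USER = 'bob';
UPDATE dbo.Orders SET Amount = Amount + 1;
SELECT USER_NAME() AS running_as, @@ROWCOUNT AS rows_updated;
REVERT;
GO
-- Troubleshooting query: walk role membership from the user outward so the
-- path to db_denydatawriter (or any other denying role) becomes visible.
WITH chain AS (
    SELECT principal_id, CAST(name AS nvarchar(4000)) AS path
    FROM sys.database_principals
    WHERE name = 'alice'
    UNION ALL
    SELECT rm.role_principal_id,
           CAST(c.path + N' -> ' + r.name AS nvarchar(4000))
    FROM chain c
    JOIN sys.database_role_members rm ON rm.member_principal_id = c.principal_id
    JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
)
SELECT path FROM chain ORDER BY path;
GO
USE master;
DROP DATABASE DenyDemo;
```

The membership walk is the part worth keeping for real incidents: with a Windows group the denying role shows up on the group's path, not on the user's own row, which is why the deny is easy to miss. Note that the permissions of fixed roles such as db_denydatawriter are built in and do not appear in sys.database_permissions; an explicit DENY issued against the user or the group would, with state 'D'.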