August 7, 2013 at 8:05 am
This is probably a basic question but I've not thought about it much until now. If a user has a domain login to a server with one set of rights and is part of an AD group login that has a second set of rights do the rights get merged or does one login take precedence over the other?
Regards,
Erin
August 7, 2013 at 9:20 am
As far as I know both are taken into account, with denies taking priority over grants.
I had this happen accidentally once when I was testing the effects of removing the BUILTIN\Administrators group from a server. I had set the group to deny logins, and as a result user accounts with sysadmin permissions that were also a local admins on the machine (and therefor in the BUILTIN\Administrator group) could no longer log in.
August 7, 2013 at 9:46 am
Yes, both are "merged" and as the other poster mentioned denies take precedence.
CEWII
Viewing 3 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply