How IT works NTFS Permissions
|Grandparent Allow||Read & Excecute, List Folder Contents, Read|
The DACL lists permissions by the object first, followed by the object’s parent, then the grandparent, and so on up the directory tree. Each layer has the Deny permissions listed before the Allow permissions. The evaluation starts at the child and checks the permissions at that level before continuing up the tree. This process goes level by level until one of three things happen:
- If the evaluation finds a Deny for the requested action, the evaluation stops and the action is denied.
- If the evaluation finds an Allow for the requested action, the evaluation stops and the action is allowed.
- If the evaluation made it to the top of the tree and the action does not have an Allow or Deny permission specified, the action is still denied.
Richard Civil runs Civil Consulting and Training, and is Senior Technical Trainer at New Horizons in Beaverton, OR. He also holds MCT, MCSE, MCP+I, SCPI, and IC3 certifications. Learn more about Richard at www.rcivil.com.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.