NTFS Permission Precedence

Expert

Overview

Because a user can be covered by many different permission settings at once, conflicting permissions might apply to a particular user's access.

When this occurs, the system must resolve the various permissions to determine which it should use to control the access.

Rules for Resolving Permissions Conflicts:

  1. "Deny" permissions usually take precedence over "Allow" permissions.
  2. Permissions applied directly to a user or object (explicit permissions) take precedence over permissions inherited from a parent (e.g., from a group).
  3. Permissions inherited from a nearer ancestor take precedence over permissions inherited from a more distant one. So permissions inherited from the object's parent folder take precedence over permissions inherited from the object's "grandparent" folder, and so on.
  4. Permissions from different user groups that are at the same level (in terms of being directly set or inherited, and of being "deny" or "allow") are cumulative. For example, if a user is a member of two groups, one of which has an "allow" permission of "Read" and the other has an "allow" of "Write", the user will have both read and write permission, depending on the other rules above, of course.

Although Deny permissions usually take precedence over Allow permissions, this is not always the case. An explicit "allow" permission can take precedence over an inherited "deny" permission.

The hierarchy of precedence for permissions:

  • Explicit Deny
  • Explicit Allow
  • Inherited Deny
  • Inherited Allow

Note: File permissions override folder permissions (unless the Full Control permission has been granted to the folder).
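
The rules and hierarchy above, modelled as an added example (not code from the original article): ACEs are sorted nearest level first with deny before allow, then walked in order until every requested right is granted or a deny matches. The `Ace` class, the rights bits, the user and group names and the sample ACLs are constructed assumptions, and the walk is a simplified model of the Windows access check.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # simplified rights bits, not real NTFS access masks

@dataclass(frozen=True)
class Ace:
    trustee: str  # user or group name (stands in for a SID)
    kind: str     # "deny" or "allow"
    mask: int     # rights this entry covers
    depth: int    # 0 = explicit, 1 = from parent, 2 = from grandparent, ...

def canonical_order(aces):
    """Nearest level first; within one level, deny entries before allow."""
    return sorted(aces, key=lambda a: (a.depth, a.kind != "deny"))

def access_check(aces, identities, wanted):
    """Walk the ordered ACEs; the first entry that settles a wanted bit wins."""
    remaining = wanted
    for ace in canonical_order(aces):
        if ace.trustee not in identities:
            continue  # entry is for someone else
        if ace.kind == "deny" and ace.mask & remaining:
            return False  # a still-needed right is denied
        if ace.kind == "allow":
            remaining &= ~ace.mask  # allows accumulate across groups
            if remaining == 0:
                return True
    return False  # rights nobody granted are implicitly denied

# Constructed sample data: alice is a member of Staff and Editors.
ALICE = {"alice", "Staff", "Editors"}
REPORT_ACL = [
    Ace("Staff", "deny", WRITE, depth=1),   # inherited deny
    Ace("alice", "allow", WRITE, depth=0),  # explicit allow on the file
    Ace("Staff", "allow", READ, depth=1),   # inherited allow
]
NOTES_ACL = [
    Ace("Staff", "allow", READ, depth=1),     # from parent folder
    Ace("Editors", "allow", WRITE, depth=1),  # from parent folder
    Ace("Staff", "deny", READ, depth=2),      # from grandparent folder
]

if __name__ == "__main__":
    print("alice writes report:", access_check(REPORT_ACL, ALICE, WRITE))
    print("alice reads+writes notes:", access_check(NOTES_ACL, ALICE, READ | WRITE))
```

For `REPORT_ACL`, the explicit allow for alice is reached before the inherited deny for Staff, which is the exception to "deny wins" described above; any other Staff member still hits the inherited deny.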
