Permissions logic question

Levy23

Reputable
Jun 7, 2014
22
0
4,520
I'm learning about NTFS permissions and I've realized that I can deny everything except full control on a folder or file. How does that work exactly in terms of logic? I've never understood why it denies from the level downwards instead of upwards (i.e., deny someone write = deny everything above that instead of below). Why is it like that and how does that even work then if they still have the ability to go above that level?

Note: I haven't been able to really test any of this because all my allows are selected and grayed out so I don't know if that has something to add or do with it.
 

th3p00r

Respectable
Sep 7, 2016
445
0
1,960
If you deny everything, it means nobody can access that folder or file.
Think of it like a house: if you have the key to unlock the house (top level directory) to get in, then you have access to all the rooms inside the house. But if you deny the key to everybody, nobody has access to the whole house; however, you can give them access to each room inside (they can't access upward).
Hope that makes sense to you.
 
Solution

Levy23



But my confusion lies in how I can select all the denies up to FC but am able to leave that blank. Again, I've only been able to fiddle with accounts where all the Allows are both checked and greyed out. But it makes no sense to deny everything except FC; wouldn't they be able to use it still then?
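
An added example, not written by either poster: a simplified Python model of how Windows evaluates a DACL, showing that the checkboxes are bit masks rather than levels, so "Deny everything except Full Control" still blocks reads and writes and leaves only a few special rights undenied. It assumes the .NET `FileSystemRights` mask values; the accounts `alice` and `bob`, the group `Users` and the ACL itself are constructed, and owner rights, privileges and generic-right mapping are left out.

```python
# Added illustration: simplified model of the Windows access check.
# Mask values are the .NET FileSystemRights constants.
FULL_CONTROL     = 0x1F01FF
MODIFY           = 0x0301BF
READ_AND_EXECUTE = 0x0200A9
READ             = 0x020089
WRITE            = 0x000116
WRITE_DAC        = 0x040000   # "Change permissions"
WRITE_OWNER      = 0x080000   # "Take ownership"
DELETE_CHILD     = 0x000040   # "Delete subfolders and files"
SYNCHRONIZE      = 0x100000

def access_check(dacl, sids, desired):
    """Walk ACEs in order; True only if every bit in `desired` is granted."""
    remaining = desired
    for ace_type, sid, mask in dacl:
        if sid not in sids:
            continue                      # ACE is for someone else
        if ace_type == "deny" and mask & remaining:
            return False                  # a still-needed bit is denied
        if ace_type == "allow":
            remaining &= ~mask            # these bits are now granted
            if remaining == 0:
                return True
    return remaining == 0                 # anything left over is refused

def canonical(explicit, inherited):
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    denies_first = lambda ace: ace[0] != "deny"
    return sorted(explicit, key=denies_first) + sorted(inherited, key=denies_first)

# Constructed scenario: every Deny box ticked except Full Control, on top of
# an inherited (greyed-out) Allow Full Control for the Users group.
DENY_ALL_BUT_FC = MODIFY | READ_AND_EXECUTE | READ | WRITE
LEFTOVER = FULL_CONTROL & ~DENY_ALL_BUT_FC   # bits only the Full Control box covers
DACL = canonical(
    explicit=[("deny", "alice", DENY_ALL_BUT_FC)],
    inherited=[("allow", "Users", FULL_CONTROL)],
)
ALICE = {"alice", "Users"}   # hypothetical user and her group
BOB = {"bob", "Users"}       # hypothetical user with no Deny entry

if __name__ == "__main__":
    print("undenied bits:", hex(LEFTOVER))
    for name, right in [("READ", READ), ("WRITE", WRITE),
                        ("FULL_CONTROL", FULL_CONTROL), ("WRITE_DAC", WRITE_DAC)]:
        print(f"alice {name}: {access_check(DACL, ALICE, right)}")
    print("bob MODIFY:", access_check(DACL, BOB, MODIFY))
```

In this model the explicit Deny is evaluated before the inherited Allow, and the only rights left undenied are change permissions, take ownership, delete subfolders and files, and synchronize.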