Sunday, May 18, 2014

Result of assigning "Deny All" to Domain Users Group in Web Application User Policy

I recently encountered an unusual question that I had never really thought about before.

The crux of the question was what happens when you assign the "Deny All" permission to the Domain Users group in the User Policy of a Web Application.  All users belong to the Domain Users group, so are there any overriding permissions for Farm Administrators, Site Collection Administrators or Site Owners?

Since I was not sure of the answer myself, I decided to try it out and see what happened.

So, of course, I had to go into Central Administration and set this up:


  1. Click on Manage Web Applications from Central Administration
  2. Highlight the specific Web Application whose User Policy I needed to change
  3. Click on the User Policy button
  4. Click on Add Users
  5. Click Next
  6. Type in <domain name>\domain users and check the check box for "Deny All"
  7. Click the Finish button






As you can probably guess from the description of "Deny All" (hence, no access), none of the users in the Domain Users group should have access.  Therefore, according to this, even the Farm Administrator will be denied access to any of the Site Collections.

And if the Farm Administrator is denied access, all other users should be denied access as well!!

So, to test this out, I tried logging in with the Farm Administrator account and this was the error message I received:


As you can guess, I also tried the other accounts in the Site Collection Administrator and Site Owner groups, and they all failed.

Therefore, if you set up an explicit "Deny" permission for a domain group such as Domain Users, ALL accounts will be denied access, EVEN the Farm Administrator account!!
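To check a farm for the configuration tested above, the following added example (not part of the original post) lists every Web Application User Policy entry that carries a Deny role and flags entries bound to a broad group. The list of "broad" group names and the SID pattern used for claims-mode entries are assumptions to adjust for your environment.

```powershell
# Added example. Run in the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: names treated as "broad" groups; adjust for your domain.
$broadNames = 'domain users', 'authenticated users', 'everyone'

function Test-BroadPrincipal($policy) {
    # Classic-mode entries store DOMAIN\name; claims-mode entries store an
    # encoded claim, so the display name is checked as well.
    foreach ($name in $broadNames) {
        $pattern = [regex]::Escape($name) + '$'
        if ($policy.UserName -match $pattern -or $policy.DisplayName -match $pattern) {
            return $true
        }
    }
    # Domain Users has the well-known RID 513 at the end of its SID.
    return ($policy.UserName -match 's-1-5-21-[\d-]+-513$')
}

function Get-DenyPolicyEntry {
    # Emits one object per User Policy entry that has a Deny role bound to it.
    foreach ($wa in Get-SPWebApplication) {
        foreach ($policy in $wa.Policies) {
            $deny = @($policy.PolicyRoleBindings | Where-Object {
                $_.Type -eq 'DenyAll' -or $_.Type -eq 'DenyWrite'
            })
            if ($deny.Count -eq 0) { continue }
            New-Object PSObject -Property @{
                WebApplication = $wa.Url
                UserName       = $policy.UserName
                DisplayName    = $policy.DisplayName
                DenyRoles      = ($deny | ForEach-Object { $_.Name }) -join ', '
                BroadGroup     = (Test-BroadPrincipal $policy)
            }
        }
    }
}

# Broad-group Deny entries are listed first.
Get-DenyPolicyEntry |
    Sort-Object BroadGroup -Descending |
    Format-Table WebApplication, DisplayName, UserName, DenyRoles, BroadGroup -AutoSize
```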
