@Ragarath
>Why should a user setting override a group setting?
Because that's the sensible thing to do. Fine-grained control should have precedence over large-scale. Deny access to everyone but to the known authorized persons. That's just common sense.
>If the user you're talking about needs access why are you putting the user in a group that denies access?
Because when you have hundreds of users, accessing tens of resources, but with specific rights, you just can't create a group for every one of them. You create a few tens of groups, maybe, for the general population, but sometimes you need exceptions. What do you do, remove the "exceptional" users from all their groups and create a special group for each of them? And do the same thing, the opposite way, each time one of your "special" users loses or gains credentials?
>Try thinking of a group as a user that can change ownership without having to change the permissions
Well, that's exactly what an NTFS group is, a rigid multifaced anonymous meta-user closed to finer-grain control, and that's why it sucks.
>rather than thinking that it is a looser set of permissions.
??? Tightness has nothing to do with it. It's just plain clumsy.
>This also raises the question why you're adding specific user permissions to objects rather than groups [...].
Maybe because when john-doe-067845 (previously in group "users") genuinely needs -temporary- access to /secret/ressource/files/john-doe-067845/, but nothing else, I'm not necessarily willing to open the directory to all and sundry?
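
An added example (not part of the post above) modelling how an ordered ACL resolves the user-versus-group conflict argued here, using NTFS's canonical ordering: explicit entries are evaluated before inherited ones, and deny before allow within each tier. It is a simplified Python model, not Windows API code; the `Ace` class, `canonical`, `access_check` and the `jane-roe` account are hypothetical.

```python
from dataclasses import dataclass

READ = 0x1
USER, GROUP = "john-doe-067845", "users"   # names taken from the post

@dataclass(frozen=True)
class Ace:
    kind: str            # "allow" or "deny"
    trustee: str         # user or group the entry applies to
    mask: int            # access bits covered by the entry
    inherited: bool = False

def canonical(dacl):
    # Explicit deny, explicit allow, inherited deny, inherited allow.
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(dacl, token, desired):
    # Walk entries in order: a deny on a still-needed bit fails at once,
    # allows accumulate, and anything left ungranted is implicitly denied.
    remaining = desired
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False

def scenarios():
    john, other = {USER, GROUP}, {"jane-roe", GROUP}   # "jane-roe" is constructed
    group_deny = [Ace("allow", USER, READ), Ace("deny", GROUP, READ)]
    inherited_deny = [Ace("deny", GROUP, READ, inherited=True), Ace("allow", USER, READ)]
    allow_only = [Ace("allow", USER, READ)]
    return {
        "explicit group deny vs user allow": access_check(group_deny, john, READ),
        "inherited group deny vs explicit user allow": access_check(inherited_deny, john, READ),
        "user allow only, john": access_check(allow_only, john, READ),
        "user allow only, other member": access_check(allow_only, other, READ),
    }

if __name__ == "__main__":
    for name, granted in scenarios().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

In this model a per-user exception survives a group deny only when the deny is inherited and the allow is set explicitly on the object; with no deny entries at all, anyone not listed is refused by the implicit deny.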