Say I would like to only allow domain admins write permissions to a folder, and disallow everyone else.
If I set write permissions for domain admins, but then read-only for 'authenticated users', which takes precedence?
Does the domain admins write permission trump the authenticated users read-only permission? Or will the domain admins be unable to write because domain admins are included in authenticated users?
Thank you
Domain Admins will be able to read and write, and Authenticated Users will be able to read.
In the Windows ACL model, neither has higher precedence than the other – instead the sum of all matching "Allow" permissions is used. So if you grant X to Authenticated Users but Y+Z to Domain Admins, the user is effectively granted X+Y+Z.
However, Deny entries have higher precedence than any "Allow" entry. (Again, the sum of all matching "Deny" entries will be denied.)
This applies equally to NTFS files, AD entries, and most other securable objects. For AD specifically, the algorithm is documented at MS-ADTS.
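As an added illustration (not part of the answer above, and not Windows' own code), a small Python model of the access-check logic the answer describes: matching Allow ACEs are summed, and a matching Deny ACE wins. The access-mask bits, group names and the `access_check`/`canonicalize` functions are constructed for this example.

```python
# Simplified model of the Windows discretionary ACL access check.
# Assumptions: explicit ACEs only, no inheritance, no owner/backup-privilege
# shortcuts; trustees are matched by name rather than SID.
from dataclasses import dataclass

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4        # constructed access-mask bits

@dataclass(frozen=True)
class Ace:
    allow: bool    # True = "Allow" ACE, False = "Deny" ACE
    trustee: str   # group or user the ACE applies to
    mask: int      # rights covered by this ACE

def canonicalize(acl):
    """Canonical DACL order: explicit Deny ACEs ahead of explicit Allow ACEs
    (the order the Security tab and SetEntriesInAcl produce)."""
    return sorted(acl, key=lambda ace: ace.allow)

def access_check(acl, token_groups, desired):
    """Return True if every desired right is granted to this token.
    ACEs are read in order; a matching Deny that overlaps a still-wanted right
    fails the check, matching Allows accumulate until nothing wanted remains."""
    remaining = desired
    for ace in canonicalize(acl):
        if ace.trustee not in token_groups:
            continue                       # ACE does not apply to this token
        if not ace.allow:
            if ace.mask & remaining:
                return False               # Deny wins over any Allow
        else:
            remaining &= ~ace.mask         # Allows are summed, not compared
            if remaining == 0:
                return True
    return False

# Constructed sample: the folder from the question.
FOLDER_ACL = [
    Ace(True, "Domain Admins", READ | WRITE | EXECUTE),
    Ace(True, "Authenticated Users", READ | EXECUTE),
]
# A Domain Admin's token carries both groups; a plain user only the second.
ADMIN_TOKEN = {"Domain Admins", "Authenticated Users", "Domain Users"}
USER_TOKEN = {"Authenticated Users", "Domain Users"}
# Same folder with an explicit Deny-write for Authenticated Users added.
DENY_ACL = FOLDER_ACL + [Ace(False, "Authenticated Users", WRITE)]

if __name__ == "__main__":
    print("admin write:", access_check(FOLDER_ACL, ADMIN_TOKEN, WRITE))        # True
    print("user write:", access_check(FOLDER_ACL, USER_TOKEN, WRITE))          # False
    print("admin write with deny:", access_check(DENY_ACL, ADMIN_TOKEN, WRITE))  # False
```

The last case is the one to watch for: a read-only Allow for Authenticated Users does not stop Domain Admins writing, but a Deny-write for Authenticated Users does, because Domain Admins are members of that group too.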