I'm having a problem with user-specific permissions not overriding group permissions. I have a folder to which I've granted the Associates group Modify access. An intern, Alex, is a member of the Associates group and should have Associates-level access to everything on the network except for this particular folder, which contains sensitive information that interns shouldn't be able to modify. So I added an access control entry (ACE) to the folder specifying Read access for Alex. However, when I tested the permissions, I found that Alex can still modify files. Why isn't the user-specific permission working?
Windows treats user permissions and group permissions the same. When Windows evaluates your access to an object, it collects all the permissions assigned to your user account, if any, and all the permissions assigned to the groups to which you belong. Then it subtracts any permissions that are explicitly denied to your user account and groups. To fulfill your requirement, you should create a new group called AssociateInterns and deny that group Write Data, Append, Change Permissions, Take Ownership, Write Attributes, and Write Extended Attributes permissions. Remember, assigning permissions to user accounts is always poor practice because it complicates maintenance and increases the likelihood of access control errors.