Using Window Authentication via Active Directory Groups, if an Active Directory user exists in two different Active Directory Groups with different permissions to a database, which Active Directory group does it use to set the permissions?
- The most restrictive
- The least restrictive
- Cumulative of the two
- Random
Setting this up in a test environment is proving difficult, because I am not a domain administrator, and we have no test domain. Plus we have seen results both ways. Just wondering if anybody knows the answer.
Best Answer
Rights applicable to the login are summed then applied from least restrictive to most restrictive on a per object basis. DENY'd rights take precedence over GRANT'd rights.
Taken from the MSDN SQL Server page on Database Engine Permissions: