Macmod
commented
2 weeks ago Considering that Microsoft's docs state that Within the group of explicit ACEs, access-denied ACEs are placed before access-allowed ACEs, I believe we can just prepend Deny ACEs upon creation and keep the current behavior of appending Allow ACEs.
Apparently the order of ACEs isn't automatically inferred by Active Directory and if you create a "Deny" ACE below an "Allow" ACE it's created as-is, making the ACL out of order. If you then view the Security tab manually in the AD, it prompts the admin to "Re-order" the ACL.