If a user is allowed by the allow file and denied by the deny file (either directly or indirectly) the inconsistency must be resolved.
As a quick rule of thumb, precedence is given to the more specific user reference. The precedence is as follows: UPN listed, group listed, OU listed, and domain listed. If there’s a tie between users.allow and users.deny, users will be denied access. In the following table, the columns represent users.deny and the rows represent users.allow.
Table 1: Rules for System Access
Please see page 131 of the QAS_Solutions.pdf or page 62 of the AuthenticationServices_4.0_AdminGuide.pdf for additional information.