How is it possible to receive Access Denied errors even after assigning the right permissions?

I've been working on a server migration recently, and cleaning up permissions issues on some cloned Windows 2008 servers. I routinely use procmon to narrow down permissions issues and fix them, then resume testing.

Something that boggles my mind is when I assign the proper permissions, and then run the test again, and still receive the same "ACCESS DENIED" error in procmon for the same exact user that I just assigned Full Control on for that directory or registry key that fails.

How is this technically possible? Other than not having the proper ACL set, why would ACCESS DENIED be returned?

In this specific headache, I have an Active Directory account that we use to run our services that need to be able to span multiple servers, and it consistently receives ACCESS DENIED errors on HKEY_CLASSES_ROOT\Wow6432Node\CLSID. I have tripled checked that this user has Full Control access on this key, yet it still happens.

For what it's worth, here are the details from procmon:

Date & Time:    8/9/2011 5:13:27 PM
Event Class:    Registry
Operation:      RegOpenKey
Result:         ACCESS DENIED
Path:           HKCR\Wow6432Node\CLSID
TID:            5084
Duration:       0.0000073
Desired Access: Read

Description:    Event Alarm Service
Company:        Dorian Software Creations, Inc.
Name:           EvtAlarm.exe
Version:        6.0.0.148
Path:           C:\Program Files (x86)\Event Alarm\EvtAlarm.exe
Command Line:   "C:\Program Files (x86)\Event Alarm\EvtAlarm.exe"
PID:            5232
Parent PID:     616
Session ID:     0
User:           OUR\SpecialUser
Auth ID:        00000000:09af42e2
Architecture:   32-bit
Virtualized:    False
Integrity:      High
Started:        8/9/2011 5:13:27 PM
Ended:          8/9/2011 5:13:39 PM

---

Edit: Thanks everyone for the feedback. I have solved our underlying problem, although my question still stands as I don't feel what I did is truly an explanation, therefore I am not going to post this as an official answer. Following advice from the company that makes the software in question, I added the service account in question to the local Administrators group, and now it is able to start successfully, and the ACCESS DENIED errors are gone. It still makes no sense to me, as the permissions (including effective permissions) showed that this service account should have had the right to access the registry key that was being denied...

good point you may just need restart the service.

@Wes: I don't think that's right. When a user logs on, their security token specifically identifies them. Resource access based on username (SID) should work without needing to regenerate a new security token. On the other hand, user access based on group membership requires a logoff and logon to generate a new security token to reflect the group membership changes.

@Joeqwerty Yeah, that's what I was thinking too. I was going off of some anecdotal evidence that I've experienced where I thought access based permissions still weren't working until some time had passed. Cargo Cult Administration at its finest. =)

@Wes: <Personal Note> BTW, glad to see you. Hope all is well. </End Personal Note>

On another note: An explicit allow will over-ride an inherited deny.

Hmmm... I thought an inherited deny overrode everything. Clearly my permissions skills are musty. =)

Nope, an explicit permission over-rides an inherited permission... in every case if I'm not mistaken.