I have been trying to figure this one out since about an hour. I enabled basic authentication on a directory. I removed anonymous. So, basically, when accessing something in that directory, the basic authentication is shown. I enter a valid username and password from the domain and it validates. However, I did not even give the access to that directory to the user, and after a valid login, we can proceed. I checked the directory permissions. Everything in there is locked. This is only administrators, system and things like that. So, what gives any user doing a login to proceed?