NTFS Permissions Question

blastingfonda_at_gmail.com
Date: 02/03/05


Date: 3 Feb 2005 15:07:05 -0800

I've Googled and searched all over Microsoft's site for an answer to
this question and I'm completely stumped. Hopefully I can find an
answer here...

Everywhere I've read (Win 2k3 server documentation on Microsoft's web
site, the Microsoft Press books, etc.), if a user is granted Modify
permission, he cannot delete files or subfolders unless explicitly
granted the Delete permission. However, the Full Control permission
does include the Delete Subfolders and Files special permission.

To see how this played out, I created a new user, TestUser, and created
two new folders in an NTFS partition on a Win2k3 box as the Admin -
Modify and FullControl. Each has a subfolder labeled Test with a file.
TestUser has Modify rights on the Modify folder and Full Control rights
to the FullControl folder. TestUser is not a member of the
Administrators or any other group and no other users or groups have
rights to these folders.

When I log in as TestUser, I can delete the Test subfolder in the
Modify folder. Why is this happening? Well, when I look at the ACL on
the Test folder, I notice TestUser's Modify permission is inherited
from the Modify folder -- and of course that includes the ability to
Delete.

So what happens when I flip off the inheritance checkbox? TestUser can
no longer delete the subfolder - which is good. However, I then
unchecked the inheritance checkboxes in the FullControl folder as well
and logged on as TestUser. TestUser CAN'T delete subfolders when
inheritance is flipped off, even though he has the Delete Subfolders
and Files permission at the folder level. Once again, everywhere I've
read states that a user with that permission should be able to delete
subfolders regardless of a lack of explicit permissions.

Try this scenario yourself to see what I'm experiencing... (who knows,
it may just be a glitch on my config...)

Needless to say I wouldn't give a rat's ass about this in real world
situations and would simply assign Deny permissions in cases where I
didn't want to give people access, but on the MCSE tests there are a
ton of questions on permissions and inheritance that don't really
correspond to real world scenarios, but may deny someone from getting a
useless piece of paper that companies nonetheless put value in if they
get those questions wrong.

Any help on this would be appreciated...

   - bf -
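
Added example, not part of the original post: a simplified Python model of the Windows delete check (DELETE on the object, or Delete Subfolders and Files on its parent) applied to the folder setups described above. It assumes that switching inheritance off removed rather than copied TestUser's inherited entries and that Test still contains its file; `Node`, `may_delete`, `can_remove_tree` and `scenario` are hypothetical names.

```python
# Added illustration, not from the original post. Simplified model: one user,
# allow entries only, parent entries apply to "this folder, subfolders and files".
# Access-mask bits as defined in the Windows SDK (winnt.h).
DELETE = 0x00010000
FILE_LIST_DIRECTORY = 0x0001
FILE_DELETE_CHILD = 0x0040      # shown in the ACL editor as "Delete Subfolders and Files"
MODIFY = 0x001301BF             # includes DELETE, lacks FILE_DELETE_CHILD
FULL_CONTROL = 0x001F01FF       # includes both

class Node:  # hypothetical helper: a file or folder holding TestUser's entries
    def __init__(self, name, explicit=0, inherit=True, children=()):
        self.name, self.explicit, self.inherit = name, explicit, inherit
        self.children, self.parent = list(children), None
        for child in self.children:
            child.parent = self

    def mask(self):
        """Effective allow mask: explicit entries plus whatever is inherited."""
        inherited = self.parent.mask() if (self.inherit and self.parent) else 0
        return self.explicit | inherited

def may_delete(node):
    """Windows grants delete via DELETE on the object or FILE_DELETE_CHILD on its parent."""
    via_parent = node.parent is not None and node.parent.mask() & FILE_DELETE_CHILD
    return bool(node.mask() & DELETE or via_parent)

def can_remove_tree(node):
    """A folder must be emptied first, which needs list access and deletable children."""
    if node.children:
        if not node.mask() & FILE_LIST_DIRECTORY:
            return False
        if not all(can_remove_tree(child) for child in node.children):
            return False
    return may_delete(node)

def scenario(top_mask, inherit, with_file=True):
    """Build top folder -> Test -> file; return Test. inherit=False models the
    assumption that inherited entries were removed, not copied, on Test."""
    files = [Node("file.txt")] if with_file else []
    test = Node("Test", inherit=inherit, children=files)
    Node("top", explicit=top_mask, inherit=False, children=[test])
    return test

if __name__ == "__main__":
    for label, m in (("Modify", MODIFY), ("FullControl", FULL_CONTROL)):
        for inh in (True, False):
            print(label, "inherit" if inh else "no inherit",
                  can_remove_tree(scenario(m, inh)), can_remove_tree(scenario(m, inh, False)))
```

In this model the only case where the two top-level grants differ is an empty Test folder with inheritance off: Full Control on the parent still allows the delete, Modify does not.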


