Re: NTFS Permissions Question

blastingfonda_at_gmail.com
Date: 02/04/05 

Date: 3 Feb 2005 20:02:35 -0800

Adam Leinss wrote:

> You seem to be saying two completely different things here about what

> the modify permission allows you to do. I believe the permissions
are
> additive and work like this:
>
> Modify rights only: can modify files or folders, but not delete them
>
> Delete rights only: since you cannot modify files or folders, you can

> not delete them (deletion would be a modification would it not?)
>
> Modify + Delete rights: you can both modify and delete files
>
> Adam

Wrong - Modify includes Delete.

Rights that are activated when you apply the Modify right on a folder:
Traverse Folder/Execute File
List Folder/Read Data
Read Attributes
Read Extended Attributes
Create Files/Write Data
Create Folders/Append Data
Write Attributes
Write Extended Attributes
Delete
Read Permissions
Synchronize

Rights that aren't activated when you select Modify:
Delete Subfolders and Files
Change Permissions
Take Ownership

...all of which you can do when Full Control is applied.

This is obtained from Microsoft Win2k3 Server Docs:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/acl_folder_permissions.asp

Now check out the entries for Delete and Delete Subfolders and Files:

Delete: Allows or denies deleting the file or folder. If you do not
have Delete permission on a file or folder, you can still delete it if
you have been granted Delete Subfolders and Files on the parent folder.

Delete Subfolders and Files: Allows or denies deleting subfolders and
files, even if the Delete permission has not been granted on the
subfolder or file. (Applies to folders.)

This is obstained here:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_SEconceptsImpLocScen.asp

However what's happening is both Modify and Full Control (which has the
delete Subfolders and Files permission) behave exactly the same. Both
delete subfolders if inheritance on the child folder is checked, both
are unable to delete subfolders if inheritance on the child folder is
unchecked.

Try it yourself.

Relevant Pages

  • Re: NTFS Permissions Question
    ... Answer is, modify includes delete, but not delete subfolders and files. ... subfolder(s) when delete is not inherited from the parent folder. ... with just the permission you need. ...
    (microsoft.public.cert.exam.mcse)
  • Re: Network access not working
    ... Maybe the account doing the robocopy does not have sufficient rights. ... are your root folder permissions the same on both sides of the copy? ... The first was that is did not copy the security information for private at ... subfolders were copied but it did not copy any files. ...
    (microsoft.public.windows.server.security)
  • Re: How to restrict access to just Files, not Folders
    ... permissions with the least frustration and re-attempts. ... set a grant of Modify for Users ... >> permitted to traverse any subfolders. ... Traverse Folder / List access - This folder, ...
    (microsoft.public.win2000.security)
  • Re: NTFS Permissions Question
    ... > they have modify on the parent folder they have delete on the parent, ... > flows thru inheritance to the subfolders and files. ... > subfolder(s) when delete is not inherited from the parent folder. ... with just the permission you ...
    (microsoft.public.cert.exam.mcse)
  • Re: special permissions on folder dont work
    ... One for Files only granting Modify (it was only ... ACE should be for This folder and subfolders, ... Users in the second group can still ...
    (microsoft.public.windows.server.security)