Re: Permissions question
- From: Ben Smith <online_bensmi@xxxxxxxxxxxxx>
- Date: Mon, 12 Dec 2005 21:17:39 -0800
In article <8B57EEC6-BDE3-4A7C-94AD-9610F0A170E9@xxxxxxxxxxxxx>,
Colin@xxxxxxxxxxxxxxxxxxxxxxxxx says...
> Ok, I understand that part. I'm still not rock solid about why it isn't
> visible through Security or Effective Permissions of that file object.
I am not sure how the UI calculates the effective permissions. Take a
look at the Test group's permission on the folder. You should see that
the permission is to the Folder and all objects in the folder, but the
explicit permissions are only on folder objects, not file objects (which
would explain the results of the effective permissions tab.)
> I guess my question would be, how would you know that a user of Test Group
> could delete any files and folders under that directory just by looking at
> the security of one of those files or folders? What if you have a scenario
> where a file is buried under 100's of directories, the top one being owned by
> some specific user, how hard would it be to determine that that file could be
> deleted by the user owning the top dir? How do you see that this user has any
> control over this file without winding your way up all the directories and
> looking for permissions. There must be an easier way? Effective Permissions
> tab does not help, as this reports no delete permission but it is in fact
> allowed.
Your point is well-taken. I will run some tests next week and file a bug
on it.
> "Ben Smith" wrote:
>
> > In article <FB75FBCF-DD69-43A4-A2D3-BAA961C15136@xxxxxxxxxxxxx>,
> > Colin@xxxxxxxxxxxxxxxxxxxxxxxxx says...
> > > I have this scenario:
> > >
> > > Create a folder on Windows 2003 Ent. Ed. server, share it as Everyone: Full
> > > Access.
> > >
> > > Security permissions on folder:
> > > Administrators: Full Control
> > > CREATOR OWNER: Full Control
> > > SYSTEM: Full Control
> > > Test Group: Read, Create, Write, Append
> > >
> > > So when a user of Test Group creates a file or folder on the share they
> > > become Creator Owner and have full access to that file or folder. But they
> > > cannot delete files or folders created by other users.
> > >
> > > Test
> > > 1. Create a file in the folder as domain admin.
> > > 2. Map to the share as a user in Test Group and try to delete the file. You get
> > > permission denied which is expected.
> > > 3. As the mapped user, create a folder in the share.
> > > 4. Now create a file in that created folder as domain admin.
> > > 5. Check permissions on the newly created file. Test Group or user has no
> > > delete permissions. Running Effective Permissions against the user also shows
> > > no delete permissions.
> > > 6. Try to delete the file as the user, file is deleted!
> >
> > Right, this is the expected behavior.
> >
> > > I assume the file can be deleted because the user is the Creator Owner of
> > > the parent folder which propagated Full Access down to the file. But this
> > > does not show up on the file's security settings. Why is that?
> > >
> >
> > Because the permission the user is exercising is not on the file - it is
> > on an object in the folder he has full control over. I will admit, it is
> > a bit confusing.
> >
>
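Added example, not part of the original thread: a PowerShell function that lists the ACEs bearing on a delete, taken from both the object and its immediate parent folder. NTFS permits a delete when the caller holds Delete on the object or Delete Subfolders and Files on the parent, which is why the file's own Security tab showed nothing in the test above. The function name Get-DeleteGrant and the sample path are hypothetical; it reports raw ACEs only and does not resolve group membership, weigh Deny against Allow, or consider share permissions.

```powershell
# Added example: list every ACE that bears on deleting a file or folder.
# NTFS allows a delete when the caller holds Delete on the object itself
# OR Delete Subfolders and Files (FILE_DELETE_CHILD) on its parent folder.
function Get-DeleteGrant {
    param(
        [Parameter(Mandatory)][string]$Path
    )
    $item   = Get-Item -LiteralPath $Path -Force
    $parent = Split-Path -Parent $item.FullName
    $rights = [System.Security.AccessControl.FileSystemRights]
    $flags  = [System.Security.AccessControl.PropagationFlags]

    # Check 1: Delete on the object. Check 2: delete-child on its parent.
    $checks = @(
        @{ Target = $item.FullName; Right = $rights::Delete; Source = 'object' }
    )
    if ($parent) {   # empty when $Path is a drive root
        $checks += @{ Target = $parent; Right = $rights::DeleteSubdirectoriesAndFiles; Source = 'parent folder' }
    }

    foreach ($c in $checks) {
        $acl = Get-Acl -LiteralPath $c.Target
        foreach ($ace in $acl.Access) {
            # An inherit-only ACE (e.g. CREATOR OWNER) does not apply to the
            # object that carries it, only to children created later.
            if ($ace.PropagationFlags -band $flags::InheritOnly) { continue }
            if (($ace.FileSystemRights -band $c.Right) -eq $c.Right) {
                [pscustomobject]@{
                    Source    = $c.Source
                    Path      = $c.Target
                    Identity  = $ace.IdentityReference.Value
                    Type      = $ace.AccessControlType   # Allow or Deny
                    Right     = $c.Right
                    Inherited = $ace.IsInherited
                    Owner     = $acl.Owner               # owner can rewrite this DACL
                }
            }
        }
    }
}

# Constructed usage; the path is a placeholder.
# Get-DeleteGrant -Path 'D:\Share\UserFolder\admin-file.txt' | Format-Table -AutoSize
```

A row with Source "parent folder" and Type Allow is the grant that the file's own ACL does not show.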