Re: Office 2007 NTFS Permissions problem

Comptroller <Comptrol...@xxxxxxxxxxxxxxxx> wrote...
....
For example, if a user with the permissions "Read & Execute", "Read"
and "Write" tries to save a Word or Excel 2003 file after making
changes, everything is fine. However, if he uses Office 2007, he
gets an "Access is Denied" error when trying to save the changes.
Now, if I give him "Modify" access to the file, he is again able to
save the changes.

Obviously, from a security viewpoint, this is a problem and a major
step backwards.
....

You don't understand what's going on or how file saving works in
Office 2003. Word and Excel 2003 save working COPIES of open files on
diesk. The copies remain OPEN while they're open in Word/Excel. When a
user saves the file, Word/Excel 2003 writes the copy of the file to
disk, AND IF SUCCESSFUL deletes the original and renames the copy with
the original filename.

In Word/Office 2007 it may be the case that Word/Excel 2007 CLOSE the
copies then try to reopen them when the user tries to save the file.
That would require modify permission because the file wasn't already
open when trying to save. THIS IS A GUESS.

However, if users can ERASE files, then there's NO EFFECTIVE
DIFFERENCE between giving them read+write+erase permissions or read
+write+modify+erase permissions. Note that if users didn't have erase
permission they'd have received many error messages when saving files
in Word/Excel 2003.

While there are low-level differences between MODIFYING a file in
place (opening existing files for write access) vs WRITING a new
version of the file, erasing the old version, then renaming the new
version with the old version's filename (never need to open the old
version after it's been read into memory), the end result is EXACTLY
the same.

Separate modify permission comes from the old days when some users
could create NEW files but neither erase or modify any existing files.
Some transaction systems depended on this. However, it ONLY makes
sense in highly specialized processing scenarios, NOT (as in, NEVER)
normal user working directories in which users are creating, revising
and deleting files all the time.

.

Relevant Pages

  • Excel 2007 with delete deny cant save
    ... I have a big problem with Excel 2007. ... I have a shared folder on our file server where users can modify the excel ... files within, but can't delete them, I have set delete deny on permission. ...
    (microsoft.public.excel)
  • Re: Applying NTFS Folder Permissions
    ... 2nd paragraph indicates that "Modify" in the first paragraph should have ... which the HR group has been granted the Read permission and the 4th Floor ... Giorgio is attempting to access a folder for which the HR ...
    (microsoft.public.cert.exam.mcsa)
  • Re: Restricting Domain Admins
    ... > Change the security on the adminSDHolder container so that domain admins ... > Modify Permissions ... >>> Removed Modify permission ... >>> Removed modify owner permission ...
    (microsoft.public.windows.server.security)
  • Re: Exchange 2003 Event 8270 and Event 8022
    ... I have seen this article and the permission to ... Modify Permissions Allow ... but not the other child domain. ... Enterprise Servers, CHILDDOMAIN\Pre-Windows 2000 Compatible Access ...
    (microsoft.public.exchange.admin)
  • Re: Restricting Domain Admins
    ... Modify Permissions ... the settings I have changed stop domain admins from ... >> Removed Modify permission ... >> Removed modify owner permission ...
    (microsoft.public.windows.server.security)