Re: NTFS Permissions
From: Ricardo M. Urbano - W2K/NT4 MVP (rmu1_at_columbiaSPAM.SUCKSedu)
Date: 03/10/04
Date: Wed, 10 Mar 2004 15:50:46 -0500
Peter Birkle wrote:
>
> I want to be able to secure my network file shares through NTFS permissions so that users cannot accidentally delete subfolders or the root folder of their file share but have come across an interesting problem.
>
> I have set domain administrator group to have full rights to a test folder. No problems with this.
> Then I have a test group called test1 with a bunch of users in the test group and I apply this group to have modify permissions on the test folder. Looking at the advanced properties I can see the granular permissions.
>
> The explicit permission Delete Sub Folders and Files is unticked and is applied for this folder, subfolders and files, yet users who belong to the test1 group can still delete all subfolders. I don't mind if they delete files but whole sub folders is a real concern.
>
> Has anyone seen a similar problem before?
>
> I have also tried applying only to folders and files but this is very restrictive, meaning that users cannot create their own folders and they cannot rename new folders etc. Not very practical.
>
> All I want is for my users not to be able to delete sub folders and the root folders.
>
> Any help is much appreciated
> Peter Birkle

Peter, what you are seeing is inheritance. If a user has delete
permissions on a folder and the permissions apply to this folder and
subfolders, if the subfolder's permissions haven't been explicitly
modified, it will inherit the delete permission from the parent, even if
the parent doesn't explicitly grant delete permissions to the subfolder.

To prevent users from deleting folders, the best compromise I have come
up w/ is as follows:

1) Grant the users Read, Write, and Execute perms on the given folder,
   subfolders, and files
2) Grant the users delete perms on files only
3) Grant CREATOR/OWNER delete perms on subfolders only.

This will allow any user to create a folder (for some reason, you need
delete perms on a folder to rename it), but by default, all other users
will only have read, write, and execute perms to that folder.

hth

-- Ricardo M. Urbano Microsoft Windows 2000/NT MVP
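
The three grants in the reply above, written as explicit access-control entries with PowerShell's Get-Acl/Set-Acl. This is an added example, not part of the original message; the path and group name are hypothetical placeholders, and it assumes the group's current permissions were set directly on this folder rather than inherited from above it.

```powershell
# Added example; $Path and $Group are hypothetical placeholders.
$Path  = 'D:\Shares\Test'
$Group = 'EXAMPLE\test1'

$CI    = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit   # subfolders
$OI    = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit      # files
$Both  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoPf  = [System.Security.AccessControl.PropagationFlags]::None
$IO    = [System.Security.AccessControl.PropagationFlags]::InheritOnly        # not this folder itself
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$Rwx   = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write'
$Del   = [System.Security.AccessControl.FileSystemRights]::Delete

$groupId      = New-Object System.Security.Principal.NTAccount -ArgumentList $Group
$creatorOwner = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-3-0'  # CREATOR OWNER

function New-AllowAce($Identity, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $Inherit, $Propagate, $Allow
}

$acl = Get-Acl -LiteralPath $Path

# Drop the group's existing explicit entries (for example the Modify grant,
# which carries Delete down to subfolders).
$acl.PurgeAccessRules($groupId)

# 1) Read, Write and Execute on this folder, subfolders and files.
$acl.AddAccessRule((New-AllowAce $groupId $Rwx $Both $NoPf))
# 2) Delete on files only.
$acl.AddAccessRule((New-AllowAce $groupId $Del $OI $IO))
# 3) Delete for CREATOR OWNER on subfolders only.
$acl.AddAccessRule((New-AllowAce $creatorOwner $Del $CI $IO))

Set-Acl -LiteralPath $Path -AclObject $acl

# Check: list every entry on $Path that hands Delete to subfolders.
# The test group should no longer appear in this list.
(Get-Acl -LiteralPath $Path).Access |
    Where-Object { ($_.FileSystemRights -band $Del) -and ($_.InheritanceFlags -band $CI) } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```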