Re: Directory / File Permissions

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: "Isaac Steinfeld" <isteinfeld@xxxxxxxxxxx>
Date: Fri, 10 Feb 2006 09:32:18 -0500

When a user is a member of a group, the user has the combined NTFS rights of
his personal permissions and his multiple group membership permissions,
unless there is an explicit deny on one level of his permissions. Thus, in
your case, the members of the Phone_Admin group should have Read/Write
permissions on the Phone folder. Unless, of course, if the Domain User group
is denied Write permissions on the folder, then all Domain Users are denied
Write permissions to the folder.

What you should do is simply remove the Domain Users group from the ACL. To
do this you will have to disable permission inheritance first.
To do that:
In the Security tab, click Advanced & uncheck the box to "Clear the Inherit
from parent the permission entries that apply to child objects. Include
these with entries explicitly defined here" . In the next screen, choose "
To copy the permission entries that were previously applied from the parent
to this object, click Copy."

No you can remove the Domain Users group from the ACL.

"Kitey" <Kitey@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0E25B2F1-4219-4D0F-9E3C-8CF8517D5589@xxxxxxxxxxxxxxxx

I Have a directory on the Win2003 server shared called information that
everyone has access to and is mapped to R:\ under that is a subdirectory
called phones. At the moment everyone can read and write to that directory
because "Domain Users" group has full rights. I want to restrict the

rights

to read only for everybody execept for "Phone_Admin" group. Problem is If

change the NTFS permissions so that "Domain Users" is Read only and "Phone
Admin" is Read/Write etc. The members of the "Phone_Admin" group still

only

have read only access due to their membership of "Domain Users" taking
preference. I dont want to have to create another group with everyone

apart

from members of "Phone Admin" so how can I get around this?

Prev by Date: Ntbackup problem
Next by Date: Re: newbie user internet permissions
Previous by thread: Ntbackup problem
Next by thread: Re: Directory / File Permissions
Index(es):
- Date
- Thread

Relevant Pages

Re: Domain account iwth restricted rights
... That was probably added to account for the change above. ... The Domain Users causes the "Logon Locally" right to be present ... So you need both different permissions and different rights perhaps. ...
(microsoft.public.windows.server.active_directory)
Re: Changing groups
... pleaderb, sue, frank, ed are members of group projectb ... Everyone is a member of group user. ... depending on the file's permissions they can read and write the ... I do this all the time, using Samba. ...
(Debian-User)
Re: Outside Users RDP into WS2008???
... Name it DL-Consultants ... Assign permissions on a resource to domain local group '. ... add any user account belonging to your consultants to become member of G-Consultants group. ... End disconnected session: ...
(microsoft.public.windows.server.general)
Re: How to remove a user from a mail group (Tried to search...)
... If you're using Distribution Groups, these cannot show up in any ACLs ... If it is a Security Group, you'll need to figure out the what different ... resources the group could have permissions on. ... I go to "member of" tab. ...
(microsoft.public.exchange.admin)
Re: How to use a Group Distribution list inorder to send and received messages
... In the Permissions list, locate Send As, and then click to select the ... permission of the user account that is a member of one of administrative ... groups will be reset to match the ACL of the AdminSDHolder thread. ... Directory domain controller that holds the primary domain controller ...
(microsoft.public.exchange.admin)