Click here to get back home

Create Folders permission
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Create Folders permission Jack 06-17-2006
Posted by Jack on June 17, 2006, 12:50 pm
Please log in for more thread options
 I have shared folder on Windows 2003, when I check Domain Users
permission is only Read & Execute, Read, List Folder Contents. Then I
check in advanced and edit Domain Users permission - Create Folders and

Create Files are unchecked, but when I go to efective permission and
select Domain Users there Create Folders and Create Files are checked.

I don't know what is going on. Domain Users is not a part of any other
user group. Other shared folder on Windows 2000 work fine with the same

configuration.


What could be wrong? How to block domain users to create folders?


Posted by Steven L Umbach on June 17, 2006, 1:05 pm
Please log in for more thread options
 Check to see if domain users group is in any "local" group on that server
other then users. If it is in local administrators or power users for
instance that could explain why the permissions are more than you expect.
Also logon as a user that is just in the domain users group, and not an
owner of the folder to see if you can actually crate folders or not. When
testing out access keep in mind that the owner of a folder/file will usually
have full control permissions to the folder file and if you change a users
group membership that user will need to logoff and logon again to update
their security token with the new group membership. --- Steve


>I have shared folder on Windows 2003, when I check Domain Users
> permission is only Read & Execute, Read, List Folder Contents. Then I
> check in advanced and edit Domain Users permission - Create Folders and
>
> Create Files are unchecked, but when I go to efective permission and
> select Domain Users there Create Folders and Create Files are checked.
>
> I don't know what is going on. Domain Users is not a part of any other
> user group. Other shared folder on Windows 2000 work fine with the same
>
> configuration.
>
>
> What could be wrong? How to block domain users to create folders?
>



Posted by Roger Abell [MVP] on June 17, 2006, 2:29 pm
Please log in for more thread options
>I have shared folder on Windows 2003, when I check Domain Users
> permission is only Read & Execute, Read, List Folder Contents. Then I

This is evidently in the generic NTFS (not under Advanced button) dialog.
Is there a gray tone to the Special box ?

> check in advanced and edit Domain Users permission - Create Folders and
>
> Create Files are unchecked, but when I go to efective permission and
> select Domain Users there Create Folders and Create Files are checked.
>
If effective shows that then it is due to there being a grant somewhere
directly to Domain Users group. Are those boxes grayish - indicating
this is being inherited from a parent folder ?

> I don't know what is going on. Domain Users is not a part of any other
> user group. Other shared folder on Windows 2000 work fine with the same
> configuration.
>

If it were embedded that would not matter for this, as the effective are
showing the effective grants made directly to that group, not all of the
potentially existing indirect ones.

>
> What could be wrong? How to block domain users to create folders?
>
Probably nothing, and all is likely as it should be, given the grants
that exist on the object or its containing object. You just need to
determine at what point that grant is being made and adjust the
grants to your needs.



Posted by Jack on June 22, 2006, 1:24 pm
Please log in for more thread options

Roger Abell [MVP] wrote:
> >I have shared folder on Windows 2003, when I check Domain Users
> > permission is only Read & Execute, Read, List Folder Contents. Then I
>
> This is evidently in the generic NTFS (not under Advanced button) dialog.
> Is there a gray tone to the Special box ?
>
> > check in advanced and edit Domain Users permission - Create Folders and
> >
> > Create Files are unchecked, but when I go to efective permission and
> > select Domain Users there Create Folders and Create Files are checked.
> >
> If effective shows that then it is due to there being a grant somewhere
> directly to Domain Users group. Are those boxes grayish - indicating
> this is being inherited from a parent folder ?
>
> > I don't know what is going on. Domain Users is not a part of any other
> > user group. Other shared folder on Windows 2000 work fine with the same
> > configuration.
> >
>
> If it were embedded that would not matter for this, as the effective are
> showing the effective grants made directly to that group, not all of the
> potentially existing indirect ones.
>
> >
> > What could be wrong? How to block domain users to create folders?
> >
> Probably nothing, and all is likely as it should be, given the grants
> that exist on the object or its containing object. You just need to
> determine at what point that grant is being made and adjust the
> grants to your needs.


I just create new share folder(share permission :full control to
everyone),
security - domain users:Read & Execute, List Folders and Contents, Read
- (any grayish checked box).
User is not a part of any local groups, groups by gpresult command:

User security groups:

Domain Users
Everyone
Builtin\users
NT Authority\Interactive
NT Authority\Authenticated Users
LOCAL

Efective permission this time show Create Folders and Files unchecked,
but still I can create folders and files in this share. Another
Server Windows 2000 (member of the same domain) has the same share
permission and security and you cannot create any folders or files in
share

Is there are some configuration in Windows 2003 File Server that as
default every users who can read can also append data. Because
changing files or delete show correctly Access Denied, just server let
you append data


Share is created by administrator so user is not owner etc.... share
permission are:
Administrators(servername\administrators) full control
Creator Owner none
System full control
Users(server name\users) read & execute
Domain Users read & execute


Posted by Jack on June 22, 2006, 2:17 pm
Please log in for more thread options

Roger Abell [MVP] wrote:
> >I have shared folder on Windows 2003, when I check Domain Users
> > permission is only Read & Execute, Read, List Folder Contents. Then I
>
> This is evidently in the generic NTFS (not under Advanced button) dialog.
> Is there a gray tone to the Special box ?
>
> > check in advanced and edit Domain Users permission - Create Folders and
> >
> > Create Files are unchecked, but when I go to efective permission and
> > select Domain Users there Create Folders and Create Files are checked.
> >
> If effective shows that then it is due to there being a grant somewhere
> directly to Domain Users group. Are those boxes grayish - indicating
> this is being inherited from a parent folder ?
>
> > I don't know what is going on. Domain Users is not a part of any other
> > user group. Other shared folder on Windows 2000 work fine with the same
> > configuration.
> >
>
> If it were embedded that would not matter for this, as the effective are
> showing the effective grants made directly to that group, not all of the
> potentially existing indirect ones.
>
> >
> > What could be wrong? How to block domain users to create folders?
> >
> Probably nothing, and all is likely as it should be, given the grants
> that exist on the object or its containing object. You just need to
> determine at what point that grant is being made and adjust the
> grants to your needs.


I just create new share folder(share permission :full control to
everyone),
security - domain users:Read & Execute, List Folders and Contents, Read
- (any grayish checked box).
User is not a part of any local groups, groups by gpresult command:

User security groups:

Domain Users
Everyone
Builtin\users
NT Authority\Interactive
NT Authority\Authenticated Users
LOCAL

Efective permission this time show Create Folders and Files unchecked,
but still I can create folders and files in this share. Another
Server Windows 2000 (member of the same domain) has the same share
permission and security and you cannot create any folders or files in
share

Is there are some configuration in Windows 2003 File Server that as
default every users who can read can also append data. Because
changing files or delete show correctly Access Denied, just server let
you append data


Share is created by administrator so user is not owner etc.... share
permission are:
Administrators(servername\administrators) full control
Creator Owner none
System full control
Users(server name\users) read & execute
Domain Users read & execute


Similar ThreadsPosted
Limiting the ability to create folders in network filing structure November 16, 2005, 12:56 pm
Create a domain account with full access to all files and folders? October 24, 2006, 11:03 am
Effective permission - folders April 18, 2006, 7:54 pm
Special Permission for folders and files January 12, 2006, 12:04 pm
deny create folder but allow create files June 16, 2005, 12:08 pm
How to create a baseline w/ SCW October 26, 2007, 2:23 pm
Create Your Own Monthly Income October 27, 2005, 4:30 pm
Re: permision to create port on dc June 17, 2006, 11:45 am
How do you create certificate in pkcs12 format? March 10, 2006, 8:31 am
How to create a user with access to one server only. April 30, 2007, 6:48 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap