Posted by markfcook on September 6, 2007, 9:04 am
Roger
thanks for the information.
mark
> Two observations off the top.
>
> First, I would recommend that you do not use Deny.
> Save that as a last (very, very last) resort.
>
> Second, you will not be able to effect the precise specification
> you have outlined, mostly because after an account has created
> something new in subfolder1 they will be able to obtain more
> than specified on what they created.
>
> You will not get what you are after by only making NTFS grants
> on e:\dept1
>
> Let us say you have two groups, Dept1Mgrs and Dept1Users
>
> On e:\Dept1 grant
> Modify to Dept1Mgrs for This folder, subfolders and files
> Read, or perhaps Read/Execute to Dept1Users also set for
> This folder, subfolders and files
>
> e:\Dept1 should be set to not inherit, but e:\Dept1\subfolder1
> and e:\Dept1\subfolder2 should inherit (from e:\Dept1)
>
> On each of e:\Dept1\subfolder1 and e:\Dept1\subfolder2
> add a Modify grant to Dept1Users for Subfolders and files
>
> Now, one last thing is needed to enable Dept1Users to
> make new things, so again on e:\Dept1\subfolder1 and
> e:\Dept1\subfolder2 grant to Dept1Users
> This takes the form of two special grants
> 1) Create Folders/Append Data for This folder and subfolders
> 2) Create Files/Write Data also for This folder and subfolders
>
>
>
> > i've been asked to cleanup one of our departmental drives...
>
> > I have a folder with the following structure
> > E:\Dept1
> > E:\Dept1\subfolder1
> > E:\Dept1\subfolder2
>
> > The owner has requested that i grant access to his department so that
> > only he can create or modify folders in E:\Dept1. However, in the sub-
> > folders (subfolder1, subfolder2), he wants his department to have all
> > rights short of ownership and access control. My question is, how do
> > i do this?
>
> > I've tried read-only permissions for "ThisFolderOnly" on E:\Dept1
> > and granting essentially what is Modify via the "Subfolders and files"
> > on the folder. at least that's what i think i'm doing with the
> > following:
>
> > currently the settings are
> > Folder: E:\Dept1
> > Scope : ThisFolderOnly
>
> > Allow the following:
> > Traverse Folder/Execute File
> > List folder/Read data
> > Read Attributes
> > Read extended attributes
> > Read permissions
>
> > Deny the following:
> > Create files/Write data
> > Create folders/Append Data
> > Write attributes
> > Write extended attributes
> > Delete Subfolders and Files
> > Delete
>
> > Folder: E:\Dept1
> > Scope : Subfolders and files
> > Allow the following:
> > Traverse Folder/Execute File
> > List folder/Read data
> > Read Attributes
> > Read extended attributes
> > Create files/Write data
> > Create folders/Append Data
> > Write attributes
> > Write extended attributes
> > Delete Subfolders and Files
> > Delete
> > Read permissions
>
> > the resulting permissions then deny the user from creating new
> > subfolders, but because of the settings for "Subfolders and Files"
> > they can still delete things like E:\Dept1\Subfolder1 for example...
>
> > maybe i'm missing something obvious, but i can't figure out how to
> > accomplish the requirements short of setting permissions on each
> > individual subfolder, which i'm loathe to do....
>
> > any help is appreciated...
> > mark
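
The grants described in the quoted reply, written out as icacls calls from PowerShell. This is an added example, not part of the original thread; it assumes an elevated session, that the group names resolve as written, and that Administrators and SYSTEM should keep Full control once inheritance is removed from E:\Dept1.

```powershell
# Added example (not from the thread): the quoted grants expressed as icacls calls.
# Assumptions: elevated session; Dept1Mgrs/Dept1Users resolve as written;
# Administrators and SYSTEM keep Full control once inheritance is removed.
$root  = 'E:\Dept1'
$subs  = 'subfolder1', 'subfolder2'
$mgrs  = 'Dept1Mgrs'
$users = 'Dept1Users'

function Invoke-Icacls {
    param([string]$Path, [string[]]$IcaclsArgs)
    & icacls.exe $Path @IcaclsArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path (exit $LASTEXITCODE)" }
}

# E:\Dept1: explicit grants first, so the folder is never left with an empty DACL.
Invoke-Icacls $root @(
    '/grant:r',
    '*S-1-5-32-544:(OI)(CI)F',   # BUILTIN\Administrators (assumption)
    '*S-1-5-18:(OI)(CI)F',       # NT AUTHORITY\SYSTEM (assumption)
    "${mgrs}:(OI)(CI)M",         # Modify: this folder, subfolders and files
    "${users}:(OI)(CI)RX"        # Read/Execute: this folder, subfolders and files
)
# Stop inheriting from E:\ and drop the inherited ACEs; explicit ACEs stay.
Invoke-Icacls $root @('/inheritance:r')

foreach ($name in $subs) {
    $path = Join-Path $root $name
    # Subfolders inherit from E:\Dept1, then receive the extra grants.
    Invoke-Icacls $path @('/inheritance:e')
    # Clear earlier explicit grants for the group so reruns do not stack ACEs.
    Invoke-Icacls $path @('/remove:g', $users)
    Invoke-Icacls $path @(
        '/grant',
        "${users}:(OI)(CI)(IO)M",  # Modify: subfolders and files only
        "${users}:(CI)(WD,AD)"     # Create Files/Write Data and Create Folders/Append Data:
                                   # this folder and subfolders
    )
}

# Print the resulting ACLs for review; the layout uses no Deny entries.
icacls.exe $root
$subs | ForEach-Object { icacls.exe (Join-Path $root $_) }
```

Because the Modify grant on each subfolder is inherit-only, Dept1Users receive no Delete right on subfolder1 or subfolder2 themselves, only on what sits beneath them.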