Click here to get back home

How to set this Folder security
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
How to set this Folder security cisconoobie via WinServerKB.co 10-05-2006
Posted by cisconoobie via WinServerKB.co on October 5, 2006, 8:25 pm
Please log in for more thread options
 I have a folder named QA that is inheriting the following permissions:

Domain Admins - Full
Authenticated Users - Read & Execute

I manually add Group A for read, execute and special permission ( I enable
delete subfolders and files) I make sure Delete is unchecked.

Now I create "Magic" folder inside QA and I want to make sure Group A has
Delete priviledges for subfolders and files of Magic but I dont want group A
from deleting the "Magic" Folder.

How do I do that?

--
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-security/200610/1


Posted by Roger Abell [MVP] on October 5, 2006, 9:54 pm
Please log in for more thread options
 Since on the QA parent folder of Magic you have explicitly
stated that GroupA can delete folders within QA you need
to "override" that. There are two ways. First, my preferred,
is to go into the NTFS permissions on Magic and in the
Advanced view uncheck the spec for it to inherit permissions.
You would probably want to select Copy of permissions, and
then edit these so that the GroupA grant is like that you had
granted on QA. The other route would be to leave Magic
inheriting permissions but to add a new ACE that Denies
GroupA Delete for This folder only.
I prefer the first way as use of Deny can become complicated
all too fast, especially if the Deny gets inherited onto substructure
and/or files.
>I have a folder named QA that is inheriting the following permissions:
>
> Domain Admins - Full
> Authenticated Users - Read & Execute
>
> I manually add Group A for read, execute and special permission ( I enable
> delete subfolders and files) I make sure Delete is unchecked.
>
> Now I create "Magic" folder inside QA and I want to make sure Group A has
> Delete priviledges for subfolders and files of Magic but I dont want group
> A
> from deleting the "Magic" Folder.
>
> How do I do that?
>
> --
> Message posted via WinServerKB.com
> http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-security/200610/1
>



Posted by M. Burnett on October 5, 2006, 11:34 pm
Please log in for more thread options
If you do not want Group A to be able to delete the Magic folder, you
have to make sure they cannot delete subfolders and files in the QA
folder AND you need to take away (or deny) their right to delete the
Magic folder itself. Furthermore, you should then give Group A the
permission, on Magic, to delete subfolders and files.

Some things to note here:
- Denying Delete folders and subfolders on the QA dir will not, in
itself, prevent them from deleting the Magic folder. You need to deny
delete on that folder as well.
- Denying Delete on the Magic folder will not, in itself, prevent them
from deleting that folder.
- Denying Delete folders and subfolders on the QA dir will not prevent
them from deleting any other folders in the QA dir where they have the
permissions to delete them.

As Roger stated, you can remove the inheritance from parent folders, or
you can just add what you need on the folder itself, since permissions
set directly on an object will normally take precedence over inherited
permissions. However, when I start getting creative with file
permissions, I prefer not to inherit from the parent.


Mark Burnett






> Since on the QA parent folder of Magic you have explicitly
> stated that GroupA can delete folders within QA you need
> to "override" that. There are two ways. First, my preferred,
> is to go into the NTFS permissions on Magic and in the
> Advanced view uncheck the spec for it to inherit permissions.
> You would probably want to select Copy of permissions, and
> then edit these so that the GroupA grant is like that you had
> granted on QA. The other route would be to leave Magic
> inheriting permissions but to add a new ACE that Denies
> GroupA Delete for This folder only.
> I prefer the first way as use of Deny can become complicated
> all too fast, especially if the Deny gets inherited onto substructure
> and/or files.
>
> >I have a folder named QA that is inheriting the following permissions:
> >
> > Domain Admins - Full
> > Authenticated Users - Read & Execute
> >
> > I manually add Group A for read, execute and special permission ( I
> enable
> > delete subfolders and files) I make sure Delete is unchecked.
> >
> > Now I create "Magic" folder inside QA and I want to make sure Group A
> has
> > Delete priviledges for subfolders and files of Magic but I dont want
> group
> > A
> > from deleting the "Magic" Folder.
> >
> > How do I do that?
> >
> > --
> > Message posted via WinServerKB.com
> >
> http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-security/20061
> 0/1
> >


Posted by cisconoobie via WinServerKB.co on October 6, 2006, 2:10 pm
Please log in for more thread options
Ok so I'm still having problems

I removed the inheritance permission and added

GroupA Deny Delete on this folder only

This is what happens,

I login with a user account that is in Group A

I cannot delete any files or folders inside Magic but I can rename Magic or
delete it.

I'm really confused.

What do I need to do exactly to prevent users from deleting magic or renaming
it. I want Group A to have all other access for the subfolders.

M. Burnett wrote:
>If you do not want Group A to be able to delete the Magic folder, you
>have to make sure they cannot delete subfolders and files in the QA
>folder AND you need to take away (or deny) their right to delete the
>Magic folder itself. Furthermore, you should then give Group A the
>permission, on Magic, to delete subfolders and files.
>
>Some things to note here:
>- Denying Delete folders and subfolders on the QA dir will not, in
>itself, prevent them from deleting the Magic folder. You need to deny
>delete on that folder as well.
>- Denying Delete on the Magic folder will not, in itself, prevent them
>from deleting that folder.
>- Denying Delete folders and subfolders on the QA dir will not prevent
>them from deleting any other folders in the QA dir where they have the
>permissions to delete them.
>
>As Roger stated, you can remove the inheritance from parent folders, or
>you can just add what you need on the folder itself, since permissions
>set directly on an object will normally take precedence over inherited
>permissions. However, when I start getting creative with file
>permissions, I prefer not to inherit from the parent.
>
>Mark Burnett
>
>> Since on the QA parent folder of Magic you have explicitly
>> stated that GroupA can delete folders within QA you need
>[quoted text clipped - 33 lines]
>> http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-security/20061
>> 0/1

--
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-security/200610/1


Posted by Roger Abell [MVP] on October 7, 2006, 3:45 am
Please log in for more thread options

> Ok so I'm still having problems
>
> I removed the inheritance permission and added
>
> GroupA Deny Delete on this folder only
>
> This is what happens,
>
> I login with a user account that is in Group A
>
> I cannot delete any files or folders inside Magic but I can rename Magic
> or
> delete it.
>
> I'm really confused.
>
> What do I need to do exactly to prevent users from deleting magic or
> renaming
> it. I want Group A to have all other access for the subfolders.

See my post !
Roger

>
> M. Burnett wrote:
>>If you do not want Group A to be able to delete the Magic folder, you
>>have to make sure they cannot delete subfolders and files in the QA
>>folder AND you need to take away (or deny) their right to delete the
>>Magic folder itself. Furthermore, you should then give Group A the
>>permission, on Magic, to delete subfolders and files.
>>
>>Some things to note here:
>>- Denying Delete folders and subfolders on the QA dir will not, in
>>itself, prevent them from deleting the Magic folder. You need to deny
>>delete on that folder as well.
>>- Denying Delete on the Magic folder will not, in itself, prevent them
>>from deleting that folder.
>>- Denying Delete folders and subfolders on the QA dir will not prevent
>>them from deleting any other folders in the QA dir where they have the
>>permissions to delete them.
>>
>>As Roger stated, you can remove the inheritance from parent folders, or
>>you can just add what you need on the folder itself, since permissions
>>set directly on an object will normally take precedence over inherited
>>permissions. However, when I start getting creative with file
>>permissions, I prefer not to inherit from the parent.
>>
>>Mark Burnett
>>
>>> Since on the QA parent folder of Magic you have explicitly
>>> stated that GroupA can delete folders within QA you need
>>[quoted text clipped - 33 lines]
>>> http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-security/20061
>>> 0/1
>
> --
> Message posted via WinServerKB.com
> http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-security/200610/1
>



Similar ThreadsPosted
Folder Security November 17, 2006, 6:34 am
Folder redirection and security November 9, 2005, 10:45 am
Folder security question February 10, 2006, 11:58 am
Folder security problem April 6, 2006, 1:27 am
Security on Tasks Folder April 24, 2006, 11:23 am
Folder and Files Security October 3, 2006, 1:46 pm
Folder Security Issue November 1, 2007, 10:53 am
Strange folder security problem October 4, 2006, 3:45 pm
Sensitive Folder Security - Best Practice November 24, 2006, 9:50 am
Folder/Share security question January 7, 2008, 10:17 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap