
NTFS Permission

Posted by Martin on April 21, 2006, 10:04 am
Hi

I'm using Windows 2000 Server with AD (mixed Mode)
The user is registered on the server as domain user.
The user is logged in to another domain with the same init and password
The user is not administrator on his local computer and the other
domain.
The user has access on the files over a mapped drive with his init and
password.

Why can the user delete a file if the permission of the file is set
"Delete denied"?

Regards
Martin


Posted by Roger Abell [MVP] on April 21, 2006, 12:02 pm
There can be a couple of reasons.

First, which domain is which, from where the user accesses
the share, etc. are all immaterial here. Rather what is important
is that the user can access the share (hence the domains all have
agreed the user is allowed), and what settings exist on the share
and on the storage relative to the account used and the groups
that account is in.

Now, delete.
It can depend on how the permissions are set on the storage.
An explicit (not inherited) grant will overrule an inherited deny.
So, say the Deny is on the parent of the containing folder, but
there is a grant to RemoteDomainUsers set on the actual
containing folder where RemoteDomainUsers is a group that
includes the test account.
Also, there is an old Posix compliance requirement that a
contained item must be deletable if full permissions exist on
the containing item that might be coming into play.
Finally, you say there is a deny of delete, but it is not clear
whether that deny exists on the file being deleted (i.e. it may
exist on the containing folder but not be set to inherit onto
contained files; or, the file may have been moved into the
folder from elsewhere within the same partition).

So, it is not possible to answer your question with only the
information provided as we do not know the precise settings
on the folder, etc.

> Hi
>
> I'm using Windows 2000 Server with AD (mixed Mode)
> The user is registered on the server as domain user.
> The user is logged in to another domain with the same init and password
> The user is not administrator on his local computer and the other
> domain.
> The user has access on the files over a mapped drive with his init and
> password.
>
> Why can the user delete a file if the permission of the file is set
> "Delete denied"?
>
> Regards
> Martin
>



Posted by Martin on April 24, 2006, 4:34 am
The user has an account on the domain A as a domain user.
His PC is in the Domain A.
His notebook is not in the domain A but he has the same init and the
same password.
The user has access with his notebook on the files over a share with
his init and password. The share is set manually with the explorer.

The file inherits the permission from the folder (Administrators:Full;
Domain users Full)
The Owner of the file is another user.
The file permissions for the user are set to read, read / execute.

Now I set as Administrator "Delete denied" for the user.

The user can delete the File!

Regards
Martin


Posted by Roger Abell [MVP] on April 24, 2006, 9:25 am
Martin

You say you have set a Deny Delete for "the user".
Evidently that means the account of the user in Domain A?
Are these domains within one forest? Are these trusting if
not within one forest?
Have you set any auditing on the files in order to see what
account is actually being used during the delete ?

Roger

> The user has an account on the domain A as a domain user.
> His PC is in the Domain A.
> His notebook is not in the domain A but he has the same init and the
> same password.
> The user has access with his notebook on the files over a share with
> his init and password. The share is set manually with the explorer.
>
> The file inherits the permission from the folder (Administrators:Full;
> Domain users Full)
> The Owner of the file is another user.
> The file permissions for the user are set to read, read / execute.
>
> Now I set as Administrator "Delete denied" for the user.
>
> The user can delete the File!
>
> Regards
> Martin
>
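
Added example, not part of the thread: a simplified Python model of the two rules in Roger Abell's first reply (a nearer grant outranking a deny inherited from farther up, and full permissions on the containing folder allowing deletion of its contents), run on constructed ACLs shaped like those in the posts. The names `Ace`, `granted`, `delete_decision` and the `depth` field are illustrative assumptions, and the model does not establish which cause applied in Martin's case.

```python
from dataclasses import dataclass

# Real access-mask bits; FULL is simplified to the bits this model uses.
FILE_READ_DATA = 0x0001
FILE_DELETE_CHILD = 0x0040   # "Delete Subfolders and Files" on a folder
DELETE = 0x00010000
FULL = FILE_READ_DATA | FILE_DELETE_CHILD | DELETE

@dataclass(frozen=True)
class Ace:
    allow: bool
    trustee: str
    mask: int
    depth: int = 0   # 0 explicit, 1 inherited from folder, 2 from its parent

def granted(dacl, sids, wanted):
    """Walk ACEs in canonical order: nearer first, deny before allow."""
    remaining = wanted
    for ace in sorted(dacl, key=lambda a: (a.depth, a.allow)):
        if ace.trustee not in sids:
            continue
        if not ace.allow and ace.mask & remaining:
            return False      # a still-needed bit is denied first
        if ace.allow:
            remaining &= ~ace.mask
            if not remaining:
                return True   # every requested bit was allowed
    return False              # nothing granted the remaining bits

def delete_decision(file_dacl, folder_dacl, sids):
    """Name the rule that lets the caller delete the file, or None."""
    if granted(file_dacl, sids, DELETE):
        return "DELETE on file"
    if granted(folder_dacl, sids, FILE_DELETE_CHILD):
        return "FILE_DELETE_CHILD on folder"
    return None

# Constructed ACLs. file_deny mirrors the follow-up post: explicit Deny Delete
# for the user on a file that inherits Full for Domain Users from its folder.
USER = {"user", "Domain Users"}
folder_full = [Ace(True, "Administrators", FULL), Ace(True, "Domain Users", FULL)]
file_deny = [Ace(False, "user", DELETE), Ace(True, "user", FILE_READ_DATA),
             Ace(True, "Domain Users", FULL, 1)]
folder_no_child = [Ace(True, "Domain Users", FILE_READ_DATA | DELETE)]
# Grant set on the containing folder (depth 1) vs. deny from its parent (depth 2).
file_mixed = [Ace(False, "RemoteDomainUsers", DELETE, 2),
              Ace(True, "RemoteDomainUsers", DELETE, 1)]

if __name__ == "__main__":
    print(delete_decision(file_deny, folder_full, USER))
```

With `folder_no_child` in place of `folder_full`, the same file ACL yields no delete right, which is the check to make on the containing folder when a Deny Delete on a file appears to be ignored.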


