
NTFS woes

Posted by Rik G. on January 22, 2008, 8:14 pm
I've given a user full control over a folder, its sub folders and files.
I want to prevent the user from deleting one particular file in that
folder. He should only be able to read it.

When I create an explicit Deny Delete permission for that file, the user can
still delete the file. I thought that Deny permissions always took
precedence over Allow permissions?

What's going on? Can this be done with NTFS at all?

Regards

R.




Posted by Special Access on January 22, 2008, 9:11 pm

>I've given a user full control over a folder, its sub folders and files.
>I want to prevent the user from deleting one particular file in that
>folder. He should only be able to read it.
>
>When I create an explicit Deny Delete permission for that file, the user can
>still delete the file. I thought that Deny permissions always took
>precedence over Allow permissions?
>
>What's going on? Can this be done with NTFS at all?
>
>Regards
>
>R.
>
>

You might try giving the user 'modify' rather than 'full control' over
the folder. With 'full control', the user can take ownership of any
file and change the permissions. With modify, maybe (I haven't tested
this) the user won't be able to delete that particular file.

Mike

Posted by Roger Abell [MVP] on January 22, 2008, 10:34 pm
Deny does not always overrule a grant.
An explicit deny overrules an explicit or inherited grant.
However, an inherited deny does not overrule an explicit
grant and it may or may not overrule an inherited grant (it
depends on the full context of inheritance).
That said, are you setting the full control on the folder and
the deny on the file? If so, what you may have going on
here is the "hidden delete" grant that is part of a grant of
Full on a folder. This "hidden delete" is part of requirements
for Posix compliance and is something of a pain. It imparts
ability to delete anything in the folder even though there is
are no permissions on those things to delete them.
Consider granting on the folder Modify plus permission to
change permissions (which then would be Full minus the
permission to take ownership and minus the "hidden delete")

Roger

> I've given a user full control over a folder, its sub folders and files.
> I want to prevent the user from deleting one particular file in that
> folder. He should only be able to read it.
>
> When I create an explicit Deny Delete permission for that file, the user can
> still delete the file. I thought that Deny permissions always took
> precedence over Allow permissions?
>
> What's going on? Can this be done with NTFS at all?
>
> Regards
>
> R.
>
>
>



Posted by Rik G. on January 23, 2008, 10:15 am
The context is like this: folder with Share permissions set to Full Control
for Everyone. In that folder the user's folder with NTFS permissions set to
Full Control for that user. In the user's folder one file that I don't want
him to be able to delete. (like a "sticky" in a bulletin board)

Only when I uncheck Delete Subfolders and Files is the user not able to
delete the file. But then he is no longer able to delete other files he
creates...

To me it sounds totally illogical that the explicit Deny on that one file
does not overrule the Delete Subfolders and Files permission, or even the
Full Control permission, in the parent folder.

So I suppose preventing one file from being deleted, regardless of other
permissions, cannot be done?

R.



> Deny does not always overrule a grant.
> An explicit deny overrules an explicit or inherited grant.
> However, an inherited deny does not overrule an explicit
> grant and it may or may not overrule an inherited grant (it
> depends on the full context of inheritance).
> That said, are you setting the full control on the folder and
> the deny on the file? If so, what you may have going on
> here is the "hidden delete" grant that is part of a grant of
> Full on a folder. This "hidden delete" is part of requirements
> for Posix compliance and is something of a pain. It imparts
> ability to delete anything in the folder even though there is
> are no permissions on those things to delete them.
> Consider granting on the folder Modify plus permission to
> change permissions (which then would be Full minus the
> permission to take ownership and minus the "hidden delete")
>
> Roger
>
> > I've given a user full control over a folder, its sub folders and files.
> > I want to prevent the user from deleting one particular file in that
> > folder. He should only be able to read it.
> >
> > When I create an explicit Deny Delete permission for that file, the user can
> > still delete the file. I thought that Deny permissions always took
> > precedence over Allow permissions?
> >
> > What's going on? Can this be done with NTFS at all?
> >
> > Regards
> >
> > R.
> >
> >
> >
>
>



Posted by Rik G. on January 23, 2008, 11:00 am
OK OK, after some experimentation it now works.

On the parent folder I already had unchecked Take Ownership, Change
Permissions and Delete.

I had unchecked Delete because I don't want the user to be able to delete
his folder, of course.
I checked Allow for Delete Subfolders and Files, because that is what I want
the user to be able to do (except for that one file).
Much to my surprise, with these settings the user can still delete a file for
which an explicit Deny Delete is set.

I followed up your suggestion to check Allow Modify and noticed that that
set a check for Allow Delete and unchecked Allow for Delete Subfolders and
Files in the Advanced permissions...!

Now the explicit Deny Delete on that one file works!

Still, to me that seems *totally illogical* to what the permissions "Delete"
and "Delete Subfolders and Files" promise.

Maybe someone can shed a light on the rationale behind these permissions?

Regards

R.



> Deny does not always overrule a grant.
> An explicit deny overrules an explicit or inherited grant.
> However, an inherited deny does not overrule an explicit
> grant and it may or may not overrule an inherited grant (it
> depends on the full context of inheritance).
> That said, are you setting the full control on the folder and
> the deny on the file? If so, what you may have going on
> here is the "hidden delete" grant that is part of a grant of
> Full on a folder. This "hidden delete" is part of requirements
> for Posix compliance and is something of a pain. It imparts
> ability to delete anything in the folder even though there is
> are no permissions on those things to delete them.
> Consider granting on the folder Modify plus permission to
> change permissions (which then would be Full minus the
> permission to take ownership and minus the "hidden delete")
>
> Roger
>
> > I've given a user full control over a folder, its sub folders and files.
> > I want to prevent the user from deleting one particular file in that
> > folder. He should only be able to read it.
> >
> > When I create an explicit Deny Delete permission for that file, the user can
> > still delete the file. I thought that Deny permissions always took
> > precedence over Allow permissions?
> >
> > What's going on? Can this be done with NTFS at all?
> >
> > Regards
> >
> > R.
> >
> >
> >
>
>
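The behaviour this thread arrives at, as an added example that is not part of any poster's message: Windows allows a delete when the caller has Delete on the file itself or Delete Subfolders and Files (`FILE_DELETE_CHILD`) on the parent folder, so a Deny Delete on the file only takes effect once the folder stops granting the latter. The model below is a simplified single-user access check; the function names and the `scenario` helper are hypothetical, while the mask values are the Windows SDK constants.

```python
# Simplified model of the NTFS delete decision (added example, not Windows code).
# Mask values are the Windows SDK access-right constants.
DELETE            = 0x00010000  # "Delete" on the object itself
FILE_DELETE_CHILD = 0x00000040  # "Delete Subfolders and Files" on a folder
WRITE_DAC         = 0x00040000  # "Change Permissions"
WRITE_OWNER       = 0x00080000  # "Take Ownership"
FULL_CONTROL      = 0x001F01FF
# Modify = Full Control minus the three rights Roger's reply removes.
MODIFY = FULL_CONTROL & ~(FILE_DELETE_CHILD | WRITE_DAC | WRITE_OWNER)

def access_check(acl, desired):
    """acl: list of (kind, mask, inherited) ACEs that apply to one user."""
    # Canonical order: explicit ACEs before inherited ones, and deny before
    # allow within each group.
    ordered = sorted(acl, key=lambda ace: (ace[2], ace[0] != "deny"))
    remaining = desired
    for kind, mask, _ in ordered:
        if kind == "deny" and mask & remaining:
            return False          # a deny hit a bit that is still needed
        if kind == "allow":
            remaining &= ~mask    # this allow satisfies some requested bits
        if remaining == 0:
            return True
    return False                  # no ACE granted the remaining bits

def can_delete(file_acl, parent_acl):
    # Either right is sufficient: the file's own ACL is not the only input.
    return (access_check(file_acl, DELETE)
            or access_check(parent_acl, FILE_DELETE_CHILD))

def inherit(parent_acl):
    # Assumption: child files simply inherit the folder's ACEs unchanged.
    return [(kind, mask, True) for kind, mask, _ in parent_acl]

def scenario(folder_mask):
    """Return (sticky_file_deletable, ordinary_file_deletable)."""
    folder = [("allow", folder_mask, False)]
    sticky = [("deny", DELETE, False)] + inherit(folder)  # explicit Deny Delete
    other = inherit(folder)
    return can_delete(sticky, folder), can_delete(other, folder)

if __name__ == "__main__":
    print("Full Control on folder:", scenario(FULL_CONTROL))
    print("Delete child only     :", scenario(FULL_CONTROL & ~(DELETE | WRITE_DAC | WRITE_OWNER)))
    print("Modify on folder      :", scenario(MODIFY))
```

Only the Modify case protects the one file while leaving the user's other files deletable, which matches the result reported in the last post.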


