|
Posted by Roger Abell [MVP] on February 5, 2007, 9:07 am
Please log in for more thread options
> If you have a directory that several users will share (e.g., a public TEMP
> directory), how can you configure security settings so that:
>
> 1 - any user can create a file and control reading/writing/deleting that
> file
> 2 - no user can read a file created by another user or by system
>
Depending on what your words mean in 1 this may or may not be
possible. The account that creates a file can control whether other
accounts (en mass or specifically one by one) can access the file,
but one cannot limit it to only controlling reading/writing/deleting
(it gets to control all of the permissions).
Take a fresh install of XP Pro.
As an admin create a new subfolder on the system's boot drive,
say, c:\test and then access the NTFS permissions dialog of c:\test.
You will see two grants to Adminstrators, one inherited and one
that is not inheritied (it resulted from the Creator Owner grant on
the parent c:\). Now, look at the two grants to the Users group,
both inherited from the parent. Remove the grant of Read and
Execute for This folder, subfolders and files that Users holds.
Now, log in as a non-admin and create something in c:\test.
Note that you would need to create it without navigating there
in Explorer as a non-admin no longer has privileges to do so.
(If by your 2 you only wanted to control access to the content of
the files, instead of removing the grant to Users of Read/Execute
one could replace it with a grant of List).
Roger
| 
XML Sitemap