Posted by Roger Abell [MVP] on July 9, 2007, 9:55 pm
Here is the issue.
You have a storage structure with varying permissions.
That means there are points within the structure where
different principals are added in the permissions either
without blocking inheritance of permissions from the
parent directory, or with blocking and instead explicitly
setting new inheritable permissions, or perhaps you use
no inheritance in the structure at all and just set explicit
permissions on every folder (and perhaps also file).
If you block inheritance nowhere, then just adding the
Deny at the topmost folder would do it to some extent
(if later an explicit grant included granting to the principal
that the inherited Deny targets, then the Deny would be
nullified).
Now, from what you illustrated, it seems you are blocking
inheritance at some points. So, you would need to set a
Deny at each point that forms a new inheritance root, and
you would also need to make sure that there are no explicitly
added grants below the new inheritance roots that add a grant
back for the denied principal.
Use of xcacls with the /e and /t switches will do this but will
also do more (it will add it everywhere, not just the new
inheritance points or where an added grant conflicts).
That is to say, you can do it with xcacls but that will do more
than you need and will result in more of a mess to clean up
later when you want to remove the deny.
Roger
> I'd like to add a security group to my Windows 2003 domain which is
> denied file permissions on all but one of my network's shared
> folders. I already have quite a large directory structure set up with
> varying permissions on the subfolders and these permissions need to be
> preserved. For example:
>
> Main Shared Folder (all domain users)
> Accounting (accountant only)
> Database (DB admin only)
> Grants (all domain users)
> Human Resources (HR director only)
> Photos and Logos (all domain users)
>
> I've experimented and found that if I add the 'deny permission' on the
> root of 'Main Shared Folder' and use "Replace permission entries on
> all child objects with entries shown here that apply to child objects"
> then all of the permissions on the subfolders are replaced with the
> permissions set on the root. This effectively erases the permissions
> set on the subfolders and replaces them with the new permissions. For
> example, the Accounting folder would end up with Domain Users and the
> new Volunteer Security Group with permissions, but the accountant
> would be left out.
>
> Is there a way to add the 'deny permission' to all subfolders without
> removing the permissions unique to each subfolder?
>
> Thanks in advance for any help,
> Kevin Hartgerink
>
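The targeted approach Roger describes (a Deny only at the top folder and at each folder that blocks inheritance, plus a check for explicit grants that would cancel the inherited Deny), as an added PowerShell example that is not part of the thread. It assumes placeholder values for the share path and group name, and that you run it against each share the group must be kept out of, not against the one share it may use.

```powershell
# Added example, not from the original thread. Adds an inheritable Deny ACE
# for one group at the top folder and at every folder that blocks inheritance
# (each new inheritance root), appending to the existing ACL so the explicit
# entries on Accounting, Database, etc. are left in place. It also reports any
# explicit Allow entry for the same group lower in the tree, because such a
# grant would override the inherited Deny. Path and group are placeholders.
param(
    [string]$Root       = 'D:\Shares\MainSharedFolder',   # placeholder path
    [string]$Principal  = 'CONTOSO\Volunteers',           # placeholder group
    [switch]$ReportOnly                                   # list actions, change nothing
)

$ns        = 'System.Security.AccessControl'
$rights    = [type]"$ns.FileSystemRights"    -as [type]; $rights    = [enum]::Parse($rights, 'FullControl')
$inherit   = [enum]::Parse([type]"$ns.InheritanceFlags", 'ContainerInherit, ObjectInherit')
$propagate = [enum]::Parse([type]"$ns.PropagationFlags", 'None')
$deny      = [enum]::Parse([type]"$ns.AccessControlType", 'Deny')
$denyAce   = New-Object "$ns.FileSystemAccessRule" ($Principal, $rights, $inherit, $propagate, $deny)

# Top folder first, then every subfolder (PSIsContainer keeps this PowerShell 1.0/2.0 compatible).
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse | Where-Object { $_.PSIsContainer })

foreach ($dir in $folders) {
    $acl    = Get-Acl -Path $dir.FullName
    $isTop  = ($dir.FullName -eq (Get-Item -LiteralPath $Root).FullName)

    # An explicit (non-inherited) Allow for the denied group defeats the inherited Deny.
    $conflict = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Value -eq $Principal -and
        $_.AccessControlType -eq 'Allow' }
    if ($conflict) {
        Write-Warning "$($dir.FullName): explicit Allow for $Principal would nullify the Deny"
    }

    # Only the top folder and folders that block inheritance need their own Deny.
    if ($isTop -or $acl.AreAccessRulesProtected) {
        if ($ReportOnly) {
            Write-Host "Would add inheritable Deny for $Principal on $($dir.FullName)"
        } else {
            $acl.AddAccessRule($denyAce)          # appends; existing ACEs are untouched
            Set-Acl -Path $dir.FullName -AclObject $acl
        }
    }
}
```

Run it once with -ReportOnly to see which folders would receive the Deny and which explicit grants conflict; removing the Deny later means revisiting only those folders.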