Re: Folder permissions - deny users, allow administrator



So are Users members to have the same permissions on
things in Working as in Completed?
You do not state.

Your issue is in part that there is a special grant to Users
that lets them create new things, at which point the grant
to Creator/Owner kicks in and grants that account Full.

Given that Working and Completed are on the same partition
you should copy from Completed to Working, not move.
A move within a partition for Windows up through W2k3
takes along permissions that are explicitly granted on the
moved.

Tell us what you want Working to allow to Users and then
we can get you going.

Roger
"dima" <dima@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B2717A9D-A29F-4402-ADE0-E8A493E94092@xxxxxxxxxxxxxxxx
Hi there,

I am trying to create folder with permissions, such that, all current and
future contents of the folder will allow for read-only access to all members
of the Users group, and allow full control to the Administrators group.

Here's a simplified version of my setup (running on Windows 2003 Server):

root_folder
    completed
        folder 1
        folder 2
        folder 3
        ...
    working
        folder 4
        folder 5
        folder 6
        ...

"root_folder" is shared, with full control given to Everyone. Security
permissions on the folder itself are full control for Administrators,
Creator/Owner, and Users (folder, subfolders, and files). Both "completed"
and "working" are set to inherit from "root_folder". In addition, "completed"
has an extra permission, set to deny everything except read access to Users.
What I find is that, this deny permission also applies to the Administrator
account, which is in no way a member of the Users group.

I want to be able to move any folder from "working" into "completed"
(regardless of who the folder owner/creator is), and by doing so,
automatically make the folder read-only to members of the Users group. From
what I know about NTFS permissions, this basically forces me to use explicit
Deny permissions. If I simply remove the Users group from the permission
entries of "completed", then any folder created by a member of the Users
group will still be under full control of that user, even after being moved
to "completed". I also do not want to re-apply all child permissions every
time I move a folder into "completed".

I hope I made sense. I would appreciate any help anyone can give me.

Thanks in advance.

--
dima
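
The access check behind the behaviour discussed in this thread, as an added example that is not part of either post: a simplified Python model of DACL evaluation, where deny entries are ordered ahead of allow entries and every entry is matched against all groups in the caller's token. The rights bits, the user alice, and the assumption that one Administrator token also carries the Users group through nested membership are constructed for illustration.

```python
from collections import namedtuple

# Simplified rights bits (constructed for this example, not real NTFS masks).
READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL = READ | WRITE | DELETE

Ace = namedtuple("Ace", "kind trustee mask inherited")

def canonical(dacl):
    """Explicit entries before inherited ones, deny before allow in each group."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(token, dacl, desired):
    """Walk the ACEs in order; a matching deny on a still-needed bit ends the check."""
    granted = 0
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny":
            if ace.mask & desired & ~granted:
                return False
        else:
            granted |= ace.mask
        if desired & ~granted == 0:
            return True
    return False

# Constructed DACL for a folder under "completed", following the post.
COMPLETED_CHILD = [
    Ace("allow", "Administrators", FULL, True),
    Ace("allow", "alice", FULL, True),  # from Creator/Owner; alice is hypothetical
    Ace("allow", "Users", FULL, True),
    Ace("deny", "Users", WRITE | DELETE, True),  # "deny everything except read"
]
# Same folder with every Users entry removed instead of adding a deny.
NO_USERS_ENTRIES = [a for a in COMPLETED_CHILD if a.trustee != "Users"]

# Tokens list the account plus its groups. Assumption: the first admin token
# also carries Users through nested group membership.
ADMIN_WITH_USERS = {"Administrator", "Administrators", "Users"}
ADMIN_ONLY = {"Administrator", "Administrators"}
ALICE = {"alice", "Users"}

if __name__ == "__main__":
    for name, tok in [("admin+Users", ADMIN_WITH_USERS), ("admin", ADMIN_ONLY), ("alice", ALICE)]:
        print(name, "read:", access_check(tok, COMPLETED_CHILD, READ),
              "write:", access_check(tok, COMPLETED_CHILD, WRITE))
    print("alice, Users entries removed, delete:", access_check(ALICE, NO_USERS_ENTRIES, DELETE))
```

On a real server, `whoami /groups` run as the affected account lists the groups its token actually carries.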

