Re: Folder permissions - deny users, allow administrator

I'm aware that Creator/Owner permissions kick in as soon a member
of Users creates a folder in "working", and then moves it to "completed".

The last part should read: and that folder is then moved to "completed".

--
dima

"dima" wrote:

Hi Roger, thanks for replying.

No, members of Users are not to have the same permissions for "working" and
"completed". As I said, both "working" and "completed" inherit from
"root_folder", except "completed" has an extra explicit Deny permission on
top of what's inherited. The purpose of this deny permission is to explicitly
deny everything but read access to Users members in "completed".

I'm aware that Creator/Owner permissions kick in as soon a member of Users
creates a folder in "working", and then moves it to "completed". This is why
I put the Deny permission in place on "completed" - to explicitly override
that. In fact, with it being the only explicit Deny permission, it should
override all Allow permissions of each folder in "completed" - and it does.
However, instead of affecting just members of the Users group, this Deny
permission also affects members of the Administrators group, for no apparent
reason. That is, members of the Administrators group are also denied
everything except read access to the "completed" folder - even though the
permission is set only for the Users group.

I want to be able to have a folder in "working" with full access to Users,
and then have an Administrator to move it to "completed", and by doing so,
automatically make the folder as read-only to Users. I want Administrators to
retain full control over both folders at all times.

Thanks again for the help.

--
dima

"Roger Abell [MVP]" wrote:

So are Users members to have the same permissions on
things in Working as in Completed?
You not not state.

Your issue is in part that there is a special grant to Users
that lets them create new things, at which point the grant
to Creator/Owner kicks in an grants that account Full.

Given that Working and Completed are on the same partition
you should copy from Completed to Working, not move.
A move within a partition for Windows up through W2k3
takes along permissions that are explicitly granted on the
moved.

Tell us what you want Working to allow to Users and then
we can get you going.

Roger
.

Relevant Pages

  • Distribution List not showing available contacts
    ... I have permission (set as owner) to open another user's ... upper right corner of the Select Members window, ... folder; I see John's contacts right there on my screen. ...
    (microsoft.public.outlook.contacts)
  • Deny Delete on Folder Not Working?
    ... access the folder across the network via a test user who is a member ... of 'Domain Users', I can still delete the folder. ... I have tried adding the Deny permission for 'Domain Users', ... Can anyone suggest why the Deny permission isn't working? ...
    (microsoft.public.windows.server.security)
  • Re: Deny Delete on Folder Not Working?
    ... It does work so I suggest you experiment a bit on a test folder. ... of 'Domain Users', I can still delete the folder. ... I have tried adding the Deny permission for 'Domain Users', ... Can anyone suggest why the Deny permission isn't working? ...
    (microsoft.public.windows.server.security)
  • Re: Folder permissions - deny users, allow administrator
    ... members of Users are not to have the same permissions for "working" ... I put the Deny permission in place on "completed" - to explicitly override ... everything except read access to the "completed" folder - even though the ...
    (microsoft.public.security)
  • Re: Enable file and folder sharing for the Users Group
    ... I want to give permission for the members of the Users group to "Creating a share". ... Because they don't have this permission by default, so they can't share any folder. ...
    (microsoft.public.win2000.networking)