Re: Folder permissions - deny users, allow administrator



"dima" <dima@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:59DC8E88-15F6-4318-871A-33D2F11419A6@xxxxxxxxxxxxxxxx
Hi Roger, thanks for replying.

No, members of Users are not to have the same permissions for "working" and
"completed". As I said, both "working" and "completed" inherit from
"root_folder", except "completed" has an extra explicit Deny permission on
top of what's inherited. The purpose of this deny permission is to explicitly
deny everything but read access to Users members in "completed".


OK, but I was hoping for a positive statement of what they should have.
So, it appears that Users should have ability to define new things in
Working and to modify them, but that they should have only read/list
on those once they are in Completed.

I'm aware that Creator/Owner permissions kick in as soon a member of Users
creates a folder in "working", and then moves it to "completed". This is why
I put the Deny permission in place on "completed" - to explicitly override
that. In fact, with it being the only explicit Deny permission, it should
override all Allow permissions of each folder in "completed" - and it does.

Not really. It does not work that way.
An inherited deny will only override conflicting grants that are
set at the same or a higher level in the directory tree. It will not
override a grant set at a lower level (closer to the object under
consideration). Hence, the Creator/Owner grant causes an explicit
grant to Username on the object they create, and this grant moves
with the object when it is moved to Completed, and this grant then
overrides the inherited deny.

However, instead of affecting just members of the Users group, this Deny
permission also affects members of the Administrators group, for no apparent
reason. That is, members of the Administrators group are also denied
everything except read access to the "completed" folder - even though the
permission is set only for the Users group.


Your members of Administrators are obviously considered to
effectively be members of Users.
At a cmd prompt, if you issue
net localgroup administrators
what is the result?
As stated in reply of other thread, your Users group likely has
either Authenticated Users or Interactive in it. If you remove
these you need to be careful about what they are accomplishing
so that you replace what of that is needed with some other
memberships. However, if you approach this without use of
Deny, which I would recommend, then Administrators being
effective members of Users becomes a non-issue for this issue.

I want to be able to have a folder in "working" with full access to Users,
and then have an Administrator to move it to "completed", and by doing so,
automatically make the folder as read-only to Users. I want Administrators to
retain full control over both folders at all times.


Here is what I would suggest.
On Working set
Administrators Full
Users Modify
and nothing else and nothing inherited from parent of Working.
On Completed set
Administrators Full
Users Read/List
and nothing else and nothing inherited from parent of Completed.

With those permissions there will be no explicit permissions on
objects within either Working or Completed. Hence a move
from Working to Completed will result in the moved object then
having only the permissions inherited from Completed.

If there are any permissions set directly on the moved object
those will move with it. That is (part of) what is giving you
problems.

Roger

Thanks again for the help.

--
dima

"Roger Abell [MVP]" wrote:

So are Users members to have the same permissions on
things in Working as in Completed?
You do not state.

Your issue is in part that there is a special grant to Users
that lets them create new things, at which point the grant
to Creator/Owner kicks in and grants that account Full.

Given that Working and Completed are on the same partition
you should copy from Completed to Working, not move.
A move within a partition for Windows up through W2k3
takes along permissions that are explicitly granted on the
moved.

Tell us what you want Working to allow to Users and then
we can get you going.

Roger


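The layout Roger suggests (explicit grants only at the top of Working and
Completed, nothing inherited from root_folder, nothing explicit on the
objects inside), as an added PowerShell example that is not part of this
thread and not anything Roger or dima posted. The root path is an assumption;
BUILTIN\Administrators and BUILTIN\Users are the standard local group names
on an English Windows install, and the icacls switches used are the documented
ones. The second half audits Completed for any ACE that did not come from
Completed itself, which is exactly what a move carries along and what defeats
the read-only intent; with -Fix it resets the tree to inherited permissions.
Run it from an elevated prompt.

```powershell
param(
    [string]$Root = 'C:\root_folder',   # assumed path; adjust to your share
    [switch]$Fix                        # rewrite ACLs under Completed if strays are found
)

$Working   = Join-Path $Root 'working'
$Completed = Join-Path $Root 'completed'

function Set-TopLevelAcl {
    param([string]$Path, [string]$UsersRight)
    # /inheritance:r strips every ACE inherited from the parent, so the folder
    # no longer picks up CREATOR OWNER or anything else from root_folder.
    icacls $Path /inheritance:r | Out-Null
    # /grant:r replaces any existing grant for the same principal.
    # (OI)(CI) make the ACE flow down to files and subfolders, so nothing
    # inside ever needs an explicit ACE of its own.
    icacls $Path /grant:r "BUILTIN\Administrators:(OI)(CI)F" | Out-Null
    icacls $Path /grant:r "BUILTIN\Users:(OI)(CI)$UsersRight" | Out-Null
}

New-Item -ItemType Directory -Force -Path $Working, $Completed | Out-Null
Set-TopLevelAcl -Path $Working   -UsersRight 'M'    # Modify
Set-TopLevelAcl -Path $Completed -UsersRight 'RX'   # Read & execute (read/list)

function Get-StrayAce {
    param([string]$Path)
    # Everything under Completed should carry only ACEs inherited from
    # Completed. An ACE that is explicit, or that names a principal other
    # than the two groups, is a leftover from the object's time in Working
    # (for example a grant to the individual creator) and will override
    # the read-only inheritance for that account.
    $expected = 'BUILTIN\Administrators', 'BUILTIN\Users'
    Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {
        $item = $_
        (Get-Acl -Path $item.FullName).Access | Where-Object {
            (-not $_.IsInherited) -or ($expected -notcontains $_.IdentityReference.Value)
        } | ForEach-Object {
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $_.IdentityReference.Value
                Type      = $_.AccessControlType
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
            }
        }
    }
}

$stray = @(Get-StrayAce -Path $Completed)
if ($stray.Count -eq 0) {
    Write-Host "No stray ACEs under $Completed"
}
else {
    $stray | Format-Table -AutoSize
    if ($Fix) {
        # /reset /T replaces every ACL in the tree with the default inherited
        # ACL, i.e. exactly what Completed propagates; /C continues past errors.
        icacls $Completed /reset /T /C | Out-Null
        Write-Host "ACLs under $Completed reset to inherited permissions"
    }
}
```

Running the audit after each move (or scheduling it) catches the case Roger
describes, where an ACE granted to the creating account rides along with the
moved folder; the reset puts the tree back to exactly the permissions
Completed inherits down, without any Deny entries being needed.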