Re: Folder permissions - deny users, allow administrator



alternatively

on parent of Working and Completed set only
Administrators Full
Users Read/List
then on Working set additional
Users Modify

Note that upon a move the adjustment of inherited permissions
is not always reflected immediately, but it will be eventually.


"dima" <dima@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:59DC8E88-15F6-4318-871A-33D2F11419A6@xxxxxxxxxxxxxxxx
Hi Roger, thanks for replying.

No, members of Users are not to have the same permissions for "working" and
"completed". As I said, both "working" and "completed" inherit from
"root_folder", except "completed" has an extra explicit Deny permission on
top of what's inherited. The purpose of this deny permission is to explicitly
deny everything but read access to Users members in "completed".

I'm aware that Creator/Owner permissions kick in as soon as a member of Users
creates a folder in "working", and then moves it to "completed". This is why
I put the Deny permission in place on "completed" - to explicitly override
that. In fact, with it being the only explicit Deny permission, it should
override all Allow permissions of each folder in "completed" - and it does.
However, instead of affecting just members of the Users group, this Deny
permission also affects members of the Administrators group, for no apparent
reason. That is, members of the Administrators group are also denied
everything except read access to the "completed" folder - even though the
permission is set only for the Users group.

I want to be able to have a folder in "working" with full access to Users,
and then have an Administrator move it to "completed", and by doing so,
automatically make the folder read-only to Users. I want Administrators to
retain full control over both folders at all times.

Thanks again for the help.

--
dima

"Roger Abell [MVP]" wrote:

So are Users members to have the same permissions on
things in Working as in Completed?
You do not state.

Your issue is in part that there is a special grant to Users
that lets them create new things, at which point the grant
to Creator/Owner kicks in and grants that account Full.

Given that Working and Completed are on the same partition
you should copy from Completed to Working, not move.
A move within a partition for Windows up through W2k3
takes along permissions that are explicitly granted on the
moved.

Tell us what you want Working to allow to Users and then
we can get you going.

Roger
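
The layout from the reply at the top of this thread, written out as icacls commands run from an elevated PowerShell prompt. This is an added example, not part of any poster's message: the root path D:\Projects and the function name Move-ToCompleted are assumptions, and the /reset step is one way to force the inherited permissions to be recomputed right after a move instead of waiting for them to catch up.

```powershell
# Added example. $root is a hypothetical path; Working and Completed are the
# folder names used in the thread.
$root      = 'D:\Projects'
$working   = Join-Path $root 'Working'
$completed = Join-Path $root 'Completed'

# Well-known SIDs, so the script does not depend on localized group names.
$admins = '*S-1-5-32-544'   # BUILTIN\Administrators
$users  = '*S-1-5-32-545'   # BUILTIN\Users

New-Item -ItemType Directory -Force -Path $working, $completed | Out-Null

# Parent: Administrators Full, Users Read/List, inherited to files (OI) and
# subfolders (CI). RX is the closest icacls simple right to Read/List.
icacls $root /grant:r "${admins}:(OI)(CI)F" "${users}:(OI)(CI)RX"

# Stop inheriting from above the parent, which also drops any inherited
# CREATOR OWNER entry. Done after the grants so access is never left empty.
icacls $root /inheritance:r

# Working: the one additional entry, Users Modify. Completed gets nothing
# explicit, so it carries only what it inherits from the parent. No Deny.
icacls $working /grant "${users}:(OI)(CI)M"

function Move-ToCompleted {
    # Hypothetical helper: move one job folder, then make its ACL match
    # Completed immediately.
    param([Parameter(Mandatory)][string]$Name)

    $src = Join-Path $working   $Name
    $dst = Join-Path $completed $Name

    # Same-volume move: the folder keeps the security descriptor it had.
    Move-Item -LiteralPath $src -Destination $dst -ErrorAction Stop

    # /reset replaces the ACL on the folder and everything below it (/T)
    # with inherited entries only; /C continues past individual file errors.
    icacls $dst /reset /T /C | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /reset failed for $dst" }

    # Show the result: expect Administrators (I)(F) and Users (I)(RX) only.
    icacls $dst
}

# Usage (folder name is a constructed sample):
# Move-ToCompleted -Name 'Job-001'
```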

