Re: Is there anyway I can stop users moving folders to other folders?

From: Steven L Umbach (n9rou_at_nscomcast.net)
Date: 05/03/04


Date: Mon, 03 May 2004 16:17:05 GMT

Thanks for the detailed info - very helpful. From what I can see the user
would be getting the permission by being a member of the everyone group which
would give him read/list/execute which should not be enough permissions to
move a folder just with that group membership. It seems to me that a while
back there was a similar issue a user was having. Try going to the
root/drive folder of that drive and make sure that everyone and users have
no more than read/list/execute permissions at that level and be sure to
check the advanced page. Also make sure that everyone/users do not have
excessive permissions in the advanced permission entries of the folder you
show permissions for. --- Steve

"Pab" <pablo@---if-you-are-not-a-spammer-take-this-out---pabs2003.plus.com>
wrote in message news:epnc90l5e30c7a82hrltpd2ib8vivkbt6h@4ax.com...
> Hi there Steve,
>
> The person whose access I'm trying to restrict is a member of group
> Users. Users does not have any rights to change anything in the
> directory in question. Only Administrators has that right. My user
> is not a member of Administrators, only of the group Users. Users, as
> I say, does not have any rights to change anything in that directory.
>
> So,
>
> - Users is not linked to any other group
>
> - my specific user is ONLY a member of that group, Users
>
> - Users does NOT have any special rights or privileges in that
> directory whatsoever
>
> - the OWNER of the directory is group Administrators, not Users
>
> Specifically,
>
> When I do Properties in Explorer and do Security in that directory I
> get :-
>
> ADMINISTRATORS :-  Permissions            Allow  Deny
>                    ------------------
>                    Full Control           YES    no
>                    Modify                 YES    no
>                    Read & Execute         YES    no
>                    List Folder Contents   YES    no
>                    Read                   YES    no
>                    Write                  YES    no
>
> EVERYONE :-        Permissions            Allow  Deny
>                    ------------------
>                    Full Control           no     no
>                    Modify                 no     no
>                    Read & Execute         YES    no
>                    List Folder Contents   YES    no
>                    Read                   YES    no
>                    Write                  no     no
>
> SYSTEM :-          Permissions            Allow  Deny
>                    ------------------
>                    Full Control           no     no
>                    Modify                 no     no
>                    Read & Execute         YES    no
>                    List Folder Contents   YES    no
>                    Read                   YES    no
>                    Write                  no     no
>
> If I press "Advanced .." and go to the Owner tab I get...
>
> Current owner for this item:
> "Administrators (PC2\Administrators)"
>
> - for that directory.
>
> Notice the USERS group is not even in the list. As a member of USERS,
> however, you can drag-and-drop any directory within this directory out
> to any other directory you wish by dragging-and-dropping it. This is
> how my friend lost his file. (as long as you have write access to it)
>
> As I said, USERS does not seem to be inheriting any rights from another
> group and the ownership of the directory does not belong to USERS, so why is
> it possible to move out a directory?
>
> Many thanks Security !!
>
> Bye for now,
>
> Pablo.
>
> On Sat, 01 May 2004 15:43:15 GMT, "Steven L Umbach"
> <n9rou@nospam-comcast.net> did in fact proclaim:
>
> >If you have read permissions to a file, then you can copy it to another folder where
> >you are allowed to write but not move it. Move is essentially a read/write/delete
> >operation while copy is just read/write. You need to check that the user is not a
> >member of another group that has delete/modify/full permissions for the folder in
> >including the advanced permissions page. If the user is the owner of that file, then
> >he will have the ntfs permissions of the creator/owner also. You can go to
> >advanced/owner to see who is the current owner of file. --- Steve
> >
> >
> >
> >"Pab" <pablo@---if-you-are-not-a-spammer-take-this-out---pabs2003.plus.com> wrote in
> >message news:ktb790ps8ivl36cbcrfmik5a13a9q701gt@4ax.com...
> >> Hi All,
> >>
> >> A couple of days ago one of my users had moved one of his folders to
> >> another part of the hard disk and came to me when he couldn't now open
> >> his file to the files going missing. It had all happened because he
> >> must have mistakenly dragged and dropped one of his folders onto
> >> another folder and had not realised it. Then he couldn't open one of
> >> his files the next time he logged on. I have been trying to restrict
> >> the changes that he could make by making the hard drive NTFS
> >> (previously it was FAT32) and setting permissions for parts of the
> >> hard disk to be read-only, but then even with permissions set to read
> >> only they can still move folders around willy-nilly, hence
> >> potentially causing more damage to their hierarchy.
> >>
> >> i.e. say i have
> >>
> >> Folder A
> >>
> >> and inside that I have
> >>
> >> Folder B.
> >>
> >> I set folder A's permissions to be read-only. So I can't write any
> >> thing in Folder A. I can only read what's there. Hence, anything
> >> contained in Folder A is supposedly read-only.
> >>
> >> But when I try to move
> >>
> >> Folder B
> >>
> >> onto a different folder, say
> >>
> >> Folder C
> >>
> >> The OS will quite happily let me, provided that Folder C is
> >> write-enabled. i.e. provided that the destination folder is
> >> write-enabled, I can permanently take out anything out of another
> >> folder.
> >>
> >> This can't be right can it?
> >>
> >> Many thanks.
> >>
> >> Take care all.
> >>
> >> Pab.
> >>
> >>
> >>
> >
>
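
The check described in the reply above (the drive root and the folder itself, including the entries only visible on the advanced page), as an added PowerShell example that is not part of the original thread. The function name `Get-ExcessRights`, the default principal list and the paths in the usage line are assumptions.

```powershell
# Added example: list Allow ACEs that give broad principals more than
# Read & Execute. Delete on an item, or "Delete Subfolders and Files" on
# its parent, is what lets that item be removed from where it sits.
function Get-ExcessRights {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        # Principals to audit (assumption, based on the groups named in the thread).
        [string[]]$Identity = @('Everyone', 'BUILTIN\Users', 'CREATOR OWNER')
    )
    $fsr     = [System.Security.AccessControl.FileSystemRights]
    $allowed = [int]$fsr::ReadAndExecute -bor [int]$fsr::Synchronize
    $delete  = [int]$fsr::Delete
    $delKids = [int]$fsr::DeleteSubdirectoriesAndFiles

    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Identity -notcontains $ace.IdentityReference.Value) { continue }

            $rights = [int]$ace.FileSystemRights
            # Any bit outside Read & Execute + Synchronize counts as excess.
            if (($rights -band (-bnot $allowed)) -eq 0) { continue }

            [pscustomobject]@{
                Path           = $p
                Owner          = $acl.Owner
                Identity       = $ace.IdentityReference.Value
                # A bare number here (e.g. 268435456) is a generic right such
                # as GENERIC_ALL, usually on an inherit-only entry.
                Rights         = $ace.FileSystemRights.ToString()
                Delete         = ($rights -band $delete) -ne 0
                DeleteChildren = ($rights -band $delKids) -ne 0
                Inherited      = $ace.IsInherited
                AppliesTo      = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            }
        }
    }
}

# Placeholder paths: the drive root and the folder being protected.
Get-ExcessRights -Path 'D:\', 'D:\Shared' | Format-Table -AutoSize
```

No output means none of the listed principals holds more than Read & Execute on those paths; add the parent folder of anything that can still be moved, since its ACL decides whether children can be deleted.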


