Re: Is there anyway I can stop users moving folders to other folders?

From: Steven L Umbach (n9rou_at_nscomcast.net)
Date: 05/03/04


Date: Mon, 03 May 2004 16:17:05 GMT

Thanks for the detailed info - very helpful. From what I can see the user
would be getting the permission by being a member of the everyone group which
would give him read/list/execute which should not be enough permissions to
move a folder just with that group membership. It seems to me that a while
back there was a similar issue a user was having. Try going to the
root/drive folder of that drive and make sure that everyone and users have
no more than read/list/execute permissions at that level and be sure to
check the advanced page. Also make sure that everyone/users do not have
excessive permissions in the advanced permission entries of the folder you
show permissions for. --- Steve

"Pab" <pablo@---if-you-are-not-a-spammer-take-this-out---pabs2003.plus.com>
wrote in message news:epnc90l5e30c7a82hrltpd2ib8vivkbt6h@4ax.com...
> Hi there Steve,
>
> The person whose access I'm trying to restrict is a member of group
> Users. Users does not have any rights to change anything in the
> directory in question. Only Administrators has that right. My user
> is not a member of Administrators, only of the group Users. Users, as
> I say, does not have any rights to change anything in that directory.
>
> So,
>
> - Users is not linked to any other group
>
> - my specific user is ONLY a member of that group, Users
>
> - Users does NOT have any special rights or privileges in that
> directory whatsoever
>
> - the OWNER of the directory is group Administrators, not Users
>
> Specifically,
>
> When I do Properties in Explorer and do Security in that directory I
> get :-
>
> ADMINISTRATORS :-
>
>   Permissions            Allow   Deny
>   -----------------------------------
>   Full Control           YES     no
>   Modify                 YES     no
>   Read & Execute         YES     no
>   List Folder Contents   YES     no
>   Read                   YES     no
>   Write                  YES     no
>
> EVERYONE :-
>
>   Permissions            Allow   Deny
>   -----------------------------------
>   Full Control           no      no
>   Modify                 no      no
>   Read & Execute         YES     no
>   List Folder Contents   YES     no
>   Read                   YES     no
>   Write                  no      no
>
> SYSTEM :-
>
>   Permissions            Allow   Deny
>   -----------------------------------
>   Full Control           no      no
>   Modify                 no      no
>   Read & Execute         YES     no
>   List Folder Contents   YES     no
>   Read                   YES     no
>   Write                  no      no
>
> If I press "Advanced .." and go to the Owner tab I get...
>
> Current owner for this item:
> "Administrators (PC2\Administrators)"
>
> - for that directory.
>
> Notice the USERS group is not even in the list. As a member of USERS,
> however, you can drag-and-drop any directory within this directory out
> to any other directory you wish by dragging-and-dropping it. This is
> how my friend lost his file. (as long as you have write access to it)
>
> As I said, USERS does not seem to be inheriting any rights from another
> group and the ownership of the directory does not belong to USERS, so why is
> it possible to move out a directory?
>
> Many thanks Security !!
>
> Bye for now,
>
> Pablo.
>
> On Sat, 01 May 2004 15:43:15 GMT, "Steven L Umbach"
> <n9rou@nospam-comcast.net> did in fact proclaim:
>
> >If you have read permissions to a file, then you can copy it to another
> >folder where you are allowed to write but not move it. Move is essentially
> >a read/write/delete operation while copy is just read/write. You need to
> >check that the user is not a member of another group that has
> >delete/modify/full permissions for the folder in including the advanced
> >permissions page. If the user is the owner of that file, then he will have
> >the ntfs permissions of the creator/owner also. You can go to
> >advanced/owner to see who is the current owner of file. --- Steve
> >
> >
> >
> >"Pab" <pablo@---if-you-are-not-a-spammer-take-this-out---pabs2003.plus.com>
> >wrote in message news:ktb790ps8ivl36cbcrfmik5a13a9q701gt@4ax.com...
> >> Hi All,
> >>
> >> A couple of days ago one of my users had moved one of his folders to
> >> another part of the hard disk and came to me when he couldn't now open
> >> his file to the files going missing. It had all happened because he
> >> must have mistakenly dragged and dropped one of his folders onto
> >> another folder and had not realised it. Then he couldn't open one of
> >> his files the next time he logged on. I have been trying to restrict
> >> the changes that he could make by making the hard drive NTFS
> >> (previously it was FAT32) and setting permissions for parts of the
> >> hard disk to be read-only, but then even with permissions set to read
> >> only they can still move folders around willy-nilly, hence
> >> potentially causing more damage to their hierarchy.
> >>
> >> i.e. say i have
> >>
> >> Folder A
> >>
> >> and inside that I have
> >>
> >> Folder B.
> >>
> >> I set folder A's permissions to be read-only. So I can't write
> >> anything in Folder A. I can only read what's there. Hence, anything
> >> contained in Folder A is supposedly read-only.
> >>
> >> But when I try to move
> >>
> >> Folder B
> >>
> >> onto a different folder, say
> >>
> >> Folder C
> >>
> >> The OS will quite happily let me, provided that Folder C is
> >> write-enabled. i.e. provided that the destination folder is
> >> write-enabled, I can permanently take out anything out of another
> >> folder.
> >>
> >> This can't be right can it?
> >>
> >> Many thanks.
> >>
> >> Take care all.
> >>
> >> Pab.
> >>
> >>
> >>
> >
>
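
The check Steve describes (Everyone and Users holding no more than read/list/execute at the drive root and on the folder, advanced entries included, plus the current owner) can be done from PowerShell. This is an added example, not part of the original thread; the paths `D:\` and `D:\Shared` are placeholders, and the group names assume an English-language Windows install.

```powershell
# Added example: report ACL entries that give broad groups more than
# read/list/execute, which is what allows a move (read + write + delete).
param(
    [string[]]$Paths = @('D:\', 'D:\Shared'),   # placeholders: drive root and the folder
    [string[]]$Principals = @('Everyone', 'BUILTIN\Users',
                              'NT AUTHORITY\Authenticated Users', 'CREATOR OWNER')
)

$R = [System.Security.AccessControl.FileSystemRights]

# Specific rights beyond read/list/execute. Modify and Full Control contain
# Delete; Full Control also contains DeleteSubdirectoriesAndFiles.
$Risky = [int]($R::Delete -bor $R::DeleteSubdirectoriesAndFiles -bor
               $R::WriteData -bor $R::AppendData -bor
               $R::ChangePermissions -bor $R::TakeOwnership)

# Older ACLs can carry raw generic bits that the enum does not name:
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000).
$Generic = 0x10000000 -bor 0x40000000

foreach ($path in $Paths) {
    $acl = Get-Acl -LiteralPath $path

    foreach ($ace in $acl.Access) {
        # Only Allow entries for the broad groups are of interest here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }

        $bits = [int]$ace.FileSystemRights
        if (($bits -band $Risky) -or ($bits -band $Generic)) {
            [pscustomobject]@{
                Path      = $path
                Owner     = $acl.Owner
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True: fix it on a parent, e.g. the drive root
                AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            }
        }
    }
}
```

An entry reported with `Inherited = True` on the folder points back to a parent such as the drive root, which is where the permission has to be changed.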