Re: Deny _WRITE_ access to a file

From: Javier J (no.mail_at_please.no)
Date: 03/10/05


Date: Thu, 10 Mar 2005 19:47:50 +0100

On Tue, 1 Mar 2005 18:33:08 -0700, "Roger Abell" <mvpNOSpam@asu.edu>
wrote:

>"Javier J" <no.mail@please.no> wrote in message
>news:vpf921h1j3tgiliegad4u4kj7e7urhl72l@4ax.com...
>> Hi!!
>>
>> Thanks a lot for the response.
>>
>> First of all, regarding LOGON SCRIPT, the mistake is mine: What I was
>> trying to talk about was a STARTUP script (if I'm not mistaken, that
>> script runs as BUILTIN\SYSTEM).
>>

<...>

>> The problem is that the folder is set to be writeable by "Everyone".
>> I'd like to be able to "change" it so "no write" for the users of this
>> particular group. I can DENY access, but these users are part of
>> "Everyone", so even if "RestrictedG" has only READ access, as they are
>> members of "Everyone"; they get to write there...
>>
>> Why am I exploring the "deny" route, instead of limiting the rights of
>> "Everyone".. because there are some cases where the normal users have
>> to be able to write, so "Everyone:W" is a valid permission.... as long
>> as I could do something like "RestrictedG":DENY WRITE....
>>
>> I know that permission is "settable" (is that a word?) as it can be
>> set using (the "simple") NTFS Perms. tab... but to script it is what is
>> driving me crazy!!
>>
>> Thanks a lot. Any help _WILL_ be more than welcome!!
>>
>> Javier J
>
>The xcacls.vbs will do what you are after, and it will provide you
>with examples of the lines needed to do it in your own script.
>
>Deny overrides Grant - where you discuss need for Everyone, but
>not the RestrictedG. The only thing is that you need to be very aware
>and careful about explicit vs inherited.
>Inherited or Explicit Deny overrides an Inherited Grant
>Explicit Deny overrides an Explicit Grant, but an Inherited
> Deny does not override an Explicit Grant.

Thanks a lot. At the moment, I've managed to overcome the problem by
isolating the folders where the needed .bat files are, and giving
"read" to Everyone, so the scripts are readable by all, and the "log
to" folder .... well, I've used Deny for "RestrictedG", and I just
live w/o standard logging for that group (instead, I'm using eventlog
to log events to the system event log), but I'd like to be able to do
things with a not-so-radical approach.

        JJ
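
An added example, not part of the original posts: one way to script the Deny-Write entry for "RestrictedG" discussed in this thread, then list any explicit Allow entries on child objects that would win over the inherited Deny. The folder path is a placeholder, and PowerShell is used here instead of the xcacls.vbs script mentioned above.

```powershell
# Added example. Assumptions: $Folder is a hypothetical path; $Group is the
# group name used in the thread. Run from an elevated session.
param(
    [string]$Folder = 'D:\Logs',
    [string]$Group  = 'RestrictedG'
)

$acl = Get-Acl -LiteralPath $Folder

# Deny only the write rights. FileSystemRights 'Write' covers WriteData,
# AppendData, WriteAttributes and WriteExtendedAttributes; it contains no
# read bits, so group members can still read what Everyone lets them read.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]::Write,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

# The Deny is explicit on $Folder, so it overrides the Everyone:W grant there.
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Folder -AclObject $acl

# Children receive the Deny as an *inherited* entry. An explicit Allow set
# directly on a child is evaluated first, so report every such entry whose
# rights include the WriteData bit (0x2) for manual review.
Get-ChildItem -LiteralPath $Folder -Recurse | ForEach-Object {
    $item = $_
    (Get-Acl -LiteralPath $item.FullName).Access |
        Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band 2) -ne 0)
        } |
        Select-Object @{ n = 'Path'; e = { $item.FullName } },
                      IdentityReference, FileSystemRights
}
```

Any row in the output is an explicit grant that the inherited Deny will not override on that object.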


