Re: revoke change permissions?

From: Derek Melber [MVP] (derekm_at_braincore.net)
Date: 03/10/04 

Date: Wed, 10 Mar 2004 11:13:25 -0700

David,

You can't use the Effective Permissions as the end all of the configuration.
It is wrong in many cases, especially when you start to use complex group
structures.

It sounds like you are correct in setting up Deny to Change Permissions to
the group that should never have this ability. The only catch is to make
sure they don't have Ownership of the folder/file, since ownership gives
them the ability to do anything to the file.
Hopes this helps. 

-- 
Derek Melber
University of Phoenix Online
Faculty Candidate
dmelber@email.uophx.edu
"David Taylor 806@ hotmail.com>" <mcp916<removethisremovethistoo> wrote in
message news:%23DPpzZsBEHA.3256@TK2MSFTNGP09.phx.gbl...
> I have a shared folder on a Windows 2003 server, and a Domain Local group
to
> which I will add groups of users.
>
> The domain local group has been given full control minus Change
> Atributes/Extended Attributes, take ownership, and Change Permissions.  In
> addition, the Domain Local group has been assigned the Owner role.
>
> We do not want users playing with atributes or security settings.  The
> folder will hold files and folders created by and to be modified and
deleted
> by all members & group members of the new Domain Local group.
>
> When I view the Effective Permissions for the group, Change Permission is
> present.  I even tried denying it, removing the Creator/Owner, denying to
> creator owner and the group.
>
> Is there a proper way to make it so the users can access the files but not
> modify permissions?
>
> Thanks,
>
> David Taylor
>
>

Relevant Pages

  • Re: Minimum NTFS Permissions - Theres such a thing???
    ... ?2001 Microsoft Corporation. ... HOW TO: Set Minimum NTFS Permissions Required for IIS 5.0 to Work WGID:198 ... " List Folder Contents" ...
    (microsoft.public.inetserver.iis.security)
  • Re: Unable to delete orphaned 1.5 GB System Restore folder
    ... The fact that the tech support is based in India has nothing to do with the ... If so you may want to leave this folder alone. ... down to all children folders because i can set those permissions to ... try deleting from the command line using system by using the AT ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Unable to delete orphaned 1.5 GB System Restore folder
    ... The only computers i fix are my own. ... If so you may want to leave this folder alone. ... it includes all subdirectories with inherited permissions. ... try deleting from the command line using system by using the AT ...
    (microsoft.public.windowsxp.security_admin)
  • Re: share folder permissions
    ... B Group -> Read only permissions over ALL the sub-folders and files ... List Folder Contents, Read, and Write. ... Usually we just add Domain Admins FC, and Authenticated Users, Change. ... Then whatever is set in the folder structure using NTFS will dicate their effective permissions. ...
    (microsoft.public.windows.server.networking)
  • RE: no OWA
    ... have the correct permissions was the "inetpub" folder. ... Correct the settings in IIS: ... click to check the "Hide All Microsoft Services" ...
    (microsoft.public.windows.server.sbs)