Re: Deny _WRITE_ access to a file

From: Al Dunbar [MS-MVP] (alan-no-drub-spam_at_hotmail.com)
Date: 03/01/05


Date: Mon, 28 Feb 2005 21:11:06 -0700


"Javier J" <no.mail@please.no> wrote in message
news:cvc321lamb3mjim61lkfadd8f72kcdhc39@4ax.com...
> Hi all!
>
> I want to make sure that a group of users can't WRITE a set of files
> that they have to be able to READ. The files belonging to that set
> might change over time, so I want to make it part of a logon script.
>
> The problem is, I can use CACLS / XCACLS to DENY ALL access to the
> file, or to GRANT read, write, etc. privileges to the files. But I
> can't use them (or, probably, I don't know how to do it) to just deny
> write permissions for a given group.

As a logon script, your code will run in the context of the user. If he has
sufficient privileges to DENY himself write access, he has sufficient
privileges to REVOKE this denial.

Similarly, if he has ONLY READ/WRITE, but not FULL, then the script will
fail to modify the permissions.

> Is there some util that I might use, or do I have to resort to VBS to
> accomplish what I need to do? If that's the case, HOW do I do it
> (sadly, while I'm quite adept at batch scripting, VBS is not my forte).

Doing permissions at the granular level from VBScript can be quite a chore.
I would recommend that, using a privileged account, you permit the folders
(and existing files) such that normal users can only read, and cannot write.
New files created there will then inherit the same permissions/restrictions
automatically.

/Al
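
The approach recommended in the reply above, as an added PowerShell example that is not part of the original thread: an administrator sets an inheritable read-only grant on the folder once, then audits for files where the group still holds write or ACL-changing rights. The folder path and group name are placeholder assumptions.

```powershell
# Added example, not from the thread. Run elevated from an administrative
# account, once, instead of from a logon script in the user's context.
# Assumptions: $Folder and $Group are placeholder values.
$Folder = 'D:\Shared\Reference'
$Group  = 'EXAMPLE\ReadOnlyUsers'

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Build an inheritable Allow entry that applies to the folder, subfolders and files.
function New-Rule([string]$Identity, [string]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, $noProp, $allow)
}

$acl = Get-Acl -LiteralPath $Folder

# Stop inheriting from the parent and discard the inherited entries, so a
# broader grant higher up the tree cannot reintroduce write access.
$acl.SetAccessRuleProtection($true, $false)

# SetAccessRule replaces any existing Allow entries for the same identity.
$acl.SetAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl'))
$acl.SetAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl'))
$acl.SetAccessRule((New-Rule $Group                   'ReadAndExecute'))
Set-Acl -LiteralPath $Folder -AclObject $acl

# Audit: list items where the group is still allowed to write, delete,
# change permissions or take ownership (explicit entries or protected ACLs
# on existing files are not replaced by the folder-level change).
$risky = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

Get-ChildItem -LiteralPath $Folder -Recurse -Force | ForEach-Object {
    $item = $_
    (Get-Acl -LiteralPath $item.FullName).Access |
        Where-Object {
            $_.IdentityReference.Value -eq $Group -and
            $_.AccessControlType -eq $allow -and
            ($_.FileSystemRights -band $risky) -ne 0
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $item.FullName
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
            }
        }
}
```

The audit matches only entries that name the group directly; rights reaching the same users through other groups, or through ownership of a file, need a separate check.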


