REPOST: Re: Access denied for Administrator on folder
From: Ulf B. Simon-Weidner [MVP] (nospam2-ulf_at_usw-consulting.com)
Date: 03/16/05
- Previous message: Don Wilwol: "Re: Adding Computers to the Domain (AD)"
- In reply to: Boris Bahes$: "Access denied for Administrator on folder"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 16 Mar 2005 11:50:34 +0000
"Boris Bahes$" <boris.bahes@vk.htnet.hr> wrote in message
news:boris.bahes@vk.htnet.hr:
> Hi!
>
> I'm trying to understand Windows 2003 security on shared folders. So far I
> understand part on setting permissions on share. But part on setting NTFS
> permissions is tricky.
>
> Here is situation I have:
>
> Windows 2003 domain cotroller (native mode). I have created folder (using
> Administrator accaunt) and system assigned default NTFS permissions
> inherited from drive root (C). Beside other built-in groups, Administrators
> have full permissions on that folder ( C:\public).
>
> At this point everything is working fine. Any domain user can write, read,
> delete...etc...
>
> I wanted to deny access to Users (built-in group) group to that folder so
> I set permissions to "Full Control - Deny". After that action I as
> Administrator who have created that folder dont have access to it. Windows
> Explorer pops up message
> "C:\public is not accessible. Acces is denied" with OK button.
>
> Only way for me to see and act in that folder is to by "Properties -
> Security" add again Users group.
>
> Is there any connection between Users group and Administrator accaunt? I
> dont see Administrator as member of Users or Domain Users group.
>
Hello Boris,
Administrator is a member of the Domain Users group by default, and
this shouldn't be changed.
What you experience is that in the permissions a Deny is stronger than
a Allow, and you shouldn't use Deny for that reason is not really
necessary, and then on specific groups. Always remember that users only
have rights to access any resources if grant allow rights. In your
case, if you want the users not to have access, change the rights on
the folder that it does not contain users. You'll have to stop
inheritance and copy the parents rights, then remove users for that
folder.
-- Gruesse - Sincerely, Ulf B. Simon-Weidner MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner WebSite: http://www.windowsserverfaq.org
- Previous message: Don Wilwol: "Re: Adding Computers to the Domain (AD)"
- In reply to: Boris Bahes$: "Access denied for Administrator on folder"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
