Re: How to set this Folder security
- From: "M. Burnett" <mb@xxxxxxxx>
- Date: Fri, 6 Oct 2006 03:34:12 +0000
If you do not want Group A to be able to delete the Magic folder, you have to make sure they cannot delete subfolders and files in the QA folder AND you need to take away (or deny) their right to delete the Magic folder itself. Furthermore, you should then give Group A the permission, on Magic, to delete subfolders and files.
Some things to note here:
- Denying Delete folders and subfolders on the QA dir will not, in itself, prevent them from deleting the Magic folder. You need to deny delete on that folder as well.
- Denying Delete on the Magic folder will not, in itself, prevent them from deleting that folder.
- Denying Delete folders and subfolders on the QA dir will not prevent them from deleting any other folders in the QA dir where they have the permissions to delete them.
As Roger stated, you can remove the inheritance from parent folders, or you can just add what you need on the folder itself, since permissions set directly on an object will normally take precedence over inherited permissions. However, when I start getting creative with file permissions, I prefer not to inherit from the parent.
Mark Burnett
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message news:OJDYupO6GHA.4404@xxxxxxxxxxxxxxxxxxxx:
Since on the QA parent folder of Magic you have explicitly
stated that GroupA can delete folders within QA you need
to "override" that. There are two ways. First, my preferred,
is to go into the NTFS permissions on Magic and in the
Advanced view uncheck the spec for it to inherit permissions.
You would probably want to select Copy of permissions, and
then edit these so that the GroupA grant is like that you had
granted on QA. The other route would be to leave Magic
inheriting permissions but to add a new ACE that Denies
GroupA Delete for This folder only.
I prefer the first way as use of Deny can become complicated
all too fast, especially if the Deny gets inherited onto substructure
and/or files.
"cisconoobie via WinServerKB.com" <u26219@uwe> wrote in message
news:6755825a42dcf@xxxxxx
> I have a folder named QA that is inheriting the following permissions:
>
> Domain Admins - Full
> Authenticated Users - Read & Execute
>
> I manually add Group A for read, execute and special permission (I enable
> delete subfolders and files) I make sure Delete is unchecked.
>
> Now I create "Magic" folder inside QA and I want to make sure Group A has
> Delete privileges for subfolders and files of Magic but I don't want group A
> from deleting the "Magic" Folder.
>
> How do I do that?
>
> --
> Message posted via WinServerKB.com
> http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-security/200610/1
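
The layout described in the reply at the top of this page (no "Delete subfolders and files" for the group on QA, no Delete on Magic itself, "Delete subfolders and files" granted on Magic with inheritance from QA switched off), written as icacls commands with a check of the resulting ACEs. This is an added example, not part of the original thread; the path `D:\QA`, the group `CONTOSO\GroupA` and the helper name `Get-GroupAllowAce` are placeholders chosen for illustration.

```powershell
# Placeholder names (assumptions): adjust to the real path and group.
$qa    = 'D:\QA'
$magic = Join-Path $qa 'Magic'
$group = 'CONTOSO\GroupA'

# QA: drop the group's existing explicit grants, then grant Read & Execute only.
# No DC ("Delete subfolders and files") here, so QA cannot be used to delete Magic.
icacls $qa /remove:g $group
icacls $qa /grant "${group}:(OI)(CI)RX"

# Magic: stop inheriting, keeping a copy of the inherited ACEs as explicit ones.
icacls $magic /inheritance:d

# Magic: allow deleting what is inside it. DC on this folder and its subfolders (CI)
# covers the contents; DE (Delete) on Magic itself is never granted.
icacls $magic /grant "${group}:(CI)(DC)"

# Return any explicit Allow ACE for the group that carries the given right.
# This reads only ACEs that name $group; rights reaching its members through
# other groups (for example Authenticated Users) are not evaluated.
function Get-GroupAllowAce {
    param([string]$Path, [System.Security.AccessControl.FileSystemRights]$Right)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $group -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $Right) -eq $Right
    }
}

# Expected end state: no DC on QA, no Delete on Magic, DC present on Magic.
$checks = @(
    @{ Path = $qa;    Right = 'DeleteSubdirectoriesAndFiles'; Expect = $false }
    @{ Path = $magic; Right = 'Delete';                       Expect = $false }
    @{ Path = $magic; Right = 'DeleteSubdirectoriesAndFiles'; Expect = $true  }
)
foreach ($c in $checks) {
    $found  = [bool](Get-GroupAllowAce -Path $c.Path -Right $c.Right)
    $result = if ($found -eq $c.Expect) { 'OK' } else { 'REVIEW' }
    '{0,-6} {1} : Allow {2} present = {3}' -f $result, $c.Path, $c.Right, $found
}
```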