Re: Folder and Sub-folder permissions
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Wed, 5 Sep 2007 21:11:22 -0700
Two observations off the top.

First, I would recommend that you do not use Deny.
Save that as a last (very, very last) resort.

Second, you will not be able to effect the precise specification
you have outlined, mostly because after an account has created
something new in subfolder1 they will be able to obtain more
than specified on what they created.

You will not get what you are after by only making NTFS grants
on e:\dept1

Let us say you have two groups, Dept1Mgrs and Dept1Users.

On e:\Dept1 grant
Modify to Dept1Mgrs for This folder, subfolders and files
Read, or perhaps Read/Execute to Dept1Users also set for
This folder, subfolders and files

e:\Dept1 should be set to not inherit, but e:\Dept1\subfolder1
and e:\Dept1\subfolder2 should inherit (from e:\Dept1)

On each of e:\Dept1\subfolder1 and e:\Dept1\subfolder2
add a Modify grant to Dept1Users for Subfolders and files

Now, one last thing is needed to enable Dept1Users to
make new things, so again on e:\Dept1\subfolder1 and
e:\Dept1\subfolder2 grant to Dept1Users
This takes the form of two special grants
1) Create Folders/Append Data for This folder and subfolders
2) Create Files/Write Data also for This folder and subfolders

<markfcook@xxxxxxxxx> wrote in message
news:1189026067.012611.248560@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
i've been asked to cleanup one of our departmental drives...
I have a folder with the following structure
E:\Dept1
E:\Dept1\subfolder1
E:\Dept1\subfolder2
The owner has requested that i grant access to his department so that
only he can create or modify folders in E:\Dept1. However, in the sub-
folders (subfolder1, subfolder2), he wants his department to have all
rights short of ownership and access control. My question is, how do
i do this?
I've tried read-only permissions for "This Folder Only" on E:\Dept1
and granting essentially what is Modify via the "Subfolders and files"
on the folder. at least that's what i think i'm doing with the
following:
currently the settings are
Folder : E:\Dept1
Scope : This Folder Only
Allow the following:
Traverse Folder/Execute File
List folder/Read data
Read Attributes
Read extended attributes
Read permissions
Deny the following:
Create files/Write data
Create folders/Append Data
Write attributes
Write extended attributes
Delete Subfolders and Files
Delete
Folder : E:\Dept1
Scope : Subfolders and files
Allow the following:
Traverse Folder/Execute File
List folder/Read data
Read Attributes
Read extended attributes
Create files/Write data
Create folders/Append Data
Write attributes
Write extended attributes
Delete Subfolders and Files
Delete
Read permissions
the resulting permissions then deny the user from creating new
subfolders, but because of the settings for "Subfolders and Files"
they can still delete things like E:\Dept1\Subfolder1 for example...
maybe i'm missing something obvious, but i can't figure out how to
accomplish the requirements short of setting permissions on each
individual subfolder, which i'm loath to do....
any help is appreciated...
mark
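
One way to apply the layout from Roger Abell's reply with icacls, as an added example that is not part of the original thread. The EXAMPLE domain, the backup file name, the removal of Deny entries for the department group, and the SYSTEM/Administrators grants are assumptions, not something either poster specified.

```powershell
# Added example. Run elevated in PowerShell on a system whose icacls supports
# /inheritance (Vista / Server 2008 or later). EXAMPLE is a placeholder domain.
$root  = 'E:\Dept1'
$subs  = 'E:\Dept1\subfolder1', 'E:\Dept1\subfolder2'
$mgrs  = 'EXAMPLE\Dept1Mgrs'
$users = 'EXAMPLE\Dept1Users'

# Keep a copy of the current ACLs before changing anything
# (restore later with: icacls E:\ /restore <file>).
icacls $root /save "$env:TEMP\Dept1-acl.bak" /T /C

# Drop the explicit Deny entries from the earlier attempt. Assumption: they
# were set against the department group.
icacls $root /remove:d $users

# E:\Dept1: stop inheriting from E:\, then
#   Dept1Mgrs  = Modify       on this folder, subfolders and files
#   Dept1Users = Read/Execute on this folder, subfolders and files
# SYSTEM and Administrators are not in the post; they are added here as an
# assumption so backup and admin access survive /inheritance:r.
icacls $root /inheritance:r `
    /grant:r "${mgrs}:(OI)(CI)M" `
    /grant:r "${users}:(OI)(CI)RX" `
    /grant:r "SYSTEM:(OI)(CI)F" `
    /grant:r "BUILTIN\Administrators:(OI)(CI)F"

foreach ($sub in $subs) {
    # The subfolders keep inheriting from E:\Dept1.
    icacls $sub /inheritance:e

    # Modify for Dept1Users on subfolders and files only. (IO) keeps this ACE
    # off the subfolder itself, so members cannot delete or rename it.
    icacls $sub /grant "${users}:(OI)(CI)(IO)M"

    # The two special grants, written as one ACE for this folder and subfolders:
    #   WD = Create Files / Write Data, AD = Create Folders / Append Data
    icacls $sub /grant "${users}:(CI)(WD,AD)"

    # Print the resulting ACL for review.
    icacls $sub
}
```

The final `icacls $sub` listing should show the Dept1Users Modify entry flagged `(IO)` and a separate `(CI)` entry carrying only the two create rights. Anything a member creates is owned by that member, which is the "obtain more than specified" case the reply warns about.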