Re: NTFS woes

From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
Date: Tue, 22 Jan 2008 20:34:04 -0700

Deny does not always overrule a grant.
An explicit deny overrules and explicit or inherited grant.
However, an inherited deny does not overrule an explicit
grant and it may or may not overrule an inherited grant (it
depends on the full context of inheritance).
That said, are you setting the full control on the folder and
the deny on the file? If so, what you may have going on
here is the "hidden delete" grant that is part of a grant of
Full on a folder. This "hidden delete" is part of requirements
for Posix compliance and is something of a pain. It imparts
ability to delete anything in the folder even though there is
no permissions on those things to delete them.
Consider granting on the folder Modify plus permission to
change permissions (which then would be Full minus the
permission to take ownership and minus the "hidden delete")

Roger

"Rik G." <q@xxxx> wrote in message
news:479694f1$0$31874$bf4948fe@xxxxxxxxxxxxxxxx

I've given a user full control over a folder, its sub folders and files.
I want to prevent the user from deleting one particular file in that
folder. He should only be able to read it.

When I create an explicit Deny Delete permission for that file, the user
can
still delete the file. I thought that Deny permissions always took
precedence over Allow permissions?

What's going on? Can this be done with NTFS at all?

Regards

R.

Follow-Ups:
- Re: NTFS woes
  - From: Rik G.
- Re: NTFS woes
  - From: Rik G.

References:
- NTFS woes
  - From: Rik G.

Prev by Date: NTFS woes
Next by Date: Re: NTFS woes
Previous by thread: NTFS woes
Next by thread: Re: NTFS woes
Index(es):
- Date
- Thread

Relevant Pages

Re: NTFS woes
... starting with a grant of Full and subtracting part of it ... gives it and it gets taken away by deny) but this Posix compliance ... On the parent folder I already had unchecked Take Ownership, ... Permissions and Delete. ...
(microsoft.public.windows.server.security)
Re: **Deny**
... usually done when permissions are inherited via role membership. ... GRANT and DENY have no affect on db_owner role members. ...
(microsoft.public.sqlserver.security)
Re: Security.
... NTFS Permissions the most restrictive applies. ... member of that group) and you deny yourself even if you grant yourself full ... Then add your acount back in and grant it Change rights. ... Then add the SYSTEM account and grant it full control (Not required to work ...
(microsoft.public.inetserver.iis.ftp)
Re: User Role Permissions
... You can use DCL statements to grant permissions to ... DENY is used only in special cases since a normal user/role will not have ... GRANT SELECT ON MyView TO MyRole ...
(microsoft.public.sqlserver.security)
Re: how to restrict users to search in their own Organizational Unit
... I also want to say that in fact you shouldn't deny the read permission to anyone and this scenario the MOSS Administrators or who is responsible for Add users to Your Sites should be carefull when performing this action. ... Now, because you're dealing with many users, my recommendation is to create THE NECESARY Security Groups in each OU and related them with your MOSS2007 existing security groups, in future when someone creates some user, you just have to add that user to the necessary group and that user will be given the necessary permissions. ... decided a script can make it possible to accomplish, ... > If I need to create a security group per OU and then add all users ...
(microsoft.public.windows.server.active_directory)