Re: NTFS woes

OK OK, after some experimentation it now works.

On the parent folder I already had unchecked Take Ownership, Change
Permissions and Delete.

I had unchecked Delete because I don't want the user to be able to delete
his folder, of course.
I checked Allow for Delete Subfolders and Files, because that is what I want
the user to be able to do (except for that one file).
Much to my surprise, with these setting the user can still delete a file for
which an explicit Deny Delete is set.

I followed up your suggestion to check Allow Modify and noticed that that
set a check for Allow Delete and unchecked Allow for Delete Subfolders and
Files in the Advanced permissions...!

Now the explicit Deny Delete on that one file works!

Still, to me that seems *totally illogical* to what the permissions "Delete"
and "Delete Subfolders and Files" promise.

Maybe someone can shed a light on the rationale behind these permissions?

Regards

R.



"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:eDlxQDXXIHA.4272@xxxxxxxxxxxxxxxxxxxxxxx
Deny does not always overrule a grant.
An explicit deny overrules and explicit or inherited grant.
However, an inherited deny does not overrule an explicit
grant and it may or may not overrule an inherited grant (it
depends on the full context of inheritance).
That said, are you setting the full control on the folder and
the deny on the file? If so, what you may have going on
here is the "hidden delete" grant that is part of a grant of
Full on a folder. This "hidden delete" is part of requirements
for Posix compliance and is something of a pain. It imparts
ability to delete anything in the folder even though there is
no permissions on those things to delete them.
Consider granting on the folder Modify plus permission to
change permissions (which then would be Full minus the
permission to take ownership and minus the "hidden delete")

Roger

"Rik G." <q@xxxx> wrote in message
news:479694f1$0$31874$bf4948fe@xxxxxxxxxxxxxxxx
I've given a user full control over a folder, its sub folders and files.
I want to prevent the user from deleting one particular file in that
folder. He should only be able to read it.

When I create an explicit Deny Delete permission for that file, the user
can
still delete the file. I thought that Deny permissions always took
precedence over Allow permissions?

What's going on? Can this be done with NTFS at all?

Regards

R.







.

Relevant Pages

  • Re: NTFS woes
    ... check Allow Delete Subfolders and Files ... Explicit Deny Delete on file does not work!!! ... and Files is checked, explicit Allow Delete permissions do not work, also. ... starting with a grant of Full and subtracting part of it ...
    (microsoft.public.windows.server.security)
  • Re: NTFS woes
    ... check Allow Delete Subfolders and Files ... Explicit Deny Delete on file does not work (user can still delete ... and Files is checked, explicit Allow Delete permissions do not work, ... starting with a grant of Full and subtracting part of it ...
    (microsoft.public.windows.server.security)
  • Re: NTFS woes
    ... "In some cases with a grant of Full is reduced ... NTFS permissions dialog. ... check Allow Delete Subfolders and Files ... Explicit Deny Delete on file does not work (user can still delete ...
    (microsoft.public.windows.server.security)
  • Re: NTFS woes
    ... "In some cases with a grant of Full is reduced ... NTFS permissions dialog. ... check Allow Delete Subfolders and Files ... Explicit Deny Delete on file does not work (user can still delete ...
    (microsoft.public.windows.server.security)
  • Re: Minimum NTFS Permissions - Theres such a thing???
    ... ?2001 Microsoft Corporation. ... HOW TO: Set Minimum NTFS Permissions Required for IIS 5.0 to Work WGID:198 ... " List Folder Contents" ...
    (microsoft.public.inetserver.iis.security)
Quantcast