Re: NTFS woes



I still think, with only seeing via your words, that you are running
into the hidden delete, which has always caused confusion and is
a total red herring in the scheme on NTFS permissions that throws
the logic of them out the window. What is worse is that the NTFS
advanced permission dialog has somewhat different behaviors in
different Windows versions as to just what one ends up with when
starting with a grant of Full and subtracting (unchecking) part of it
in the general (not advanced, but perhaps there also) view.
The way to do things that does give something of a reliable result
is to start without a Full grant and then add what you do want (like
a modify) and then go to the Advanced view and adjust if needed.
From your words, at some of the stages it sounds like the explicit
deny on the file should have taken control over the grants from
the parent dir (but did not). That only makes sense to me if it is
the hidden delete, which would have effect of saying "ok, so the
principal has no delete priv (without regard to fact that parent
gives it and it gets taken away by deny) but this Posix compliance
thing says they can delete anything in the folder so let's do it."

Roger


"Rik G." <q@xxxx> wrote in message
news:479764b4$0$27617$bf4948fe@xxxxxxxxxxxxxxxx
OK OK, after some experimentation it now works.

On the parent folder I already had unchecked Take Ownership, Change
Permissions and Delete.

I had unchecked Delete because I don't want the user to be able to delete
his folder, of course.
I checked Allow for Delete Subfolders and Files, because that is what I
want the user to be able to do (except for that one file).
Much to my surprise, with these settings the user can still delete a file
for which an explicit Deny Delete is set.

I followed up your suggestion to check Allow Modify and noticed that that
set a check for Allow Delete and unchecked Allow for Delete Subfolders and
Files in the Advanced permissions...!

Now the explicit Deny Delete on that one file works!

Still, to me that seems *totally illogical* to what the permissions
"Delete" and "Delete Subfolders and Files" promise.

Maybe someone can shed a light on the rationale behind these permissions?

Regards

R.



"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:eDlxQDXXIHA.4272@xxxxxxxxxxxxxxxxxxxxxxx
Deny does not always overrule a grant.
An explicit deny overrules an explicit or inherited grant.
However, an inherited deny does not overrule an explicit
grant and it may or may not overrule an inherited grant (it
depends on the full context of inheritance).
That said, are you setting the full control on the folder and
the deny on the file? If so, what you may have going on
here is the "hidden delete" grant that is part of a grant of
Full on a folder. This "hidden delete" is part of requirements
for Posix compliance and is something of a pain. It imparts
ability to delete anything in the folder even though there is
no permissions on those things to delete them.
Consider granting on the folder Modify plus permission to
change permissions (which then would be Full minus the
permission to take ownership and minus the "hidden delete")

Roger

"Rik G." <q@xxxx> wrote in message
news:479694f1$0$31874$bf4948fe@xxxxxxxxxxxxxxxx
I've given a user full control over a folder, its sub folders and
files.
I want to prevent the user from deleting one particular file in that
folder. He should only be able to read it.

When I create an explicit Deny Delete permission for that file, the
user can still delete the file. I thought that Deny permissions always
took precedence over Allow permissions?

What's going on? Can this be done with NTFS at all?

Regards

R.
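
The delete decision discussed in this thread, as an added example that is not part of any poster's message: Windows allows a file delete when the caller holds DELETE on the file or FILE_DELETE_CHILD ("Delete Subfolders and Files") on the parent folder, so a Deny Delete on the file only blocks the first path. The model below is a simplification with a single user and constructed ACLs; the function names and the `FIRST_TRY` mask are assumptions made for the illustration.

```python
# Added illustration: simplified model, one user, constructed ACLs.
DELETE            = 0x00010000  # "Delete"
FILE_DELETE_CHILD = 0x00000040  # "Delete Subfolders and Files"
WRITE_DAC         = 0x00040000  # "Change Permissions"
WRITE_OWNER       = 0x00080000  # "Take Ownership"
MODIFY            = 0x000301BF  # contains DELETE, not FILE_DELETE_CHILD
FULL_CONTROL      = 0x001F01FF  # contains both

def canonical(aces):
    """Canonical ACE order: explicit deny, explicit allow, inherited deny,
    inherited allow. An ACE here is (kind, mask, inherited)."""
    return sorted(aces, key=lambda a: (a[2], a[0] != "deny"))

def access_check(aces, wanted):
    """Walk ACEs in order; a deny on a still-needed bit fails the request,
    allows clear bits, and bits nobody grants are refused."""
    remaining = wanted
    for kind, mask, _ in canonical(aces):
        if kind == "deny" and mask & remaining:
            return False
        if kind == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return False

def can_delete(parent_aces, file_aces):
    """DELETE on the file OR FILE_DELETE_CHILD on the parent is sufficient."""
    return (access_check(file_aces, DELETE)
            or access_check(parent_aces, FILE_DELETE_CHILD))

def scenario(parent_mask, deny_on_file=True):
    """Folder grants parent_mask; the file inherits it, optionally with an
    explicit Deny Delete added on the file itself."""
    parent = [("allow", parent_mask, False)]
    file_acl = [("allow", parent_mask, True)]
    if deny_on_file:
        file_acl.append(("deny", DELETE, False))
    return can_delete(parent, file_acl)

# Rik's first setup: Full minus Take Ownership, Change Permissions and Delete.
FIRST_TRY = FULL_CONTROL & ~(DELETE | WRITE_DAC | WRITE_OWNER)

if __name__ == "__main__":
    for name, mask in [("first try", FIRST_TRY), ("Full Control", FULL_CONTROL),
                       ("Modify", MODIFY)]:
        print(f"{name:13} on folder, Deny Delete on file -> deletable: {scenario(mask)}")
```

Only the Modify grant leaves the file protected, because Modify carries DELETE (which the explicit deny on the file overrides) but not FILE_DELETE_CHILD.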








