Re: How do I do this without using Deny ACE's?
- From: DaveMo <david.mowers@xxxxxxxxx>
- Date: Mon, 9 Feb 2009 13:22:18 -0800 (PST)
On Feb 8, 10:31 am, "news.microsoft.com" <jeffv at jrvsystems dot com>
wrote:
Here's what I want to achieve on a WS2003 machine--
\AdminCreatedlFolder (the root of a share)
    \AdminCreatedFolder1
        \UserCreatedFolder1
        \UserCreatedFolder2
    \AdminCreatedFolder2
        \UserCreatedFolder1
        \UserCreatedFolder2
I want only admins to be able to create folders at the AdminCreatedFolder*
level. These folders are navigable by users but can't be created, deleted or
modified by them.
Users can create and delete folders at the UserCreatedFolder* level and
below.
I also don't want users to be able to create files within
AdminCreatedFolder*; just folders. But within UserCreatedFolder*, they can
create files or folders.
I've figured out a way to do this with "Advanced" Deny ACEs, but I'd like to
avoid that as a best practice. The Deny ACE's have also caused some obscure
problems with some software that checks permissions up the tree.
Seems like it should be very simple but it's something I've not been able to
figure out. Users can create folders at the same level as
AdminCreatedFolder1 and AdminCreatedFolder2 no matter what I try in the
Advanced permissions dialog.
Is this just not do-able?
TIA
--
Jeff Vandervoort
JRVsystems
http://www.jrvsystems.com
I was able to configure this fairly easily. First, make sure that you
have a user who should have no rights and then test to make sure they
don't have any rights. If you are playing with a test system it's easy
to drive yourself crazy because the user you are attempting to try
this with is a member of the domain or local administrators group.
Speaking from experience, here.
To verify the user has no access, with an administrator account delete
all the permissions from the folder, call it c:\AdminFolder, except
for administrator and system. You'll have to break permission
inheritance on the advanced tab to do this.
Now add just a single user (you can use a group later) and only give
them "List Folder Contents" privilege to AdminFolder.
Now, use runas and open a cmd window as your test user. You should be
able to cd to AdminFolder and list the contents - which might be
nothing at this point.
Now, go back to the Security Permissions page as the admin and for
AdminFolder, click advanced, click on the single user, click edit, and
click "Create Folder" under Allow. Click apply.
Back to the command window running as your test user, you should be
able to create a folder and delete the folder.
If you cd into that folder, you should be able to do anything because
the system automatically gives full control to the user who created
the folder.
You seemed to want another level of folders in your scenario, but I
don't think it changes the settings I just described.
HTH,
Dave
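
The end state of the walkthrough above, scripted with Get-Acl/Set-Acl as an added example (not part of Dave's post). It assumes C:\AdminFolder already exists; the account name EXAMPLE\testuser is a placeholder, and the two GUI steps (List Folder Contents, then Create Folders) are combined into one Allow ACE.

```powershell
# Added example. Run from an elevated prompt as an administrator.
$path = 'C:\AdminFolder'                                                     # folder name from the post
$user = New-Object System.Security.Principal.NTAccount('EXAMPLE\testuser')  # hypothetical test account

$admins = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')  # BUILTIN\Administrators
$system = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')      # NT AUTHORITY\SYSTEM

$full        = [System.Security.AccessControl.FileSystemRights]::FullControl
$inheritAll  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$foldersOnly = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$noProp      = [System.Security.AccessControl.PropagationFlags]::None
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

# "List Folder Contents" in the GUI is ReadAndExecute inherited by folders only.
# "Create Folders" is CreateDirectories (same bit as AppendData). WriteData
# ("Create Files") is deliberately left out, so no Deny ACE is needed.
$userRights = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, CreateDirectories'

# Build a protected DACL from scratch: inheritance broken, inherited ACEs discarded.
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in $admins, $system) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, $full, $inheritAll, $noProp, $allow)))
}
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $user, $userRights, $foldersOnly, $noProp, $allow)))
Set-Acl -Path $path -AclObject $acl

# Review what was written: flag any Deny ACE, and any right on the user's ACE
# that goes beyond listing and creating folders.
$tooBroad = [System.Security.AccessControl.FileSystemRights]'WriteData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
(Get-Acl -Path $path).Access | ForEach-Object {
    $note = ''
    if ($_.AccessControlType -eq 'Deny') {
        $note = 'DENY ACE'
    } elseif ($_.IdentityReference.Value -eq $user.Value -and ($_.FileSystemRights -band $tooBroad)) {
        $note = 'broader than intended'
    }
    '{0,-28} {1,-40} inherited={2} {3}' -f $_.IdentityReference, $_.FileSystemRights, $_.IsInherited, $note
}
```

Test the result from a runas session as the non-admin account, as described in the post, since a member of Administrators will pass every check regardless of the user ACE.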