Re: file permissions

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 02/20/04 

Date: Thu, 19 Feb 2004 20:00:35 -0700

Well, you have me thinking now, as the NT4 toolset is a stretch
back in time . . . The original tools have a rudimentary Deny,
but the updated ACLing dialog, which became available if you
installed the optional security configuration editor that was released
as a part of SP 4 (and was later updated in service packs) provides
most of the Advanced view you are used to seeing in up-level versions,
wherein you can be more specific about the deny that is set.

The reason, AIUI, that this is not so simple as it seems it should be is
that to add files and rename them rather full access is needed to read,
write, execute, and delete on the directory structure; so granting just
what you are after conflicts some with giving the needed access below.

I grant everything that I can to This folder, subfolders and file on the
parent directory, then often need to use a grant of list on This folder
and subfolders only (to keep the execute from being allowed to files),
and of read, or modify, etc to Files only or sometimes to Subfolders
and Files.

In your case, add read or read execute, and then also grant a Write
that you reduce to Files or to Subfolders and Files.
You very possibly need to play some to get this done and will end
up needing to first define the Write for Files, and then the Read for
This folder, subfolders, and files. 

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Scott Micale" <smicale@hartvillehardware.com> wrote in message
news:e6tbzhu9DHA.2368@TK2MSFTNGP11.phx.gbl...
> Yes I have tried from the 2003 server to grant the group Modify, Read &
> Exec., List Folder Contents, Read, Write and then if you hit the advanced
> button you can set the deny options and I chose Delete Subfolders & Files,
> and Delete.  That does not seem to work either.  I am just baffled by this
> and would have to think that there has to be other people out there that
> want to be able to do the same thing I am trying to accomplish.  You spoke
> of other tools earlier.  Where can I get these tools?
>
> Your last question mentioned denying delete for files on a NT space.
Where
> is there a deny option in NT 4?
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:exxX5qq9DHA.2316@TK2MSFTNGP11.phx.gbl...
> > The NTFS permissions tools in NT are a little limited
> > compared to later generations, and you would be best
> > off using then on the NT rather than later generations'
> > tools via a drive mapping.  I think most of the issues
> > have been corrected, but at one time using uplevel tools
> > for the ACLing of NT 4 owned NTFS space could lead
> > to ACL corruption.
> > Have you tried granting to the group and then denying
> > delete for files ??
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Server System: Security)
> > MCSE (W2k3,W2k,Nt4)  MCDBA
> > "Scott Micale" <smicale@hartvillehardware.com> wrote in message
> > news:epQYc%23l9DHA.2856@TK2MSFTNGP10.phx.gbl...
> > > I have a share that I have created for my users and I want to put
> > > permissions on the sub folders so that the user can:
> > >
> > > Do anything in a subfolder except delete files and folders.  I am
> > struggling
> > > to get this setup and it should not be that hard.  The share resides
on
> a
> > > NT4 BDC, but I am setting the permissions from a 2003 DC.  Can someone
> > give
> > > me the best options?
> > >
> > > Thanks!
> > >
> > >
> >
> >
>
>