Re: NTFS permissions?



William Stokes wrote:

I read from 2003R2 server help that NTFS permissions are cumulative. So does this mean that if user has a read access to a file via Domain Users Group (to which he is a member) and Full Controll because of Creator Owner rights (which he is) the result is that this user has full controll to the file?

Yes and no. NTFS permissions are cumulative as you describe. However CREATOR OWNER doesn't count directly towards a user's permissions, it is only used in inheritance.

So if the permissions on the file say

Domain Users:R
CREATOR OWNER:F

the user will have read access. If the permissions were inherited from a directory, CREATOR OWNER should have been automatically replaced by the username, so it would look like

Domain Users:R
username:F

and the user would have full acccess.

I've been testing this scenario and it happens that the user seems to have full controll while viewing Effective Access tab in the file properties but he cannot rename the file.

You should also note that you need write access to the folder as well as the file in order to rename a file.

Harry.
.



Relevant Pages

  • Re: XP Pro, IE 6.1: XEnroll "keyset does not exist"
    ... folder I see: ... Administrators: Full Controll ... So I tried to change the permissions of my C:\ drive to: ... also sometimes get it to work without the creator owner group. ...
    (microsoft.public.platformsdk.security)
  • Re: Keyset does not exist
    ... Default permissions for the MachineKeys folders ... folder I see: ... Administrators: Full Controll ... Creator Owner: Full Controll ...
    (microsoft.public.platformsdk.security)
  • Re: Permission to Copy Files to Server Folder But Not Edit Them
    ... not need creator owner permissions dues to the user either already having ... needed permissions for his user account or via group membership. ... Group Policy to remove the security tab from folder/file properties for ... Select folder only in the apply onto box and hit OK. ...
    (microsoft.public.security)
  • Re: Allow saves and reads but not edits
    ... I had to give Domain Users List and Read ... > are seeing in the NTFS permissions editor. ... > and due to temp files the Creator Owner Modify ...
    (microsoft.public.win2000.security)
  • Re: Allow saves and reads but not edits
    ... I had to give Domain Users List and Read ... >> are seeing in the NTFS permissions editor. ... >> and due to temp files the Creator Owner Modify ...
    (microsoft.public.win2000.security)