Folder permissions - deny users, allow administrator

Posted by dima on November 16, 2007, 12:38 pm
Hi there,

I am trying to create a folder with permissions such that all current and
future contents of the folder will allow for read-only access to all members
of the Users group, and allow full control to the Administrators group.

Here's a simplified version of my setup (running on Windows 2003 Server):

root_folder
completed
folder 1
folder 2
folder 3
...
working
folder 4
folder 5
folder 6
...

"root_folder" is shared, with full control given to Everyone. Security
permissions on the folder itself are full control for Administrators,
Creator/Owner, and Users (folder, subfolders, and files). Both "completed"
and "working" are set to inherit from "root_folder". In addition, "completed"
has an extra permission, set to deny everything except read access to Users.
What I find is that this deny permission also applies to the Administrator
account, which is in no way a member of the Users group.

I want to be able to move any folder from "working" into "completed"
(regardless of who the folder owner/creator is), and by doing so,
automatically make the folder read-only to members of the Users group. From
what I know about NTFS permissions, this basically forces me to use explicit
Deny permissions. If I simply remove the Users group from the permission
entries of "completed", then any folder created by a member of the Users
group will still be under full control of that user, even after being moved
to "completed". I also do not want to re-apply all child permissions every
time I move a folder into "completed".

I hope I made sense. I would appreciate any help anyone can give me.

Thanks in advance.

--
dima

Posted by dima on November 16, 2007, 12:46 pm
Apologies for the incorrect formatting. Here's what the folder tree looks like:

root_folder
----completed
--------folder 1
--------folder 2
--------folder 3
--------...
----working
--------folder 4
--------folder 5
--------folder 6
--------...

Thanks,

--
dima

Posted by Roger Abell [MVP] on November 16, 2007, 5:58 pm
So are Users members to have the same permissions on
things in Working as in Completed?
You do not state.

Your issue is in part that there is a special grant to Users
that lets them create new things, at which point the grant
to Creator/Owner kicks in and grants that account Full.

Given that Working and Completed are on the same partition
you should copy from Completed to Working, not move.
A move within a partition for Windows up through W2k3
takes along permissions that are explicitly granted on the
moved.

Tell us what you want Working to allow to Users and then
we can get you going.

Roger

Posted by dima on November 19, 2007, 10:38 am
Hi Roger, thanks for replying.

No, members of Users are not to have the same permissions for "working" and
"completed". As I said, both "working" and "completed" inherit from
"root_folder", except "completed" has an extra explicit Deny permission on
top of what's inherited. The purpose of this deny permission is to explicitly
deny everything but read access to Users members in "completed".

I'm aware that Creator/Owner permissions kick in as soon as a member of Users
creates a folder in "working", and then moves it to "completed". This is why
I put the Deny permission in place on "completed" - to explicitly override
that. In fact, with it being the only explicit Deny permission, it should
override all Allow permissions of each folder in "completed" - and it does.
However, instead of affecting just members of the Users group, this Deny
permission also affects members of the Administrators group, for no apparent
reason. That is, members of the Administrators group are also denied
everything except read access to the "completed" folder - even though the
permission is set only for the Users group.

I want to be able to have a folder in "working" with full access to Users,
and then have an Administrator move it to "completed", and by doing so,
automatically make the folder read-only to Users. I want Administrators to
retain full control over both folders at all times.

Thanks again for the help.

--
dima
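
A model of how Windows evaluates a DACL, applied to the "completed" folder as described in this thread (an added example, not code from any poster). The simplified rights, the token contents and the "Staff" group are assumptions; in particular it assumes the administrator's logon token carries the Users SID, which `whoami /groups` on the server would confirm or rule out.

```python
from dataclasses import dataclass

# Simplified rights for the model; constructed values, not real NTFS access-mask bits.
RIGHTS = {"READ": 1, "WRITE": 2, "DELETE": 4, "CHANGE_PERMISSIONS": 8}
FULL = sum(RIGHTS.values())

@dataclass(frozen=True)
class Ace:
    kind: str               # "deny" or "allow"
    trustee: str            # account or group name standing in for a SID
    mask: int
    inherited: bool = False

def canonical(dacl):
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(token, dacl, desired):
    """Walk the ACEs in order. A matching deny on a bit that is still needed fails
    the request; matching allows accumulate until every requested bit is granted."""
    remaining = desired
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False

def effective(token, dacl):
    """Names of the rights this token is granted when each is requested on its own."""
    return {n for n, bit in RIGHTS.items() if access_check(token, dacl, bit)}

def completed_dacl(deny_trustee):
    """DACL of the "completed" folder as described in the thread: one explicit deny
    of everything except read, plus the allows inherited from root_folder."""
    return [
        Ace("deny", deny_trustee, FULL & ~RIGHTS["READ"]),
        Ace("allow", "Administrators", FULL, inherited=True),
        Ace("allow", "Users", FULL, inherited=True),
    ]

# Constructed tokens. Assumption: the administrator's logon token also carries the
# Users SID (by default Users contains Authenticated Users and INTERACTIVE).
ADMIN = {"Administrator", "Administrators", "Users"}
ALICE = {"alice", "Users", "Staff"}          # "Staff" is a hypothetical group

if __name__ == "__main__":
    print(effective(ADMIN, completed_dacl("Users")))   # deny matches the admin token too
    print(effective(ALICE, completed_dacl("Users")))
    print(effective(ADMIN, completed_dacl("Staff")))   # deny scoped to a non-admin group
```

A deny ACE is matched against every SID in the caller's token and is evaluated before the inherited allows, so it applies to any account whose token includes the denied group, whatever other groups that account belongs to.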

Posted by dima on November 19, 2007, 10:47 am
> I'm aware that Creator/Owner permissions kick in as soon as a member
> of Users creates a folder in "working", and then moves it to "completed".

The last part should read: and that folder is then moved to "completed".

--
dima