Windows 2000 modify / delete permissions



3 Posts
Joined 2004-08-05
Hi,
I've been looking for an answer for this issue for months now to no avail. Maybe someone here can help.
 
Windows 2000 server -
Shared Data directory with share permissions wide open to all users (all sub directories locked down with NTFS permissions).
Engineering subdirectory - Not allowing inheritance. Engineering DLG (domain local group) had modify permissions, but a regulatory requirement dictated that users in this group could not delete ANY files or folders. Since modify permissions natively allow the delete permission (but not the delete subfolders & files), I unchecked the delete permission within the "Advanced" properties of the Access Control Settings. After doing this and going back to the previous screen (security properties), the modify permission is unchecked and only Read, Write, Read & Execute, and List Folder Contents are checked.
 
At the surface, this would seem fine; however, now users cannot even save files to this directory (but they should be able to based on the Write permission). While saving, a bogus error is output, and an empty file with the chosen name is saved with no data in it. Unfortunately, this is repeatable within every PC and server in my environment. Alternatively, if I explicitly "Deny" delete permissions (within the Advanced properties of the Access Control Settings) it maintains the "modify" attribute, but users can still delete files and folders.
 
All servers and PCs are up to current service packs and hotfixes, and there are no share vs. NTFS permission conflicts or NTFS vs. NTFS permission conflicts (i.e. least restrictive vs. most restrictive, etc...).
 
Any thoughts?


Responses to this topic


3 Posts
Joined 2004-08-05
OP
The problem with this is that there could be three hundred "files" at any one time. Additionally, there are new files being generated in this directory every day which would mean constant monitoring and editing permissions etc...
 
I just figure that this is some kind of "feature" I'm overlooking, or possibly a known issue that someone else has run into.
 
Thanks...

3 Posts
Joined 2004-08-05
OP
Hi,
 
I just wanted to let you know that I am leaving for the day, but I intend to take my laptop home, and re-read your thread in its entirety. What you're saying makes sense, but there is a lot of information and I have to have time to mull it over (in a more peaceful environment than work ;-)
Thanks for your help, I will write back tonight / tomorrow AM.
 
Thanks!

1 Posts
Joined 2004-08-23
I am experiencing this same problem. Did you ever find a resolution?

125 Posts
Joined 2002-03-26
I've created a folder and set it up so that it did not inherit rights, then I removed all rights and added only my user account to the security tab.
 
Under Advanced Rights, I have the following allowed:
 
Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Create Files / Write Data
Create Folders / Append Data
Write Attributes
Write Extended Attributes
Read Permissions
 
I then reset permissions on all child objects and enabled propagation of inheritable permissions.
 
I can't recreate the issue you are experiencing here. Is there something I've missed perhaps?
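
The access-mask arithmetic behind the checkboxes discussed in this thread, as an added example that is not part of any post: it shows which basic permissions remain satisfied once Delete is cleared from Modify, and that the nine rights listed in the last reply add up to the same mask. Bit values are the file access rights from winnt.h and the basic-permission masks follow the FILE_GENERIC_* definitions; the function names, the "box is checked when all its bits are present" model and the handling of SYNCHRONIZE are assumptions of this example.

```python
# Added example: NTFS access-mask arithmetic for the ACEs discussed in this thread.
SPECIAL = {  # advanced ("special") permissions and their winnt.h bits
    "Traverse Folder / Execute File": 0x000020,
    "List Folder / Read Data":        0x000001,
    "Read Attributes":                0x000080,
    "Read Extended Attributes":       0x000008,
    "Create Files / Write Data":      0x000002,
    "Create Folders / Append Data":   0x000004,
    "Write Attributes":               0x000100,
    "Write Extended Attributes":      0x000010,
    "Delete Subfolders and Files":    0x000040,
    "Delete":                         0x010000,
    "Read Permissions":               0x020000,
    "Change Permissions":             0x040000,
    "Take Ownership":                 0x080000,
}
SYNCHRONIZE = 0x100000  # has no checkbox of its own; ignored when comparing (assumption)

BASIC = {  # basic permissions as full access masks
    "Full Control":         0x1F01FF,
    "Modify":               0x1301BF,
    "Read & Execute":       0x1200A9,
    "List Folder Contents": 0x1200A9,
    "Read":                 0x120089,
    "Write":                0x120116,
}

def mask_of(names):
    """OR together the bits of the named special permissions."""
    mask = 0
    for name in names:
        mask |= SPECIAL[name]
    return mask

def basic_checkboxes(mask):
    """Basic permissions whose every bit (SYNCHRONIZE aside) is present in mask."""
    return [n for n, need in BASIC.items() if need & ~mask & ~SYNCHRONIZE == 0]

def missing_for(basic, mask):
    """Special permissions that mask lacks for the given basic permission."""
    gap = BASIC[basic] & ~mask & ~SYNCHRONIZE
    return [n for n, bit in SPECIAL.items() if gap & bit]

# The original post: Modify with only the Delete bit cleared.
MODIFY_WITHOUT_DELETE = BASIC["Modify"] & ~SPECIAL["Delete"]
# The last reply: the nine rights it lists, i.e. all except these four.
NOT_LISTED = {"Delete Subfolders and Files", "Delete", "Change Permissions", "Take Ownership"}
REPLY_RIGHTS = mask_of(n for n in SPECIAL if n not in NOT_LISTED)

if __name__ == "__main__":
    print(hex(MODIFY_WITHOUT_DELETE), basic_checkboxes(MODIFY_WITHOUT_DELETE))
    print(hex(REPLY_RIGHTS), missing_for("Modify", REPLY_RIGHTS))
```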