Permissions question

I have set it up that way and everything seems to work, except the person who
copied the file into the folder can still delete it. They don't want that
person to be able to delete it once he places the file in the folder.

The test files I have copied have been from a local hard drive on the
workstation, but the owner who copied it can delete the file from the sub
folder. Someone else in the group can not delete it.

Am I missing something, or is this just the way ownership works?

Thanks

Bill A.

"Manny Borges" wrote:

> On the parent folder :
>
> Grant generic read access to the a group you have made for this purpose.
> Go to special permissions and allow create files/write data. Deny create
> folder/append data and delete.
>
> Any files copied into this directory will inherit the permissions.
> Any file moved from within the same volume will not.
> Thats just how inheritence works.
>
> --
> Manny Borges
> MCSE NT4-2003 (+ Security)
> MCT, Certified Cheese Master
>
> There are 10 kinds of people in the world. Those who do understand binary
> and those who don't.
> "Bill A" <Bill A DeleteThis @discussions.microsoft.com> wrote in message
> news:4C9621B1-C0D6-4C90-80D9-C2D0E4900734@microsoft.com...
> >I have a request for a folder within a share on a Windows Server 2003 in a
> > Windows 2000 domain which contains 2 sub folders. The users want 2 groups
> > of
> > user permissions:
> >
> > 1 - Full Control over files in the sub folders. Obviously, no problem.
> >
> > 2 - Allow users to copy files in the sub folders. See the files that are
> > in
> > those sub folders. Deny modify or delete them once they have placed the
> > files in the sub folders.
> >
> > The folder exists in the root of a share that is a wide open share where
> > "All Employees" have full control over the share and they use this mapped
> > drive to share files with people in other offices. (We have 15 offices on
> > our
> > frame network)
> >
> > I have tried a number of ways to setup permissions on the second group,
> > but
> > have not been able to make it happen.
> >
> > Any suggestions on how to set permissions on the second group to give them
> > what they want.
> >
> > Thanks in advance for your help.
> >
>
>
>
 >> Stay informed about: Permissions question 

No that isn't how ownership works.
Ownership allows you to change the permissions on a file, but if an explicit
deny is stated in the parent folder that denys deleting subfiles those files
can not be deleted unless the owner changes the permissions.

I tested on my own systems, and if you did exactly what I wrote down then
the files should not be able to be deleted by anyone.

There is an old POSIX backdoor hole, and that is why you must go to the
parent folders special permssions and deny the delete child objects
permission.

--
Manny Borges
MCSE NT4-2003 (+ Security)
MCT, Certified Cheese Master

There are 10 kinds of people in the world. Those who do understand binary
and those who don't.
"Bill A" <BillA RemoveThis @discussions.microsoft.com> wrote in message
news:66FC6200-1B2A-494A-B751-C70A21A08C1A@microsoft.com...
>I have set it up that way and everything seems to work, except the person
>who
> copied the file into the folder can still delete it. They don't want that
> person to be able to delete it once he places the file in the folder.
>
> The test files I have copied have been from a local hard drive on the
> workstation, but the owner who copied it can delete the file from the sub
> folder. Someone else in the group can not delete it.
>
> Am I missing something, or is this just the way ownership works?
>
> Thanks
>
> Bill A.
>
> "Manny Borges" wrote:
>
>> On the parent folder :
>>
>> Grant generic read access to the a group you have made for this purpose.
>> Go to special permissions and allow create files/write data. Deny create
>> folder/append data and delete.
>>
>> Any files copied into this directory will inherit the permissions.
>> Any file moved from within the same volume will not.
>> Thats just how inheritence works.
>>
>> --
>> Manny Borges
>> MCSE NT4-2003 (+ Security)
>> MCT, Certified Cheese Master
>>
>> There are 10 kinds of people in the world. Those who do understand binary
>> and those who don't.
>> "Bill A" <Bill A RemoveThis @discussions.microsoft.com> wrote in message
>> news:4C9621B1-C0D6-4C90-80D9-C2D0E4900734@microsoft.com...
>> >I have a request for a folder within a share on a Windows Server 2003 in
>> >a
>> > Windows 2000 domain which contains 2 sub folders. The users want 2
>> > groups
>> > of
>> > user permissions:
>> >
>> > 1 - Full Control over files in the sub folders. Obviously, no problem.
>> >
>> > 2 - Allow users to copy files in the sub folders. See the files that
>> > are
>> > in
>> > those sub folders. Deny modify or delete them once they have placed
>> > the
>> > files in the sub folders.
>> >
>> > The folder exists in the root of a share that is a wide open share
>> > where
>> > "All Employees" have full control over the share and they use this
>> > mapped
>> > drive to share files with people in other offices. (We have 15 offices
>> > on
>> > our
>> > frame network)
>> >
>> > I have tried a number of ways to setup permissions on the second group,
>> > but
>> > have not been able to make it happen.
>> >
>> > Any suggestions on how to set permissions on the second group to give
>> > them
>> > what they want.
>> >
>> > Thanks in advance for your help.
>> >
>>
>>
>>
 >> Stay informed about: Permissions question 

Manny:

Thanks for the quick reply.

I found that I have CREATOR OWNER conencted to that folder.

If I don't allow "delete" and "delete subfolders and files" or totally
remove CREATOR OWNER from the parent folder then the person who created the
file can not delete it.

Do you have CREATOR OWNER permissions on that folder?

Bill A

"Manny Borges" wrote:

> No that isn't how ownership works.
> Ownership allows you to change the permissions on a file, but if an explicit
> deny is stated in the parent folder that denys deleting subfiles those files
> can not be deleted unless the owner changes the permissions.
>
> I tested on my own systems, and if you did exactly what I wrote down then
> the files should not be able to be deleted by anyone.
>
> There is an old POSIX backdoor hole, and that is why you must go to the
> parent folders special permssions and deny the delete child objects
> permission.
>
> --
> Manny Borges
> MCSE NT4-2003 (+ Security)
> MCT, Certified Cheese Master
>
> There are 10 kinds of people in the world. Those who do understand binary
> and those who don't.
> "Bill A" <BillA.TakeThisOut@discussions.microsoft.com> wrote in message
> news:66FC6200-1B2A-494A-B751-C70A21A08C1A@microsoft.com...
> >I have set it up that way and everything seems to work, except the person
> >who
> > copied the file into the folder can still delete it. They don't want that
> > person to be able to delete it once he places the file in the folder.
> >
> > The test files I have copied have been from a local hard drive on the
> > workstation, but the owner who copied it can delete the file from the sub
> > folder. Someone else in the group can not delete it.
> >
> > Am I missing something, or is this just the way ownership works?
> >
> > Thanks
> >
> > Bill A.
> >
> > "Manny Borges" wrote:
> >
> >> On the parent folder :
> >>
> >> Grant generic read access to the a group you have made for this purpose.
> >> Go to special permissions and allow create files/write data. Deny create
> >> folder/append data and delete.
> >>
> >> Any files copied into this directory will inherit the permissions.
> >> Any file moved from within the same volume will not.
> >> Thats just how inheritence works.
> >>
> >> --
> >> Manny Borges
> >> MCSE NT4-2003 (+ Security)
> >> MCT, Certified Cheese Master
> >>
> >> There are 10 kinds of people in the world. Those who do understand binary
> >> and those who don't.
> >> "Bill A" <Bill A.TakeThisOut@discussions.microsoft.com> wrote in message
> >> news:4C9621B1-C0D6-4C90-80D9-C2D0E4900734@microsoft.com...
> >> >I have a request for a folder within a share on a Windows Server 2003 in
> >> >a
> >> > Windows 2000 domain which contains 2 sub folders. The users want 2
> >> > groups
> >> > of
> >> > user permissions:
> >> >
> >> > 1 - Full Control over files in the sub folders. Obviously, no problem.
> >> >
> >> > 2 - Allow users to copy files in the sub folders. See the files that
> >> > are
> >> > in
> >> > those sub folders. Deny modify or delete them once they have placed
> >> > the
> >> > files in the sub folders.
> >> >
> >> > The folder exists in the root of a share that is a wide open share
> >> > where
> >> > "All Employees" have full control over the share and they use this
> >> > mapped
> >> > drive to share files with people in other offices. (We have 15 offices
> >> > on
> >> > our
> >> > frame network)
> >> >
> >> > I have tried a number of ways to setup permissions on the second group,
> >> > but
> >> > have not been able to make it happen.
> >> >
> >> > Any suggestions on how to set permissions on the second group to give
> >> > them
> >> > what they want.
> >> >
> >> > Thanks in advance for your help.
> >> >
> >>
> >>
> >>
>
>
>
 >> Stay informed about: Permissions question 

Ahh ! I see where the disconnect is.

Yes, remove creator owner and only list those explicit groups that will
access the folder.

I apologise, I always rip all the permissions off first and then build from
the ground up what is required.

--
Manny Borges
MCSE NT4-2003 (+ Security)
MCT, Certified Cheese Master

There are 10 kinds of people in the world. Those who do understand binary
and those who don't.
"Bill A" <BillA.DeleteThis@discussions.microsoft.com> wrote in message
news:B18E8F5D-9981-4CCB-B173-E2DBFFBD1738@microsoft.com...
> Manny:
>
> Thanks for the quick reply.
>
> I found that I have CREATOR OWNER conencted to that folder.
>
> If I don't allow "delete" and "delete subfolders and files" or totally
> remove CREATOR OWNER from the parent folder then the person who created
> the
> file can not delete it.
>
> Do you have CREATOR OWNER permissions on that folder?
>
> Bill A
>
> "Manny Borges" wrote:
>
>> No that isn't how ownership works.
>> Ownership allows you to change the permissions on a file, but if an
>> explicit
>> deny is stated in the parent folder that denys deleting subfiles those
>> files
>> can not be deleted unless the owner changes the permissions.
>>
>> I tested on my own systems, and if you did exactly what I wrote down then
>> the files should not be able to be deleted by anyone.
>>
>> There is an old POSIX backdoor hole, and that is why you must go to the
>> parent folders special permssions and deny the delete child objects
>> permission.
>>
>> --
>> Manny Borges
>> MCSE NT4-2003 (+ Security)
>> MCT, Certified Cheese Master
>>
>> There are 10 kinds of people in the world. Those who do understand binary
>> and those who don't.
>> "Bill A" <BillA.DeleteThis@discussions.microsoft.com> wrote in message
>> news:66FC6200-1B2A-494A-B751-C70A21A08C1A@microsoft.com...
>> >I have set it up that way and everything seems to work, except the
>> >person
>> >who
>> > copied the file into the folder can still delete it. They don't want
>> > that
>> > person to be able to delete it once he places the file in the folder.
>> >
>> > The test files I have copied have been from a local hard drive on the
>> > workstation, but the owner who copied it can delete the file from the
>> > sub
>> > folder. Someone else in the group can not delete it.
>> >
>> > Am I missing something, or is this just the way ownership works?
>> >
>> > Thanks
>> >
>> > Bill A.
>> >
>> > "Manny Borges" wrote:
>> >
>> >> On the parent folder :
>> >>
>> >> Grant generic read access to the a group you have made for this
>> >> purpose.
>> >> Go to special permissions and allow create files/write data. Deny
>> >> create
>> >> folder/append data and delete.
>> >>
>> >> Any files copied into this directory will inherit the permissions.
>> >> Any file moved from within the same volume will not.
>> >> Thats just how inheritence works.
>> >>
>> >> --
>> >> Manny Borges
>> >> MCSE NT4-2003 (+ Security)
>> >> MCT, Certified Cheese Master
>> >>
>> >> There are 10 kinds of people in the world. Those who do understand
>> >> binary
>> >> and those who don't.
>> >> "Bill A" <Bill A.DeleteThis@discussions.microsoft.com> wrote in message
>> >> news:4C9621B1-C0D6-4C90-80D9-C2D0E4900734@microsoft.com...
>> >> >I have a request for a folder within a share on a Windows Server 2003
>> >> >in
>> >> >a
>> >> > Windows 2000 domain which contains 2 sub folders. The users want 2
>> >> > groups
>> >> > of
>> >> > user permissions:
>> >> >
>> >> > 1 - Full Control over files in the sub folders. Obviously, no
>> >> > problem.
>> >> >
>> >> > 2 - Allow users to copy files in the sub folders. See the files
>> >> > that
>> >> > are
>> >> > in
>> >> > those sub folders. Deny modify or delete them once they have placed
>> >> > the
>> >> > files in the sub folders.
>> >> >
>> >> > The folder exists in the root of a share that is a wide open share
>> >> > where
>> >> > "All Employees" have full control over the share and they use this
>> >> > mapped
>> >> > drive to share files with people in other offices. (We have 15
>> >> > offices
>> >> > on
>> >> > our
>> >> > frame network)
>> >> >
>> >> > I have tried a number of ways to setup permissions on the second
>> >> > group,
>> >> > but
>> >> > have not been able to make it happen.
>> >> >
>> >> > Any suggestions on how to set permissions on the second group to
>> >> > give
>> >> > them
>> >> > what they want.
>> >> >
>> >> > Thanks in advance for your help.
>> >> >
>> >>
>> >>
>> >>
>>
>>
>>
 >> Stay informed about: Permissions question 

My configuration is similar to Manny's, but I usually allow the person
who creates the file to delete it by setting CREATOR OWNER to have only
the delete permission on the parent folder, otherwise I get a behavior
where saving a file becomes application specific. It would work for MS
Word 2003, requires the user to save twice with Excel, denies writing
the file in Adobe/Macromedia products.

In any case, the temp files created by these applications don't get
deleted, which can over time be a waste of space and confusing to the
users, since they often land in the same folder where the file is
saved. So... CREATOR OWNER->Explicit delete.


/*Rado*/

Manny Borges Wrote:
> Ahh ! I see where the disconnect is.
>
> Yes, remove creator owner and only list those explicit groups that
> will
> access the folder.
>
> I apologise, I always rip all the permissions off first and then build
> from
> the ground up what is required.
>
> --
> Manny Borges
> MCSE NT4-2003 (+ Security)
> MCT, Certified Cheese Master
>
> There are 10 kinds of people in the world. Those who do understand
> binary
> and those who don't.
> "Bill A" <BillA RemoveThis @discussions.microsoft.com> wrote in message
> news:B18E8F5D-9981-4CCB-B173-E2DBFFBD1738@microsoft.com...
> > Manny:
> >
> > Thanks for the quick reply.
> >
> > I found that I have CREATOR OWNER conencted to that folder.
> >
> > If I don't allow "delete" and "delete subfolders and files" or
> totally
> > remove CREATOR OWNER from the parent folder then the person who
> created
> > the
> > file can not delete it.
> >
> > Do you have CREATOR OWNER permissions on that folder?
> >
> > Bill A
> >
> > "Manny Borges" wrote:
> >
> >> No that isn't how ownership works.
> >> Ownership allows you to change the permissions on a file, but if an
> >> explicit
> >> deny is stated in the parent folder that denys deleting subfiles
> those
> >> files
> >> can not be deleted unless the owner changes the permissions.
> >>
> >> I tested on my own systems, and if you did exactly what I wrote down
> then
> >> the files should not be able to be deleted by anyone.
> >>
> >> There is an old POSIX backdoor hole, and that is why you must go to
> the
> >> parent folders special permssions and deny the delete child objects
> >> permission.
> >>
> >> --
> >> Manny Borges
> >> MCSE NT4-2003 (+ Security)
> >> MCT, Certified Cheese Master
> >>
> >> There are 10 kinds of people in the world. Those who do understand
> binary
> >> and those who don't.
> >> "Bill A" <BillA RemoveThis @discussions.microsoft.com> wrote in message
> >> news:66FC6200-1B2A-494A-B751-C70A21A08C1A@microsoft.com...
> >> >I have set it up that way and everything seems to work, except the
> >> >person
> >> >who
> >> > copied the file into the folder can still delete it. They don't
> want
> >> > that
> >> > person to be able to delete it once he places the file in the
> folder.
> >> >
> >> > The test files I have copied have been from a local hard drive on
> the
> >> > workstation, but the owner who copied it can delete the file from
> the
> >> > sub
> >> > folder. Someone else in the group can not delete it.
> >> >
> >> > Am I missing something, or is this just the way ownership works?
> >> >
> >> > Thanks
> >> >
> >> > Bill A.
> >> >
> >> > "Manny Borges" wrote:
> >> >
> >> >> On the parent folder :
> >> >>
> >> >> Grant generic read access to the a group you have made for this
> >> >> purpose.
> >> >> Go to special permissions and allow create files/write data.
> Deny
> >> >> create
> >> >> folder/append data and delete.
> >> >>
> >> >> Any files copied into this directory will inherit the
> permissions.
> >> >> Any file moved from within the same volume will not.
> >> >> Thats just how inheritence works.
> >> >>
> >> >> --
> >> >> Manny Borges
> >> >> MCSE NT4-2003 (+ Security)
> >> >> MCT, Certified Cheese Master
> >> >>
> >> >> There are 10 kinds of people in the world. Those who do
> understand
> >> >> binary
> >> >> and those who don't.
> >> >> "Bill A" <Bill A RemoveThis @discussions.microsoft.com> wrote in message
> >> >> news:4C9621B1-C0D6-4C90-80D9-C2D0E4900734@microsoft.com...
> >> >> >I have a request for a folder within a share on a Windows Server
> 2003
> >> >> >in
> >> >> >a
> >> >> > Windows 2000 domain which contains 2 sub folders. The users
> want 2
> >> >> > groups
> >> >> > of
> >> >> > user permissions:
> >> >> >
> >> >> > 1 - Full Control over files in the sub folders. Obviously, no
> >> >> > problem.
> >> >> >
> >> >> > 2 - Allow users to copy files in the sub folders. See the
> files
> >> >> > that
> >> >> > are
> >> >> > in
> >> >> > those sub folders. Deny modify or delete them once they have
> placed
> >> >> > the
> >> >> > files in the sub folders.
> >> >> >
> >> >> > The folder exists in the root of a share that is a wide open
> share
> >> >> > where
> >> >> > "All Employees" have full control over the share and they use
> this
> >> >> > mapped
> >> >> > drive to share files with people in other offices. (We have 15
> >> >> > offices
> >> >> > on
> >> >> > our
> >> >> > frame network)
> >> >> >
> >> >> > I have tried a number of ways to setup permissions on the
> second
> >> >> > group,
> >> >> > but
> >> >> > have not been able to make it happen.
> >> >> >
> >> >> > Any suggestions on how to set permissions on the second group
> to
> >> >> > give
> >> >> > them
> >> >> > what they want.
> >> >> >
> >> >> > Thanks in advance for your help.
> >> >> >
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>


--
rrafiringa
------------------------------------------------------------------------
rrafiringa's Profile: http://forums.techarena.in/member.php?userid=18734
View this thread: http://forums.techarena.in/showthread.php?t=495942

http://www.techarena.in
 >> Stay informed about: Permissions question