Agrh... stuck in NTFS permissions.

Hello, experts.
This is my first post to this list and I'm not a kind of 'IT pro' so excuse me if this question is too newbie :)

Here's my situation:
Consider a folder, say, 'root-folder' containing some subfolders/files on NTFS5 partition including 'special' folder in the root of 'root-folder'. I want to set NTFS permissions for 'root-folder' and all files/folders except 'special' to full access to particular user. For 'special' folder I want to set r/o access, so nobody can change content of folder or rename this folder. And last is the problem for me. Even if 'special' folder does not inherit permissions and explicit permissions set to read/execute/list content, the user CAN RENAME this folder.
So the question is: How can I protect particular folder from renaming and leave other folders on same level r/w using NTFS security? What did I miss?

Thanks in advance.

4auHuk.

VahikCommented:
From Designing Microsoft Windows 2000 Network Security, chapter 6:
If permissions for a resource are inherited you can't remove them directly. You must copy the inherited
permissions to the folder, thus breaking the inheritance, and then remove the individual Access Control
Entry (ACE) from the Discretionary Access Control List (DACL). Is this how u removed the inheritance?
mdiglioCommented:
Hello,

You are not missing anything; sometimes even with NTFS it is difficult to manage permissions on such a small scale.

From your post it looks like you removed the inheritance from the 'special' folder.
If you didn't from the security tab >> click advanced >> 
on the permissions tab uncheck "inherit from parent the permissions ...."

This will allow you to arrange permissions the way you would like.
Always keep someone that has full control such as the administrator's group.

To prevent a certain group or user from renaming a folder you will have to follow these directions:
from the security tab of the special folder click advanced >> on the permissions tab highlight the user/group
you would like to NOT be able to rename this folder >> click Edit >>
uncheck the advanced DELETE permission under the allow column

Sometimes even this is not enough and you must deny this delete entry.
That is why I recommend you make sure someone has full control over this folder as a just-in-case measure.

Hope this helps!
mdiglioCommented:
sorry Vahik - took me a long time to type and to gather my thoughts :0
4auHukAuthor Commented:
Thank you for reply.

2Vahik: Maybe I didn't make it clear (sorry, English is not my native), but, yes I break inheritance by unchecking "Inherit from parent... " checkbox and press "Copy" in pop-up box. Then I tried to customize (I called it 'explicit permissions') Discretionary ACL.

2mdiglio: I'll try that "delete" permission and will repost.

Thanks again :)
VahikCommented:
Mdiglio, I usually post in exchange section and it happens all the time. I do not post for points and I like confirmation
on my posts. I type 6 words per hour with my glasses on and I started typing for this question yesterday. I never learned how to type and that is why I stayed independent.
4auHukAuthor Commented:
Still can rename folder :(

Here's my setup:

c:\root
           \root.file
            \special.folder
                                  \special.file
            \other.folder
                                \other.file

root:
Administrator:   allow full access
4auHuk:            allow full access

other.folder
inherit permissions

special.folder
do not inherit permissions
Administrator:   allow full access
4auHuk:            allow read&execute, list folder contents, read; deny delete

Result: can rename 'special' folder. Furthermore, if 'special' is empty, can delete it.

Correct me if I'm wrong, but isn't it that the ability to rename folder is granted in *parent* folder's advanced permissions? And blocking inheritance can't help because parent folder's properties says "this user can do anything with all subfolders/files".
Whatever I set in 'special' folder's properties is valid to its files/subfolders rather than to 'special' folder itself as object.
So in my case I can't set different permission to 'special' and 'other' folders *themselves*.
Or am I completely wrong?

P.S. Just noticed mistyping in my first post.
In
"I want to set NTFS permissions for 'root-folder' and all files/folders except "
I mean
"I want to set NTFS permissions for 'root-folder' and all its files/subfolders except "
mdiglioCommented:
Hello,
Ok we'll get this!

>>Correct me if I'm wrong, but isn't it that the ability to rename folder is granted in *parent* folder's advanced permissions? And blocking inheritance can't help because parent folder's properties says "this user can do anything with all subfolders/files".

Great point! So in addition to what I said earlier about the advanced 'delete' permission on the special folder
you should try changing the advanced 'delete sub folders and files' permission on c:\root

If this is an XP machine you are working on jump over to the 'effective permissions' tab and
start using that for troubleshooting

VahikCommented:
Also make sure 4auHuk is not the one who created the special file or folder.
4auHukAuthor Commented:
>you should try changing the advanced 'delete sub folders and files' permission on c:\root
Sadly, I *need* to be able to 'delete subfolders and files' except 'special' folder.

...pause...

Hey! It works! :) Just cleared that box and voila.

But how - that still escapes me. Well, NTFS permissions is not so plain thing. I will spend some time to figure this out... :)
Already started to understand...

Thanks a lot, mdiglio. Here goes 125pts :)
Thanks for reply again, Vahik.
VahikCommented:
Thank u guys for the lesson.
Again from the book.
Delete Subfolders and Files. Allows or denies deleting subfolders and files when applied at parent
folder, even if the Delete permission has not been granted on the specific subfolder or file. Interesting.
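
The rule quoted from the book, applied to the layout posted earlier in the thread, as an added example that is not part of any participant's post. It is a simplified model of the delete/rename decision only: the names `Folder`, `can_delete_or_rename`, `build` and `outcome` are hypothetical, and ACE ordering, ownership, privileges and the create rights needed on a rename destination are left out.

```python
from dataclasses import dataclass, field
from typing import Optional

# Right names as they appear in the advanced permission editor (subset).
DELETE = "Delete"
DELETE_CHILD = "Delete Subfolders and Files"
READ = "Read"


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    inherit: bool = True                         # "inherit from parent" checkbox
    allow: dict = field(default_factory=dict)    # user -> set of allowed rights
    deny: dict = field(default_factory=dict)     # user -> set of denied rights

    def aces(self, kind, user):
        """Rights from this folder's own ACEs plus any inherited from the parent."""
        rights = set(getattr(self, kind).get(user, ()))
        if self.inherit and self.parent is not None:
            rights |= self.parent.aces(kind, user)
        return rights

    def granted(self, user, right):
        # Simplification: any matching deny beats any matching allow.
        return right in self.aces("allow", user) and right not in self.aces("deny", user)


def can_delete_or_rename(folder, user):
    """Delete on the object itself OR Delete Subfolders and Files on its parent."""
    if folder.granted(user, DELETE):
        return True
    return folder.parent is not None and folder.parent.granted(user, DELETE_CHILD)


def build(root_rights, user="4auHuk"):
    """Constructed copy of the thread's layout; only root's rights vary."""
    root = Folder("root", allow={user: set(root_rights)})
    special = Folder("special.folder", parent=root, inherit=False,
                     allow={user: {READ}}, deny={user: {DELETE}})
    other = Folder("other.folder", parent=root)  # inherits everything from root
    return special, other


def outcome(root_rights, user="4auHuk"):
    return {f.name: can_delete_or_rename(f, user) for f in build(root_rights, user)}


if __name__ == "__main__":
    print("full access on root:        ", outcome({READ, DELETE, DELETE_CHILD}))
    print("delete-subfolders cleared:  ", outcome({READ, DELETE}))
```

With the box cleared on root, 'other.folder' stays deletable because it still inherits the plain Delete right for itself, while 'special.folder' has that right denied and no longer gets it from the parent.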
mdiglioCommented:
Hello,
Thank you too!
Clearly I didn't know the proper answer until your post stirred up the dust.
Like I said sometimes when you try to give permissions on such a small level it ends up being more
of a challenge than you would like.

I'm glad you got it working