Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Permissions at file level is causing me problems....

Posted on 2006-05-19
5
Medium Priority
?
258 Views
Last Modified: 2013-12-04
I've raised this problem in another question, but didn't get any answer, but now I found the specific problem:

I ran into the problem on my server (SBS 2003) first when trying to control permissions at file level. I thought I did something wrong on the server so I recreated the scenario on my home computer (Windows XP Pro). I'll try to explain as good as I can:

On my home computer I have one account lets call it "Mainaccount" it has administrator rights.

I then created account number 2 called "Testaccount". It has limited rights.

When loggen in as "Mainaccount" I created a folder: "c:\testfolder"

In testfolder properties, open security tab, advanced, remove inheritance. Clean all permissions, then add "Mainaccount" full control, add "Testaccount" full control.

ok move a file into "c:\testfolder". eg. "test.txt".

Open properties for test.txt go to security tab, advanced. remove inheritance, clean all permissions, add "Mainaccount" full control. Click ok.

Now you are in the security tab and not in advanced. Add "testaccount" and click "read".  Click apply.

Just to check everything go to back into advance tab, and choose the "Effective Permissions" Tab. Now Choose the "Testaccount" and see that it has only read permissions. Click "ok" until you are out.

Log off, and log on as "Testaccount" go "c:\testfolder". You can see the "test.txt". It should be write/delete protected. However choose it, push delete and its gone.

My question... How can that be???
0
Comment
Question by:Zoodiaq
5 Comments
 
LVL 16

Expert Comment

by:mdiglio
ID: 16719379
Hi Zoodiaq,

SETUP: File Delete Child Directory Permission in NTFS
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q152763

"Windows NT supports a hidden permission called File Delete Child (FDC) on NTFS volumes. Users who have full control permission on a volume or directory also have the FDC permission. This permission allows a user to delete files at the root level of the directory where they have full control, even if they do not have any permissions on the specific file itself. "
0
 
LVL 16

Accepted Solution

by:
mdiglio earned 2000 total points
ID: 16719699
On the testfolder there is an entry called 'delete subfolders and file' this is set to 'Allow'
for the 'testaccount' because they have Full Control.
Removing this entry will give you the desired effect

This article might help shed some light on the problem

http://www.microsoft.com/technet/technetmag/issues/2005/11/HowITWorksNTFS/default.aspx

"The evaluation starts at the child and checks the permissions at that level before continuing up the tree. This process goes level by level until one of three things happen:

If the evaluation finds a Deny for the requested action, the evaluation stops and the action is denied.
If the evaluation finds an Allow for the requested action, the evaluation stops and the action is allowed.
If the evaluation made it to the top of the tree and the action does not have an Allow or Deny permission specified, the action is still denied."
0
 
LVL 16

Expert Comment

by:Kevin Hays
ID: 16725950
Why not just go into the advanced options and select deny for "delete" on the file for the TestAccount?  I did the exact same thing you did only thing I did different was just go into the advanced set of NTFS permissions and tick deny for "delete".  This is of course on the file itself on not the folder.

Remember Deny takes presedence over anything if it's checked.

Also if you share the folder give everyone full control on the share permissions and set the actual permissions via the NTFS tab.  The most restrictive permissions will take presedence and will therefore be the one that is in effect.

regards,

kshays
0
 
LVL 2

Expert Comment

by:logic0004
ID: 16731852
Well the way it works is that if u give "Full Control" to the user at the folder level then the user automatically gets the delete permission to the file. So when u have assigned the "testaccount" with full permission to the folder, go to Advanced and highlight that user and click "Edit" and Deny Delete permissions. and do rest the same as u r doing...

Hope it works...
0
 

Author Comment

by:Zoodiaq
ID: 16732123
mdiglio you solved my problems again. How would it be possible to know, that M$ made the settings so difficult to control:

Now to explain what I did, and what worked:

As long as the user has full control over the parent library it doesn't matter what settings you change on the files in that folder the user will be able to delete, even with "deny" permissions.

The trick is to give the user all permissions expect full control in the parent library, then you are able to write-protect files in the folder. However two things to remember:

1) If the user is the owner of either the file or owner of a owner of parent folderthat the user has access to it is possible for the user to reset the permissions.
2) If the user is an administrator it seems that the user can take ownership no matter what, and reset the permissions.

I learned most of it from trying myself and from the links for mdiglio, thx.

Zoodiaq
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
Screencast - Getting to Know the Pipeline
Is your OST file inaccessible, Need to transfer OST file from one computer to another? Want to convert OST file to PST? If the answer to any of the above question is yes, then look no further. With the help of Stellar OST to PST Converter, you can e…
Suggested Courses
Course of the Month10 days, 8 hours left to enroll

572 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question