Permissions at file level are causing me problems...

I've raised this problem in another question but didn't get any answer; now I have found the specific problem:

I ran into the problem on my server (SBS 2003) first when trying to control permissions at file level. I thought I did something wrong on the server, so I recreated the scenario on my home computer (Windows XP Pro). I'll try to explain as well as I can:

On my home computer I have one account, let's call it "Mainaccount"; it has administrator rights.

I then created account number 2 called "Testaccount". It has limited rights.

When logged in as "Mainaccount" I created a folder: "c:\testfolder".

In the testfolder properties, open the Security tab, Advanced, remove inheritance. Clean all permissions, then add "Mainaccount" Full Control, add "Testaccount" Full Control.

OK, move a file into "c:\testfolder", e.g. "test.txt".

Open the properties for test.txt, go to the Security tab, Advanced. Remove inheritance, clean all permissions, add "Mainaccount" Full Control. Click OK.

Now you are in the Security tab and not in Advanced. Add "Testaccount" and tick "Read". Click Apply.

Just to check everything, go back into the Advanced tab and choose the "Effective Permissions" tab. Now choose "Testaccount" and see that it has only read permissions. Click "OK" until you are out.

Log off, and log on as "Testaccount". Go to "c:\testfolder". You can see "test.txt". It should be write/delete protected. However, select it, press Delete, and it's gone.

My question... How can that be???
On the testfolder there is an entry called 'Delete subfolders and files'. This is set to 'Allow' for the 'Testaccount' because it has Full Control.
Removing this entry will give you the desired effect.

This article might help shed some light on the problem

"The evaluation starts at the child and checks the permissions at that level before continuing up the tree. This process goes level by level until one of three things happen:

If the evaluation finds a Deny for the requested action, the evaluation stops and the action is denied.
If the evaluation finds an Allow for the requested action, the evaluation stops and the action is allowed.
If the evaluation made it to the top of the tree and the action does not have an Allow or Deny permission specified, the action is still denied."
Hi Zoodiaq,

SETUP: File Delete Child Directory Permission in NTFS (Microsoft KB q152763)

"Windows NT supports a hidden permission called File Delete Child (FDC) on NTFS volumes. Users who have full control permission on a volume or directory also have the FDC permission. This permission allows a user to delete files at the root level of the directory where they have full control, even if they do not have any permissions on the specific file itself. "
Kevin Hays, IT Analyst, commented:
Why not just go into the advanced options and select Deny for "Delete" on the file for the TestAccount? I did the exact same thing you did; the only thing I did differently was to go into the advanced set of NTFS permissions and tick Deny for "Delete". This is of course on the file itself and not the folder.

Remember, Deny takes precedence over anything if it's checked.

Also, if you share the folder, give Everyone Full Control on the share permissions and set the actual permissions via the NTFS tab. The most restrictive permissions will take precedence and will therefore be the ones in effect.


Well, the way it works is that if you give "Full Control" to the user at the folder level, then the user automatically gets the delete permission on the file. So when you have assigned "testaccount" full permission on the folder, go to Advanced, highlight that user, click "Edit" and Deny the Delete permission, and do the rest the same as you are doing...

Hope it works...
Zoodiaq (author) commented:
mdiglio, you solved my problems again. How would it be possible to know that M$ made the settings so difficult to control?

Now to explain what I did, and what worked:

As long as the user has full control over the parent library, it doesn't matter what settings you change on the files in that folder; the user will be able to delete them, even with "deny" permissions.

The trick is to give the user all permissions except full control in the parent library; then you are able to write-protect files in the folder. However, two things to remember:

1) If the user is the owner of either the file or of a parent folder that the user has access to, it is possible for the user to reset the permissions.
2) If the user is an administrator, it seems that the user can take ownership no matter what, and reset the permissions.

I learned most of it from trying myself and from the links from mdiglio, thanks.
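The working configuration described above (Modify instead of Full Control on the folder, Read only on the file), set up and checked from PowerShell. This is an added example, not code from the thread; it assumes a local limited account named "Testaccount" exists and that the script runs elevated as the admin account, and reuses the folder and file names from the question.

```powershell
# Added example, not from the thread. Assumes a local limited account named
# "Testaccount" exists and that this runs elevated as the admin account.
$folder = 'C:\testfolder'
$file   = Join-Path $folder 'test.txt'
$user   = 'Testaccount'
$admin  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -Path $file -Value 'should not be deletable by Testaccount'

$allow = [System.Security.AccessControl.AccessControlType]::Allow
$sub   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none  = [System.Security.AccessControl.PropagationFlags]::None

function Reset-Dacl($acl) {
    # Stop inheriting from the parent and drop every explicit ACE, which is
    # "remove inheritance / clean all permissions" in the GUI.
    $acl.SetAccessRuleProtection($true, $false)
    $acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
}

# Folder: admin Full Control; test user Modify. Modify is everything in the
# basic tab except Full Control, so it omits DeleteSubdirectoriesAndFiles,
# the right (File Delete Child) that let the Full Control ACE delete test.txt.
$fAcl = Get-Acl $folder
Reset-Dacl $fAcl
$fAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($admin, 'FullControl', $sub, $none, $allow)))
$fAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($user, 'Modify', $sub, $none, $allow)))
Set-Acl -Path $folder -AclObject $fAcl

# File: admin Full Control, test user Read only (files carry no inheritance flags).
$tAcl = Get-Acl $file
Reset-Dacl $tAcl
$tAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($admin, 'FullControl', $allow)))
$tAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($user, 'Read', $allow)))
Set-Acl -Path $file -AclObject $tAcl

# Check: warn if any Allow ACE on the folder still grants the test user
# "Delete subfolders and files"; if it does, the file's own ACL is moot.
$fdc  = [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
$leak = (Get-Acl $folder).Access | Where-Object {
    $_.IdentityReference.Value -like "*$user" -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights) -band $fdc) -ne 0
}
if ($leak) { Write-Warning "$user can still delete files in $folder regardless of file ACLs" }
else       { Write-Host "$user has no 'Delete subfolders and files' right on $folder; test.txt is protected" }
```

Re-run the check after any change to the folder ACL, since granting Full Control to the user (or to a group the user is in) reintroduces the right silently.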
