Permissions at file level are causing me problems...

Posted on 2006-05-19
Last Modified: 2013-12-04
I've raised this problem in another question but didn't get any answer; now I have found the specific problem:

I ran into the problem on my server (SBS 2003) first when trying to control permissions at file level. I thought I did something wrong on the server, so I recreated the scenario on my home computer (Windows XP Pro). I'll try to explain as well as I can:

On my home computer I have one account, let's call it "Mainaccount"; it has administrator rights.

I then created account number 2 called "Testaccount". It has limited rights.

When logged in as "Mainaccount" I created a folder: "c:\testfolder".

In the testfolder properties, open the Security tab, click Advanced and remove inheritance. Clear all permissions, then add "Mainaccount" with Full Control and add "Testaccount" with Full Control.

OK, move a file into "c:\testfolder", e.g. "test.txt".

Open the properties for test.txt, go to the Security tab, then Advanced. Remove inheritance, clear all permissions, add "Mainaccount" with Full Control. Click OK.

Now you are in the Security tab and not in Advanced. Add "Testaccount" and tick "Read". Click Apply.

Just to check everything, go back into the Advanced tab and choose the "Effective Permissions" tab. Now choose "Testaccount" and see that it has only read permissions. Click "OK" until you are out.

Log off and log on as "Testaccount"; go to "c:\testfolder". You can see "test.txt". It should be write/delete protected. However, select it, press Delete and it's gone.

My question... How can that be???
Question by: Zoodiaq

    Expert Comment

    Hi Zoodiaq,

    SETUP: File Delete Child Directory Permission in NTFS (Microsoft KB article Q152763)

    "Windows NT supports a hidden permission called File Delete Child (FDC) on NTFS volumes. Users who have full control permission on a volume or directory also have the FDC permission. This permission allows a user to delete files at the root level of the directory where they have full control, even if they do not have any permissions on the specific file itself. "

    Accepted Solution

    On the testfolder there is an entry called 'Delete subfolders and files'; this is set to 'Allow'
    for 'testaccount' because they have Full Control.
    Removing this entry will give you the desired effect.

    This article might help shed some light on the problem

    "The evaluation starts at the child and checks the permissions at that level before continuing up the tree. This process goes level by level until one of three things happen:

    If the evaluation finds a Deny for the requested action, the evaluation stops and the action is denied.
    If the evaluation finds an Allow for the requested action, the evaluation stops and the action is allowed.
    If the evaluation made it to the top of the tree and the action does not have an Allow or Deny permission specified, the action is still denied."

    Expert Comment

    Why not just go into the advanced options and select Deny for "Delete" on the file for the TestAccount? I did the exact same thing you did; the only thing I did differently was go into the advanced set of NTFS permissions and tick Deny for "Delete". This is of course on the file itself and not the folder.

    Remember, Deny takes precedence over anything if it's checked.

    Also, if you share the folder, give Everyone Full Control on the share permissions and set the actual permissions via the NTFS tab. The most restrictive permissions will take precedence and will therefore be the ones in effect.



    Expert Comment

    Well, the way it works is that if you give "Full Control" to the user at the folder level, then the user automatically gets the delete permission on the file. So when you have assigned "testaccount" full permission to the folder, go to Advanced, highlight that user, click "Edit" and Deny the Delete permission, and do the rest the same as you are doing...

    Hope it works...

    Author Comment

    mdiglio, you solved my problems again. How would it be possible to know that M$ made the settings so difficult to control?

    Now to explain what I did, and what worked:

    As long as the user has full control over the parent library, it doesn't matter what settings you change on the files in that folder; the user will be able to delete them, even with "deny" permissions.

    The trick is to give the user all permissions except full control in the parent library; then you are able to write-protect files in the folder. However, two things to remember:

    1) If the user is the owner of either the file or of the parent folder that the user has access to, it is possible for the user to reset the permissions.
    2) If the user is an administrator it seems that the user can take ownership no matter what, and reset the permissions.

    I learned most of it from trying myself and from mdiglio's links, thx.
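The fix from the accepted solution and the author's follow-up, as an added PowerShell example that is not part of the original thread: it rebuilds the c:\testfolder scenario but grants Testaccount Modify on the folder instead of Full Control, which is exactly "everything except Full Control" in the XP/2003 Security tab and omits the hidden File Delete Child right (DeleteSubdirectoriesAndFiles), so the Read-only ACE on test.txt actually holds. The local account names Mainaccount and Testaccount are assumed, and the script is assumed to run from an elevated prompt.

```powershell
# Added example, not from the original thread. Assumes local accounts Mainaccount
# and Testaccount exist and that this runs from an elevated PowerShell prompt.
$folder = 'C:\testfolder'
$file   = Join-Path $folder 'test.txt'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -Path $file -Value 'constructed sample content'

$main    = "$env:COMPUTERNAME\Mainaccount"
$test    = "$env:COMPUTERNAME\Testaccount"
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Modify = Full Control without DeleteSubdirectoriesAndFiles (the "File Delete Child" right
# the thread is about), ChangePermissions and TakeOwnership. With FDC on the parent, the
# file's own ACL cannot stop a delete; without ChangePermissions the user cannot grant it back.
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$modify      = [System.Security.AccessControl.FileSystemRights]::Modify
$fdc         = [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

function Set-ExplicitAcl {
    param([string]$Path, [System.Security.AccessControl.FileSystemAccessRule[]]$Rules)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # "remove inheritance", discard inherited ACEs
    foreach ($r in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($r) }
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl
}

# Folder: Mainaccount keeps Full Control, Testaccount gets Modify (no File Delete Child).
Set-ExplicitAcl -Path $folder -Rules @(
    New-Object System.Security.AccessControl.FileSystemAccessRule($main, $fullControl, $inherit, $prop, $allow)
    New-Object System.Security.AccessControl.FileSystemAccessRule($test, $modify, $inherit, $prop, $allow)
)

# File: same steps as the question, Testaccount gets Read only. This ACE now decides the delete.
Set-ExplicitAcl -Path $file -Rules @(
    New-Object System.Security.AccessControl.FileSystemAccessRule($main, $fullControl, $allow)
    New-Object System.Security.AccessControl.FileSystemAccessRule($test, [System.Security.AccessControl.FileSystemRights]::Read, $allow)
)

# Audit: list every Allow ACE on the parent that still carries the File Delete Child bit.
# Any principal shown here can delete test.txt regardless of the file's own permissions.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights) -band [int]$fdc) } |
    Select-Object IdentityReference, FileSystemRights
```

After running it, the audit should list only Mainaccount; logging on as Testaccount and trying to delete test.txt is then refused, while the author's caveat about owners and administrators still applies.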

