User without delete permissions can still delete files
Posted on 2009-03-31
We are running Windows 2000 Server (soon to be upgraded) and have what seems like a simple process to implement.
We have digital photos that we need to keep in a directory structure like this
(I've never posted on here so I don't know if this will be mangled)
jpg files go here
jpg files go here
same as above
Users should be able to create new folders under A and B (i.e. 0003 and so on) and put files in them.
Every 15 minutes I want to run a script that makes all of the files and directories under A and B "read only", meaning that they can't be deleted or moved without getting an admin involved.
The permissions on "Digital Photos" are set for "Domain Users" to have all but:
Another group and the Administrators group have full control.
A and B inherit permissions.
My script uses cacls to hit all of the FILES (selected using FORFILES testing @ISDIR for files) and does the following cacls on them in 2 passes:
/E /R "Domain Users"
/E /G "Domain Users":R
This seems like it should work; the effective permissions for a test user show only:
Traverse Folder / Execute File
List Folder / Read Data
Read Extended Attributes
BUT the user can still delete the files in the 0001 level directories that they create.
I have tried setting the owner of the file to Administrator.
I have tried breaking inheritance at the 0001 directory level to eliminate the permissions from the A and B directories.
I have tried using cacls to change the permissions on the 0001 directory to the same as the individual files using cacls as above so the directory isn't inheriting anything from higher levels.
All of these have no noticeable effect on the "effective permissions" when the test user hits the share (except for the change of ownership).
BUT The test user can STILL delete the files without so much as a warning.
I'm scratching my head at this point; anybody have any ideas?
Everything says I should not be able to delete the files as a "Domain Users" member, but my test user is always able to...
I'm sure I'm missing something obvious....
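The check a practitioner would want to run here is not the file's Effective Permissions tab but the full NTFS delete rule: Windows lets a caller delete a file when the caller holds DELETE on the file itself or FILE_DELETE_CHILD ("Delete Subfolders and Files") on the directory that contains it, and the Effective Permissions tab only evaluates the first of those. The model below is an added example, not code from the post; it uses the numeric right values Windows defines, but the ACEs, the `testuser` account and its group set are constructed to mirror the posted layout (a photo folder 0001 created by the user, then the two cacls passes over the files). `delete_grants` reports every path that permits deletion, so it can be applied object by object; for it to be meaningful the token set must list every group the real test account belongs to, including any unnamed group that holds Full Control.

```python
"""Model of the NTFS file-delete check: DELETE on the file, or
FILE_DELETE_CHILD on the parent directory. Constructed example; the ACLs
below are invented to mirror the posted setup, not read from a real server."""
from dataclasses import dataclass
from enum import IntFlag


class Right(IntFlag):
    """File/directory specific rights with the numeric values Windows uses."""
    FILE_READ_DATA = 0x1           # "List Folder / Read Data"
    FILE_WRITE_DATA = 0x2          # "Create Files / Write Data"
    FILE_APPEND_DATA = 0x4         # "Create Folders / Append Data"
    FILE_READ_EA = 0x8             # "Read Extended Attributes"
    FILE_WRITE_EA = 0x10
    FILE_EXECUTE = 0x20            # "Traverse Folder / Execute File"
    FILE_DELETE_CHILD = 0x40       # "Delete Subfolders and Files" (directories)
    FILE_READ_ATTRIBUTES = 0x80
    FILE_WRITE_ATTRIBUTES = 0x100
    DELETE = 0x10000               # "Delete"
    READ_CONTROL = 0x20000         # "Read Permissions"
    WRITE_DAC = 0x40000            # "Change Permissions"
    WRITE_OWNER = 0x80000          # "Take Ownership"
    SYNCHRONIZE = 0x100000


FULL_CONTROL = Right(0x1F01FF)     # FILE_ALL_ACCESS
# Read-type rights, approximating what the post's cacls ":R" pass leaves behind.
READ = (Right.READ_CONTROL | Right.FILE_READ_DATA | Right.FILE_READ_ATTRIBUTES
        | Right.FILE_READ_EA | Right.FILE_EXECUTE | Right.SYNCHRONIZE)


@dataclass
class Ace:
    principal: str
    rights: Right
    allow: bool = True


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: list   # assumed in canonical order: deny entries before allow entries


def effective_rights(sd: SecurityDescriptor, token: set) -> Right:
    """Rights this object's own DACL grants to a token (user plus its groups)."""
    allowed, denied = 0, 0
    for ace in sd.dacl:
        if ace.principal not in token:
            continue
        if ace.allow:
            allowed |= int(ace.rights) & ~denied
        else:
            denied |= int(ace.rights)
    if sd.owner in token:          # the owner may always read and change the DACL
        allowed |= int(Right.READ_CONTROL | Right.WRITE_DAC)
    return Right(allowed)


def delete_grants(file_sd, parent_sd, token):
    """Every path that lets `token` delete the file. Windows accepts either;
    the file's Effective Permissions tab only ever evaluates the first."""
    reasons = []
    if effective_rights(file_sd, token) & Right.DELETE:
        reasons.append("DELETE on file")
    if effective_rights(parent_sd, token) & Right.FILE_DELETE_CHILD:
        reasons.append("FILE_DELETE_CHILD on parent directory")
    return reasons


# Constructed token: the test user is only in Domain Users, not in any
# group that holds Full Control.
TOKEN = {"testuser", "Domain Users"}

# Constructed: folder 0001 was created by testuser, so the inheritable
# CREATOR OWNER entry became an explicit Full Control ACE for that user.
FOLDER_AS_CREATED = SecurityDescriptor(
    owner="testuser",
    dacl=[Ace("testuser", FULL_CONTROL), Ace("Administrators", FULL_CONTROL)])

# Constructed: a photo after the two cacls passes from the post
# (/E /R "Domain Users", then /E /G "Domain Users":R) and an ownership reset.
PHOTO_AFTER_SCRIPT = SecurityDescriptor(
    owner="Administrator",
    dacl=[Ace("Domain Users", READ), Ace("Administrators", FULL_CONTROL)])

# Constructed: the folder rewritten so no non-admin entry carries DELETE or
# FILE_DELETE_CHILD, while users can still add files and subfolders to it.
FOLDER_LOCKED = SecurityDescriptor(
    owner="Administrator",
    dacl=[Ace("Domain Users", READ | Right.FILE_WRITE_DATA | Right.FILE_APPEND_DATA),
          Ace("Administrators", FULL_CONTROL)])


def as_posted():
    return delete_grants(PHOTO_AFTER_SCRIPT, FOLDER_AS_CREATED, TOKEN)


def after_locking_folder():
    return delete_grants(PHOTO_AFTER_SCRIPT, FOLDER_LOCKED, TOKEN)


if __name__ == "__main__":
    print("as posted:", as_posted() or "cannot delete")
    print("folder locked too:", after_locking_folder() or "cannot delete")
```

In the first scenario the file's own DACL grants no DELETE at all, which is exactly what the Effective Permissions tab shows, yet `delete_grants` still returns the parent-directory path. The second scenario shows the directory ACL a locking script would need to write alongside the file ACLs; if a real account can still delete after that, the remaining place to look is the token itself, since any additional group membership that carries Full Control appears in this model only if it is included in `TOKEN`.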