Solved

Inherited Special Permissions in 2003 not Pushed to New Documents

Posted on 2009-04-06
7
260 Views
Last Modified: 2012-05-06
We have folders that certain people have special permissions too.  As in they can add files and folders to the folder, but they can't delete anything.  So this group has allow and deny special permissions.  The systems, and admin groups have full control, along with a couple of other individuals.  The folder and the documents in the folder are working the way we want.  But when someone creates a folder and adds a document in that folder, the document only shows system and admin as the only people that have rights to do anything with that document.  I ran the "Replace Permissions on childern" and that didn't do anything.  I would need to delete the permissions and redo them.  Also the new folder that has the document has the correct inherited permissions.  
Am I missing something with setting the permissions, or do I need to set permissions everytime someone puts a new folder out that with documents.

Thanks,
Chris
0
Comment
Question by:cjgalvin
  • 4
  • 3
7 Comments
 
LVL 15

Expert Comment

by:zelron22
ID: 24078258
It sounds like the permissions are applied only to "This folder and files" instead of "this folder, subfolder, and files" or "subfolder and files only".

So the users need modify on the subfolders and files.  Deny permissions are tricky, because they take precedence over everything except explicit permissions.  So if you give deny to domain users, then domain users won't have access even if they're in a group that has inherited allow permissions.

So, look in the advanced permissions, and at the properties of one of those permissions, and you'll see the drop down that has options for "this folder only, this folder and subfolders, etc."

0
 

Author Comment

by:cjgalvin
ID: 24078632
Thanks for the response.  I looked at the options.  On the parent folder they are all set to "This folder, subfolders, and Files".  But when I create a subfolder the same settings are now set to "This Folder only", and it is greyed out.  The only ones that have access to subfolders and files is the ones that have full control(systems and admin).  I'm using a global group to set the permissions.  For deny I selected "delete" and "delete subfolders and files", and I selected modify to allow instead of the special permissions.
0
 
LVL 15

Expert Comment

by:zelron22
ID: 24079063
I recommend against using the deny permissions, they tend to cause more headaches than their worth.  It's better to set read-only permissions, unless you have a specific reason.  

Can you take a screenshot of the advanced permissions on the parent folder and on a sub folder?  Feel free to black out user/domain names, etc.
0
 

Author Comment

by:cjgalvin
ID: 24079877
I would like to just use read-only, but the users need to be able to move files to the folders, but not delete them, or edit them.  It looks like special permissions don't get pushed all the way down.  I would have to edit the permissions everytime a subfolder is created.  

So I guess my next question would be, Do you know of a way users can add but not edit or delete to all subfolders?

Thanks Again.  
0
 
LVL 15

Accepted Solution

by:
zelron22 earned 250 total points
ID: 24080054
They should, as long as the "apply onto" and inheritance are set right.  If you post a screenshot of both a parent folder and sub folder, I can probably see the problem.
0
 

Author Comment

by:cjgalvin
ID: 24080056
OK,
I figured it out.  I set modify in Security.  Then went into advanced and removed write attributes and delete.  Then pushed it down to subfolders.  This worked.  You were right, that deny option was the problem.  Thanks again for you help.
0
 
LVL 15

Expert Comment

by:zelron22
ID: 24080079
The create file / write data permission should allow them to create files but not modify them.
0

Join & Write a Comment

Installing a printer using group policy preferences is not that hard let’s take a look at it. First lets open up your group policy console and edit the policy you want to add it to. I recommend creating a new policy for each printer makes it a l…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now