Inherited Special Permissions in 2003 not Pushed to New Documents

We have folders that certain people have special permissions to. As in, they can add files and folders to the folder, but they can't delete anything. So this group has allow and deny special permissions. The systems and admin groups have full control, along with a couple of other individuals. The folder and the documents in the folder are working the way we want. But when someone creates a folder and adds a document in that folder, the document only shows system and admin as the only people that have rights to do anything with that document. I ran the "Replace Permissions on children" and that didn't do anything. I would need to delete the permissions and redo them. Also, the new folder that has the document has the correct inherited permissions.
Am I missing something with setting the permissions, or do I need to set permissions every time someone puts a new folder out there with documents?

Thanks,
Chris

zelron22 Commented:
It sounds like the permissions are applied only to "This folder and files" instead of "this folder, subfolder, and files" or "subfolder and files only".

So the users need modify on the subfolders and files.  Deny permissions are tricky, because they take precedence over everything except explicit permissions.  So if you give deny to domain users, then domain users won't have access even if they're in a group that has inherited allow permissions.

So, look in the advanced permissions, and at the properties of one of those permissions, and you'll see the drop down that has options for "this folder only, this folder and subfolders, etc."

cjgalvin (Author) Commented:
Thanks for the response. I looked at the options. On the parent folder they are all set to "This folder, subfolders, and Files". But when I create a subfolder the same settings are now set to "This Folder only", and it is greyed out. The only ones that have access to subfolders and files are the ones that have full control (systems and admin). I'm using a global group to set the permissions. For deny I selected "delete" and "delete subfolders and files", and I selected modify to allow instead of the special permissions.

zelron22 Commented:
I recommend against using the deny permissions; they tend to cause more headaches than they're worth. It's better to set read-only permissions, unless you have a specific reason.

Can you take a screenshot of the advanced permissions on the parent folder and on a sub folder?  Feel free to black out user/domain names, etc.

cjgalvin (Author) Commented:
I would like to just use read-only, but the users need to be able to move files to the folders, but not delete them, or edit them. It looks like special permissions don't get pushed all the way down. I would have to edit the permissions every time a subfolder is created.

So I guess my next question would be, do you know of a way users can add but not edit or delete to all subfolders?

Thanks Again.  

zelron22 Commented:
They should, as long as the "apply onto" and inheritance are set right.  If you post a screenshot of both a parent folder and sub folder, I can probably see the problem.

cjgalvin (Author) Commented:
OK,
I figured it out. I set modify in Security. Then went into advanced and removed write attributes and delete. Then pushed it down to subfolders. This worked. You were right, that deny option was the problem. Thanks again for your help.

zelron22 Commented:
The create file / write data permission should allow them to create files but not modify them.
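
How the "apply onto" setting and inheritance discussed in this thread carry a permission entry from a parent folder to a new subfolder and to files inside it, as an added example that is not part of the original posts. It is a simplified Python model of the NTFS inheritance flags; the function names are hypothetical, and it covers propagation only, not which rights an entry grants or how allow and deny entries are ordered.

```python
# Added example: simplified model of NTFS ACE inheritance flags (not from the thread).
OI, CI, NP, IO = 1, 2, 4, 8  # object inherit, container inherit, no-propagate, inherit-only

APPLY_ONTO = {  # "Apply onto" choices in the advanced permissions dialog -> ACE flags
    "This folder only": 0,
    "This folder, subfolders and files": OI | CI,
    "This folder and subfolders": CI,
    "This folder and files": OI,
    "Subfolders and files only": OI | CI | IO,
    "Subfolders only": CI | IO,
    "Files only": OI | IO,
}
LABEL = {flags: name for name, flags in APPLY_ONTO.items()}

def inherit_to_subfolder(flags):
    """Flags the ACE carries on a new subfolder, or None if it is not inherited."""
    if flags & NP:
        # One level only: the subfolder keeps the ACE only if it applies to
        # folders, and every inheritance flag is cleared so it goes no further.
        return 0 if flags & CI else None
    if flags & CI:
        return flags & ~IO   # effective on the subfolder and keeps propagating
    if flags & OI:
        return OI | IO       # passed through for files, not effective on the folder
    return None

def inherit_to_file(flags):
    """True if a new file created directly in the folder receives the ACE."""
    return bool(flags & OI)

def trace(apply_onto, this_container_only=False):
    """Return (label shown on a new subfolder, whether a file in it gets the ACE).

    this_container_only models the checkbox "Apply these permissions to objects
    and/or containers within this container only" (the no-propagate flag).
    """
    flags = APPLY_ONTO[apply_onto] | (NP if this_container_only else 0)
    sub = inherit_to_subfolder(flags)
    if sub is None:
        return ("not inherited", False)
    return (LABEL[sub], inherit_to_file(sub))

if __name__ == "__main__":
    for name in APPLY_ONTO:
        for one_level in (False, True):
            print(f"{name!r:40} one-level-only={one_level!s:5} -> {trace(name, one_level)}")
```

In this model, a parent entry set to "This folder, subfolders and files" with the one-level-only checkbox ticked appears on a new subfolder as an inherited "This folder only" entry and does not reach files created inside that subfolder.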