Inherited Special Permissions in 2003 not Pushed to New Documents

Posted on 2009-04-06
Last Modified: 2012-05-06
We have folders that certain people have special permissions too.  As in they can add files and folders to the folder, but they can't delete anything.  So this group has allow and deny special permissions.  The systems, and admin groups have full control, along with a couple of other individuals.  The folder and the documents in the folder are working the way we want.  But when someone creates a folder and adds a document in that folder, the document only shows system and admin as the only people that have rights to do anything with that document.  I ran the "Replace Permissions on childern" and that didn't do anything.  I would need to delete the permissions and redo them.  Also the new folder that has the document has the correct inherited permissions.  
Am I missing something with setting the permissions, or do I need to set permissions everytime someone puts a new folder out that with documents.

Question by:cjgalvin
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 15

Expert Comment

ID: 24078258
It sounds like the permissions are applied only to "This folder and files" instead of "this folder, subfolder, and files" or "subfolder and files only".

So the users need modify on the subfolders and files.  Deny permissions are tricky, because they take precedence over everything except explicit permissions.  So if you give deny to domain users, then domain users won't have access even if they're in a group that has inherited allow permissions.

So, look in the advanced permissions, and at the properties of one of those permissions, and you'll see the drop down that has options for "this folder only, this folder and subfolders, etc."


Author Comment

ID: 24078632
Thanks for the response.  I looked at the options.  On the parent folder they are all set to "This folder, subfolders, and Files".  But when I create a subfolder the same settings are now set to "This Folder only", and it is greyed out.  The only ones that have access to subfolders and files is the ones that have full control(systems and admin).  I'm using a global group to set the permissions.  For deny I selected "delete" and "delete subfolders and files", and I selected modify to allow instead of the special permissions.
LVL 15

Expert Comment

ID: 24079063
I recommend against using the deny permissions, they tend to cause more headaches than their worth.  It's better to set read-only permissions, unless you have a specific reason.  

Can you take a screenshot of the advanced permissions on the parent folder and on a sub folder?  Feel free to black out user/domain names, etc.
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!


Author Comment

ID: 24079877
I would like to just use read-only, but the users need to be able to move files to the folders, but not delete them, or edit them.  It looks like special permissions don't get pushed all the way down.  I would have to edit the permissions everytime a subfolder is created.  

So I guess my next question would be, Do you know of a way users can add but not edit or delete to all subfolders?

Thanks Again.  
LVL 15

Accepted Solution

zelron22 earned 250 total points
ID: 24080054
They should, as long as the "apply onto" and inheritance are set right.  If you post a screenshot of both a parent folder and sub folder, I can probably see the problem.

Author Comment

ID: 24080056
I figured it out.  I set modify in Security.  Then went into advanced and removed write attributes and delete.  Then pushed it down to subfolders.  This worked.  You were right, that deny option was the problem.  Thanks again for you help.
LVL 15

Expert Comment

ID: 24080079
The create file / write data permission should allow them to create files but not modify them.

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This article explains the steps required to use the default Photos screensaver to display branding/corporate images
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question