Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Inherited Special Permissions in 2003 not Pushed to New Documents

Posted on 2009-04-06
Medium Priority
Last Modified: 2012-05-06
We have folders that certain people have special permissions too.  As in they can add files and folders to the folder, but they can't delete anything.  So this group has allow and deny special permissions.  The systems, and admin groups have full control, along with a couple of other individuals.  The folder and the documents in the folder are working the way we want.  But when someone creates a folder and adds a document in that folder, the document only shows system and admin as the only people that have rights to do anything with that document.  I ran the "Replace Permissions on childern" and that didn't do anything.  I would need to delete the permissions and redo them.  Also the new folder that has the document has the correct inherited permissions.  
Am I missing something with setting the permissions, or do I need to set permissions everytime someone puts a new folder out that with documents.

Question by:cjgalvin
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 15

Expert Comment

ID: 24078258
It sounds like the permissions are applied only to "This folder and files" instead of "this folder, subfolder, and files" or "subfolder and files only".

So the users need modify on the subfolders and files.  Deny permissions are tricky, because they take precedence over everything except explicit permissions.  So if you give deny to domain users, then domain users won't have access even if they're in a group that has inherited allow permissions.

So, look in the advanced permissions, and at the properties of one of those permissions, and you'll see the drop down that has options for "this folder only, this folder and subfolders, etc."


Author Comment

ID: 24078632
Thanks for the response.  I looked at the options.  On the parent folder they are all set to "This folder, subfolders, and Files".  But when I create a subfolder the same settings are now set to "This Folder only", and it is greyed out.  The only ones that have access to subfolders and files is the ones that have full control(systems and admin).  I'm using a global group to set the permissions.  For deny I selected "delete" and "delete subfolders and files", and I selected modify to allow instead of the special permissions.
LVL 15

Expert Comment

ID: 24079063
I recommend against using the deny permissions, they tend to cause more headaches than their worth.  It's better to set read-only permissions, unless you have a specific reason.  

Can you take a screenshot of the advanced permissions on the parent folder and on a sub folder?  Feel free to black out user/domain names, etc.
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 24079877
I would like to just use read-only, but the users need to be able to move files to the folders, but not delete them, or edit them.  It looks like special permissions don't get pushed all the way down.  I would have to edit the permissions everytime a subfolder is created.  

So I guess my next question would be, Do you know of a way users can add but not edit or delete to all subfolders?

Thanks Again.  
LVL 15

Accepted Solution

zelron22 earned 1000 total points
ID: 24080054
They should, as long as the "apply onto" and inheritance are set right.  If you post a screenshot of both a parent folder and sub folder, I can probably see the problem.

Author Comment

ID: 24080056
I figured it out.  I set modify in Security.  Then went into advanced and removed write attributes and delete.  Then pushed it down to subfolders.  This worked.  You were right, that deny option was the problem.  Thanks again for you help.
LVL 15

Expert Comment

ID: 24080079
The create file / write data permission should allow them to create files but not modify them.

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question