Windows Security Inheritable Permissions Question

tallboy755
Let me explain what I am trying to do in a simple form. Let's say I have a drive that Joe Blow (Active Directory user) has FULL CONTROL of. I then create a folder called "Top Level Folder" and the drive permissions are inherited from the drive to that folder, so now Joe Blow has full control of that folder.

I now create a folder called "Second Level Folder". This folder is a subfolder of "Top Level Folder", so again permissions are inherited, but this time I don't want them to be. So I go to the advanced security tab, uncheck "allow inheritable permissions..." and reduce Joe Blow to read only on that folder.

Now this is what I cannot figure out. I create a folder called "Third Level Folder", which is a subfolder of "Second Level Folder". Now I want Joe Blow to again have full control of that folder and its subfolders, to be able to do as he pleases.... If I use inherited permissions, it will transfer them from "Second Level Folder", which will restrict Joe Blow. I see a place in advanced security for "inherited from", but I cannot figure out where that is set.

I'm sure it's a simple answer, so hit me with it :)
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

You cannot skip a level like that with inheritance; you would have to explicitly define permissions for him on the third level folder.

Perhaps an alternative approach is to create an explicit Deny (applied to the current folder / files only) on the Second Level Folder. Then you can allow inheritance on Second Level Folder and won't have to worry about Third Level.

Kind of confusing arranged like that though ;)

Chris
Inherited from is read-only. If you haven't blocked inheritance, then level 3 could potentially have inherited permissions from the top level folder or the level 2 folder; this field tells you where to go to modify those permissions.

Your only option in this case is to allocate Joe permissions at level 3 again.
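The "Inherited from" column Chris describes is read-only in the GUI, and Get-Acl does not expose it directly either. The following is an added example (not code from the thread or from any of its participants) that reconstructs it: for each inherited ACE on a folder it walks up the parent chain until it finds the same identity, type and rights as a non-inherited, inheritable entry, which is the folder where that permission has to be edited. The path and the account name 'DOMAIN\Joe' are placeholders.

```powershell
# Added example, not from the thread: resolve "Inherited from" for a folder's ACEs.
# Assumptions: $Path and $Identity below are placeholders; run on the file server itself.
function Get-AceOrigin {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Identity              # optional filter, e.g. 'DOMAIN\Joe'
    )
    $aces = (Get-Acl -LiteralPath $Path).Access
    if ($Identity) {
        $aces = $aces | Where-Object { $_.IdentityReference.Value -eq $Identity }
    }

    foreach ($ace in $aces) {
        $origin = $null
        if ($ace.IsInherited) {
            # Walk up until the same rule appears as an explicit (non-inherited) ACE
            # that is marked inheritable; that folder is where the GUI lets you edit it.
            $parent = Split-Path -LiteralPath $Path -Parent
            while ($parent) {
                $match = (Get-Acl -LiteralPath $parent).Access | Where-Object {
                    -not $_.IsInherited -and
                    $_.IdentityReference.Value -eq $ace.IdentityReference.Value -and
                    $_.AccessControlType -eq $ace.AccessControlType -and
                    $_.FileSystemRights -eq $ace.FileSystemRights -and
                    $_.InheritanceFlags -ne 'None'
                }
                if ($match) { $origin = $parent; break }
                $parent = Split-Path -LiteralPath $parent -Parent   # '' at the drive root ends the loop
            }
        }
        [pscustomobject]@{
            Path          = $Path
            Identity      = $ace.IdentityReference.Value
            Type          = $ace.AccessControlType
            Rights        = $ace.FileSystemRights
            IsInherited   = $ace.IsInherited
            # Rights are compared exactly; GUI-created generic rights can surface as numeric
            # values on the inherited copy, in which case the origin is reported as not found.
            InheritedFrom = if (-not $ace.IsInherited) { '(explicit on this folder)' }
                            elseif ($origin)            { $origin }
                            else                        { '(not found: ancestor blocks inheritance or uses generic rights)' }
        }
    }
}

# Usage with the thread's layout (placeholder path and account):
Get-AceOrigin -Path 'D:\Top Level Folder\Second Level Folder\Third Level Folder' -Identity 'DOMAIN\Joe' |
    Format-Table -AutoSize
```

Run it against the third level folder before and after disabling inheritance on the second level: an entry whose InheritedFrom points at the drive root is what Jan refers to below as every folder "inheriting from D:".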
Jan Vojtech Vanicek, IT Specialist

Commented:
You can, on the 2nd folder, click the checkbox "allow subfolders to inherit from this folder..." (the second checkbox). This will remake all security settings from the 2nd folder...

Author

Commented:
RE: Chris-Dent

Denies always overrule an allow right?

That would probably work. Let me check!
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

Yes, it should. An explicit deny will take precedence over implicit (inherited) allow.

Chris
Jan Vojtech Vanicek, IT Specialist

Commented:
The selected checkbox... But if the user has full access to the up-level folder, I think that he can override the rights and escalate them to full access... you must set him to Modify... and he cannot have rights to take ownership; in that case he can modify it also.
[screenshot: rights.png]
Jan Vojtech Vanicek, IT Specialist

Commented:
Also take a look at the "inherited from" column... that is the problem... the 1st, 2nd and 3rd folders all have the primary setup to inherit from D: (or your drive letter); you can modify it with the checkbox I'm talking about.

Author

Commented:
The deny override is not working. I HATE windows security.

If I add a deny and go to advanced to check "Full Control", the user cannot even access "Second Level Folder"... If I leave all other denies checked (delete, modify, execute) but ONLY uncheck "full control", the user can now rename or delete "Second Level Folder" and all its subfolders.
Jan Vojtech Vanicek, IT Specialist

Commented:
For users you cannot allow FULL ACCESS...

If someone has FULL ACCESS he can change everything... Propagating the DENY rights is the last possible way!

Try to set it up through "inherit from"; it is more logical...
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

The trick is to only deny the things you want to prevent from happening. Full Control is a composite right, it's everything at once, so you won't be able to deny Full Control and maintain read access.

It'll be something like this:

Top Level Folder:
  Joe - Allow: Modify (Set to apply to all Folders, SubFolder and Files)

Second Level Folder:
  Joe - Allow: Modify (Inherited)
  Joe - Deny: Write (Current Folder and Files only)

Third Level Folder:
  Joe - Allow: Modify (Inherited)

Assigning Full Control to any of those will mean the user can undo the permission change (Change Permission / Take Ownership right). So Modify is much more appropriate.

Chris
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

Just to be clear, you might find it better to add the access control entry on the Second Level via the advanced dialog. Then you know exactly which things you're denying, rather than the combined rights the main security box shows (Modify, Write, etc.).

NTFS permissions make sense if you spend long enough glaring at them ;)

Chris
Jan Vojtech Vanicek, IT Specialist

Commented:
Forget the deny rights! Just play with the "inherit from" information in advanced settings; see my screenshots. It is less painful.

Author

Commented:
Sheesh, I cannot find the perfect mix.

I DO NOT want users to be able to rename or delete "Second Level Folder", but I do want them to be able to create and delete subfolders inside "Second Level Folder". It seems that even in the advanced settings, although there are a lot of options to deny, the end result is that my user can either delete "Second Level Folder" and its subfolders, or they get "access denied" upon trying to enter "Second Level Folder".
Chris Dent, PowerShell Developer
Top Expert 2010
Commented:

Expanding on the above, this is the Modify composite right:

Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Create Files / Write Data
Create Folders / Append Data
Write Attributes
Write Extended Attributes
Delete
Read Permissions

To prevent modification of files (or addition / deletion of files) on the second level, these must be set to Deny (via addition of a new Access Control Entry rather than just ticking Deny on the existing rule):

Create Files / Write Data
Create Folders / Append Data
Write Attributes
Write Extended Attributes
Delete

That leaves the user with these effective rights on the second level:

Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Read Permissions

The third level will be unaffected as long as the new ACL only applies to "This folder and Files".

It is high maintenance; Vanikcz is certainly right about that. However, I consider knowing how this works quite valuable, as then you can make your own decisions about how you secure file systems.

Chris
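Chris's two comments above (the Modify / Deny-Write layout, and the per-right breakdown of what to deny on the second level) can be applied without clicking through the advanced dialog. The following is an added example, not code from the thread or from any participant, that builds the three folders and sets the ACEs with Get-Acl / Set-Acl. The root path and the account name 'DOMAIN\Joe' are placeholders. It keeps Joe at Modify rather than Full Control at the top, for the reason Chris and Jan both give: Full Control carries ChangePermissions, TakeOwnership and DeleteSubdirectoriesAndFiles, and any of those lets the user undo or bypass the deny on the second level (DeleteSubdirectoriesAndFiles on the parent is enough to delete the child folder regardless of a Delete deny on it).

```powershell
# Added example, not from the thread: Chris Dent's layout applied with PowerShell.
# Assumptions: $Root and $User are placeholders; run as an administrator on the server.
$Root = 'D:\'            # assumed drive or share root
$User = 'DOMAIN\Joe'     # assumed account (Joe Blow)

$Top    = Join-Path $Root   'Top Level Folder'
$Second = Join-Path $Top    'Second Level Folder'
$Third  = Join-Path $Second 'Third Level Folder'
New-Item -ItemType Directory -Path $Third -Force | Out-Null

# Shorthand for the .NET enum types FileSystemAccessRule takes
$FSR = [System.Security.AccessControl.FileSystemRights]
$IF  = [System.Security.AccessControl.InheritanceFlags]
$PF  = [System.Security.AccessControl.PropagationFlags]

function Add-Ace {
    param([string]$Path, [string]$Identity, $Rights, $Inherit, $Propagate, [string]$Type)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $Identity, $Rights, $Inherit, $Propagate, $Type)
    $acl.AddAccessRule($rule)          # Set-Acl writes the DACL back in canonical order
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Top Level: Allow Modify, "This folder, subfolders and files" (CI + OI).
Add-Ace $Top $User $FSR::Modify ($IF::ContainerInherit -bor $IF::ObjectInherit) $PF::None 'Allow'

# Second Level: Deny exactly the five rights from Chris's list, "This folder and files".
# ObjectInherit alone covers the folder itself and the files directly in it.
# NoPropagateInherit matters: without it, Windows hands subfolders an inherit-only copy of an
# OI-only ACE so it reaches their files too, which would put the deny on files in Third Level.
$denyRights = $FSR::CreateFiles -bor $FSR::CreateDirectories -bor $FSR::WriteAttributes -bor
              $FSR::WriteExtendedAttributes -bor $FSR::Delete
Add-Ace $Second $User $denyRights $IF::ObjectInherit $PF::NoPropagateInherit 'Deny'

# Third Level: nothing to set; it keeps the inherited Allow Modify from Top Level.

# Verify. IsInherited plus the two flag columns are what the GUI renders as
# "Inherited from" and "Apply to"; Joe should show Allow Modify (inherited) on all three
# levels and the explicit Deny only on Second Level.
function Get-UserAces([string]$Path, [string]$Identity) {
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object @{ n = 'Path'; e = { $Path } }, AccessControlType, FileSystemRights,
                      IsInherited, InheritanceFlags, PropagationFlags
}
$Top, $Second, $Third | ForEach-Object { Get-UserAces $_ $User } | Format-Table -AutoSize
```

Because Joe only has Modify at the top, the Delete deny on "Second Level Folder" blocks both deleting and renaming it (a rename needs Delete on the object). If you also want him to create subfolders inside it, as the author asks later in the thread, drop CreateDirectories from $denyRights; he can then delete those subfolders through the Delete he inherits on them from Top Level.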
