PC Review



Deny deletion of a folder

 
 
Netmasker
      4th Oct 2003
On my Windows 2000 workstations I want my users to have the following access
on a specific folder e.g. named "test" (This folder has no subfolders and
files yet but the permissions will also concern the future ones):

Administrators: Full Control (ok that's easy)

Authenticated Users will:
- have Read & Execute permissions on the folder
- have Full Control on future subfolders and files
- not be able to delete or rename the folder "test"

Can this be done with the command "cacls" ? How can I deny deletion of a
folder with "cacls" ??

If "cacls" can not be used can any one spend one minute and tell me how can
I achieve this using NTFS permissions ???

p.s. I understand everything about special permissions and inheritance in
the advanced tab etc. but denying deletion of the folder "test" itself does
not work even if I set this in the advanced tab:
"Apply onto: This folder only - Deny - Delete". Despite this setting my
users CAN delete the folder "test"! What am I doing wrong?

Thanks in advance







 
Steven L Umbach
      4th Oct 2003
On the main security page give administrators full control and users
read/list/execute. Then go into advanced permissions page. Select add, select the
users group, in apply onto select subfolders and files only, then check allow for all
permissions. Hit OK and you should have the permissions you want. -- Steve

Netmasker
      12th Oct 2003
Thanks Steven but I have done this many times and it doesn't work. Please
spend a minute to TRY IT YOURSELF (and anyone else) and you will see that IT
DOES NOT WORK. 'Users' are able to delete the folder "test" and they can't
create any subfolders and files in it!!! It does not seem logical but that is
the case!
I think that the problem is that there are no subfolders and files created
yet inside the folder "test".
Please TRY IT before proposing something else.

Any other help is appreciated

Steven L Umbach
      12th Oct 2003
I have done it numerous times before, but I apologize because I see my recommendation
was wrong. I just need to modify my recommendation by saying that users will need
read/list/execute/write permissions on the main security page. They must have write
permissions to the folder to be able to create subfolders/files, but that will not
allow them to delete the main folder you refer to as test [assuming a regular user is
not owner also]. After you set it up double check the advanced permissions to make
sure that delete is not selected for users for any special permission that includes
"folder". Also make sure your test user is only a member of the users group. I did
just test my recommendation again by creating a folder while logged on as
administrator with the said permissions. When I logged on as a regular user I was
able to create/delete subfolders and files but not delete the root folder where I set
permissions. Keep in mind that with ntfs permissions an explicit allow overrides an
inherited deny. --- Steve

Netmasker
      16th Oct 2003
I have figured out the problem but not the solution!

The problem is that my folder "test" IS UNDER THE ROOT DIRECTORY (C:\) and
even the 'explicit deny deletion' of the folder "test" does not work for the
'users' (and of course I DO NOT "Allow inheritable permissions from parent
to propagate to this object").

But if I set exactly the same permissions on a subfolder of the folder
"test" then I get the desired result!!!

I have to mention that the permissions on my root directory (c:\) are set to
"Everyone-Full Control", but why does this affect the folders inside the
root directory when I do not allow inheritance ???

Please try it yourself and you will see this strange behavior of NTFS
permissions...

Greenseed
      19th Oct 2003
Hi! I tried it at home, on my c:\ root with a dir named test... and
same for me, I was unable to deny delete permission on the \test folder ..
only if I give read permission! Strange! If I only give deny write on
the folder it works! And on my root I only have Administrator, system and
service that can use my drive at all...

I tried in the advanced tab, but was unable to comply!...

I searched for my problem and found it! It is because I tested it with user
administrator... and administrator has ownership of the files! And maybe
win2k lets me delete it because of that!

Anyway... in my mind this is not right! When I set permission to deny
delete.. it must do it, in any case, if you remove inheritable!


Greenseed
 
Steven L Umbach
      19th Oct 2003
It should not. Make sure you logoff and back on computer before testing changes. I
did create a folder under the root and had no problem denying access to regular users
to delete the "main" folder. My root folder however has the everyone group removed
and users have read/list/execute permissions. I have emailed you a screenshot of my
test folder permissions. --- Steve

"Netmasker" <(E-Mail Removed)> wrote in message news:bmn4qm$44b$(E-Mail Removed)...
> I have figured out the problem but not the solution!
>
> The problem is that my folder "test" IS UNDER THE ROOT DIRECTORY (C:\) and
> even the 'explicit deny deletion' of the folder "test" does not work for the
> 'users' (and of course I DO NOT "Allow inheritable permissions from parent
> to propagate to this object").
>
> But if I set exactly the same permissions on a subfolder of the folder
> "test" then I get the desired result!!!
>
> I have to mention that the permissions on my root directory (c:\) are set to
> "Everyone-Full Control", but why does this affect the folders inside the
> root directory when I do not allow inheritance ???
>
> Please try it yourself and you will see this strange behavior of NTFS
> permissions...

Steven L Umbach
      19th Oct 2003
I realized after posting that I was on my XP computer. So I went into the
basement where the W2K Server boxes are and set one up with everything
exactly as you described and lo and behold I experienced the same thing on
the W2K computer as you described. With the everyone group having full
permissions to the root folder and NO permissions [not even listed] at all on
a subfolder, a user with only read/list/execute/write ntfs permissions to
the subfolder of the root could delete it. I would classify that as a "bug".
If I changed the everyone group to read/list/execute on the root folder,
then a regular user could no longer delete the subfolder. If you can live
with the everyone group having no more than read/list/execute/write
permissions on the root folder, then you should be able to implement your
folder structure as needed. This was a new one for me - as I said I always
remove or give the everyone no more than read/list execute. --- Steve
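
An added example, not part of the thread: a read-only PowerShell check for the situation described above, where Everyone has Full Control on the root. Windows permits a delete when the caller holds Delete on the folder or "Delete Subfolders and Files" on its parent (Full Control includes both), so the script lists who holds each. It assumes a Windows version with PowerShell 3 or later and the thread's example path `C:\test`; the helper name `Get-PrincipalsWithRight` is illustrative.

```powershell
# Added example, read-only. C:\test is the thread's example folder (assumed path).
$Folder = 'C:\test'
$Parent = Split-Path -Path $Folder -Parent      # C:\ for the thread's layout

$GenericAll  = 0x10000000   # GENERIC_ALL bit, which Get-Acl reports unexpanded
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# Illustrative helper: names of principals whose Allow ACEs on $Path itself
# include $Right. Group membership and Deny ACEs are not resolved here.
function Get-PrincipalsWithRight {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $Right
    )
    $want = [int]$Right
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $bits = [int]$_.FileSystemRights
        # Inherit-only ACEs ("Subfolders and files only") skip the folder itself.
        $appliesHere = ([int]$_.PropagationFlags -band $InheritOnly) -eq 0
        $hasRight = (($bits -band $want) -eq $want) -or (($bits -band $GenericAll) -ne 0)
        ($_.AccessControlType -eq 'Allow') -and $appliesHere -and $hasRight
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

# Who may delete the folder through its own ACL, and who through the parent's.
$onFolder = Get-PrincipalsWithRight -Path $Folder -Right Delete
$onParent = Get-PrincipalsWithRight -Path $Parent -Right DeleteSubdirectoriesAndFiles

[pscustomobject]@{
    Folder              = $Folder
    Owner               = (Get-Acl -LiteralPath $Folder).Owner  # owner can normally rewrite the ACL
    DeleteOnFolder      = $onFolder -join ', '
    Parent              = $Parent
    DeleteChildOnParent = $onParent -join ', '   # effective regardless of the folder's own ACL
} | Format-List
```

A broad group such as Everyone appearing under `DeleteChildOnParent` accounts for a folder that stays deletable although its own ACL grants no Delete.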