Advanced security permissions in Windows 2000 server

Andrew

It seems that part of the advanced security permissions for
Windows 2000 Server don't work properly. I'm referring to
Create Files \ Write Data and Create Folders \ Append
Data. You may append only in case Delete is checked, but in
that case you may delete the file itself.
So is it possible to set permissions on a folder in such a way
that you may add/create files and append data but not delete
the file?
 
Dmitry Korolyov [MVP]

Set the permissions like this:

Create files\write data, applies onto: this folder only (or this folder and
subfolders)


--
Dmitry Korolyov [[email protected]]
MVP: Windows Server - Active Directory


Miha Pihler

Try it the way Dmitry suggested, but be aware that a client can still open
the file, erase all content and save the file. In either case you lose the
content of the file.

Mike
 
Dmitry Korolyov [MVP]

You should also be aware that for any file created, the user who created it
is the owner, and thus can set any permissions on the file - including Full
Control to self, and then just delete the file.

--
Dmitry Korolyov [[email protected]]
MVP: Windows Server - Active Directory


Guest

I tried it and I can confirm it's not working as it's supposed
to. You are right, but that's exactly my problem...
When you check the append box it will create a temp file
and a new empty file if you rename your initial file.
You may get rid of that temp file if you create two groups
of permissions, one for folders and subfolders and one for
files only, but you still get that empty renamed file if
you append something. Deleting a file as an owner is not an
option since in my environment it's not supposed to be
done. A solution would be to delete all files with 0 size,
manually or using a script.

Steven L Umbach

If a user has write permissions then they have the append data permission and can
create files. Write permission does not allow a user to delete a file. You can see
that if you issue a group write permissions and look at their permissions in the
advanced page. If creator owner is present, then the user who creates the file will
receive creator owner permissions also, which usually are full control. You can change
the permissions for creator owner or remove it. Of course the owner of a file can
always change permissions IF he knows how, and in XP Pro you can use Group Policy to
hide the security tab to a folder, though a resourceful user may still figure out how
to use command line tools. --- Steve
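
The points made in the replies above (Write does not include Delete, Write Data still allows overwriting, and the file owner can always change permissions) can be checked against the NTFS access-mask bits. This is an added example, not part of the original thread: the `assess` function and the scenario masks are constructed for illustration, and the model assumes allow ACEs only, with no deny ACEs and no privileges.

```python
# NTFS access-mask bits, values as defined in winnt.h.
FILE_WRITE_DATA       = 0x000002  # on a folder: Create Files
FILE_APPEND_DATA      = 0x000004  # on a folder: Create Folders
FILE_WRITE_EA         = 0x000010
FILE_DELETE_CHILD     = 0x000040  # Delete Subfolders and Files (on the parent)
FILE_WRITE_ATTRIBUTES = 0x000100
DELETE                = 0x010000
READ_CONTROL          = 0x020000  # Read Permissions
WRITE_DAC             = 0x040000  # Change Permissions
SYNCHRONIZE           = 0x100000

# The "Write" checkbox on the basic Security tab expands to this set.
FILE_GENERIC_WRITE = (READ_CONTROL | SYNCHRONIZE | FILE_WRITE_DATA |
                      FILE_APPEND_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA)
FILE_ALL_ACCESS = 0x1F01FF  # Full Control


def assess(file_mask, parent_mask, is_owner):
    """What can a user do to one existing file?

    file_mask / parent_mask: rights granted to the user on the file and on
    its parent folder. Simplified model (assumption): allow ACEs only,
    no deny ACEs, no privileges such as backup/restore.
    """
    if is_owner:
        # The owner is implicitly allowed to read and change the DACL.
        file_mask |= READ_CONTROL | WRITE_DAC
    return {
        "append": bool(file_mask & FILE_APPEND_DATA),
        "overwrite": bool(file_mask & FILE_WRITE_DATA),
        "delete": bool(file_mask & DELETE or parent_mask & FILE_DELETE_CHILD),
        "can_regrant": bool(file_mask & WRITE_DAC),
    }


# Constructed scenarios matching the cases discussed in the thread.
SCENARIOS = {
    "Write, not owner": (FILE_GENERIC_WRITE, FILE_GENERIC_WRITE, False),
    "Write, file owner": (FILE_GENERIC_WRITE, FILE_GENERIC_WRITE, True),
    "Append only, not owner": (FILE_APPEND_DATA | SYNCHRONIZE, FILE_GENERIC_WRITE, False),
    "CREATOR OWNER Full Control": (FILE_ALL_ACCESS, FILE_GENERIC_WRITE, True),
}

if __name__ == "__main__":
    for name, args in SCENARIOS.items():
        print(f"{name:28} {assess(*args)}")
```

Only the append-only row denies overwriting, and only the non-owner rows leave the user unable to re-grant themselves rights, which is why removing or restricting the CREATOR OWNER entry matters for this setup.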
 
