Permissions not making sense

Dean

Hi,

I think I'm losing it. The permissions seem to be a
rather backwards system. Let me explain.

I want to prevent a User from reading the contents of a
folder, but a file inside the folder can be accessed via a
shortcut.

User U1 is part of Group G1

To understand this, I tried to set up a folder in which
the Administrator has Full Control.

If the Group "Everyone" has permissions to read the
contents of the folder, User U1 can read the contents.

If "Everyone" is removed but U1 is added with Full Control
it comes up Access Denied. (Whether individually or part
of group "G1")

It is as though if by group membership in "Everyone", U1
can access the folder, but with explicit "Allow"
statements it doesn't work.

The original folder share had permissions set to
allow "Everyone" Full Control.

Does this make sense to anyone else, or has Microsoft
invoked some weird sense of logic? Any suggestions of
where I can find info to help sort this out?

Dean
 
Pegasus (MVP)

Dean said:
Hi,

I think I'm losing it. The permissions seem to be a
rather backwards system. Let me explain.

I want to prevent a User from reading the contents of a
folder, but a file inside the folder can be accessed via a
shortcut.

User U1 is part of Group G1

To understand this, I tried to set up a folder in which
the Administrator has Full Control.

If the Group "Everyone" has permissions to read the
contents of the folder, User U1 can read the contents.

If "Everyone" is removed but U1 is added with Full Control
it comes up Access Denied. (Whether individually or part
of group "G1")

It is as though if by group membership in "Everyone", U1
can access the folder, but with explicit "Allow"
statements it doesn't work.

The original folder share had permissions set to
allow "Everyone" Full Control.

Does this make sense to anyone else, or has Microsoft
invoked some weird sense of logic? Any suggestions of
where I can find info to help sort this out?

Dean

It all depends on what you mean by 'If "Everyone" is removed'.
If you deny "Everyone" access to a certain resource then
the denial will take precedence over other permissions.
 
Dean

-----Original Message-----



It all depends on what you mean by 'If "Everyone" is removed'.
If you deny "Everyone" access to a certain resource then
the denial will take precedence over other permissions.


.
Hi
Actually, I meant if the "Everyone" group was removed from
the permission list. Not setting any "Deny" entries, but
removing the "Everyone" group from the permissions list.
Dean
 
Pegasus (MVP)

Dean said:
Hi
Actually, I meant if the "Everyone" group was removed from
the permission list. Not setting any "Deny" entries, but
removing the "Everyone" group from the permissions list.
Dean

I ran this little batch file to test your claim:

@echo off
if exist d:\test rd /s /q d:\test
md d:\test

cacls d:\test
echo.
echo Authenticated Users have full access.
pause

cacls d:\test /t /e /g administrators:F
echo.
echo Administrators ^& Authenticated Users have full access.
pause

cacls d:\test /t /e /r "authenticated users"
echo.
echo Only Administrators have access.
pause

net localgroup G1 /add
net localgroup G1 "Dean" /add
cacls d:\test /t /e /g "G1":F
echo.
echo Administrators ^& members of G1 have full access.

Before I executed the batch file, I used runas.exe to start an instance
of cmd.exe under "Dean". Each time the batch file paused, I ran this
command in the "Dean" instance of cmd.exe:

cacls d:\test

The results corresponded exactly with my expectations: "Dean"
was denied access only in the case where "Administrators" had
sole access rights. In all other cases, "Dean" had full access rights.
 
Ricardo M. Urbano - W2K/NT4 MVP

Dean said:
Hi,

I think I'm losing it. The permissions seem to be a
rather backwards system. Let me explain.

I want to prevent a User from reading the contents of a
folder, but a file inside the folder can be accessed via a
shortcut.

User U1 is part of Group G1

To understand this, I tried to set up a folder in which
the Administrator has Full Control.

If the Group "Everyone" has permissions to read the
contents of the folder, User U1 can read the contents.

If "Everyone" is removed but U1 is added with Full Control
it comes up Access Denied. (Whether individually or part
of group "G1")

It is as though if by group membership in "Everyone", U1
can access the folder, but with explicit "Allow"
statements it doesn't work.

The original folder share had permissions set to
allow "Everyone" Full Control.

Does this make sense to anyone else, or has Microsoft
invoked some weird sense of logic? Any suggestions of
where I can find info to help sort this out?

Dean

Dean, are you talking about share permissions or NTFS permissions??
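
The rules this thread turns on, as an added example that is not part of any poster's message: a simplified Python model of how a permission list is checked against the groups a user belongs to (deny entries win, and a user matched by no entry is denied), and of how share and NTFS permissions combine for access over the network. Trustee names mirror the thread; the mask bits, the token contents and every function name are constructed for illustration.

```python
from dataclasses import dataclass

# Simplified rights bits (constructed; not the real Windows access-mask values).
READ, WRITE, FULL = 0x1, 0x2, 0x3

@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group the entry applies to
    mask: int      # rights covered by the entry

def canonical(dacl):
    """Deny entries first, then allow entries (canonical DACL order)."""
    return sorted(dacl, key=lambda ace: ace.kind != "deny")

def access_check(token, dacl, desired):
    """Walk the entries in order. A matching deny entry that covers a right
    still being asked for fails the request; matching allow entries
    accumulate rights. Rights no matching entry grants are denied."""
    remaining = desired
    for ace in dacl:
        if ace.trustee not in token:
            continue                      # entry is for someone else
        if ace.kind == "deny" and ace.mask & remaining:
            return False                  # explicit deny takes precedence
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True               # everything requested is granted
    return False                          # implicit deny: nothing matched

def network_access(token, share_acl, ntfs_dacl, desired):
    """Over a share the request must pass the share ACL and the NTFS DACL."""
    return (access_check(token, canonical(share_acl), desired)
            and access_check(token, canonical(ntfs_dacl), desired))

# Constructed token for U1: the account plus its group memberships.
U1 = {"U1", "G1", "Everyone", "Authenticated Users"}

# Constructed permission lists matching the cases discussed in the thread.
admins_only = [Ace("allow", "Administrators", FULL)]
g1_added = admins_only + [Ace("allow", "G1", FULL)]
everyone_denied = g1_added + [Ace("deny", "Everyone", FULL)]
share_full = [Ace("allow", "Everyone", FULL)]
share_read = [Ace("allow", "Everyone", READ)]
```

In this model, removing "Everyone" from the list only takes away one source of rights, while a deny entry for "Everyone" blocks U1 even though G1 is allowed Full Control.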
 
