Folder Permissions - delete

[pittspeed]

Hello,

I have a share on a data server that is the lump of my document
management software... in this share, there are just folder upon subfolder
upon subfolder of word documents and excel ect. ect.

at the top of the share i have permisssions set so that the admin has
rights to do anything but delete, and domain users have full rights to
modify... i aslo have another 'super' admin that is designated as the only
group that had delete rights.

i have propogate checked on the permissions, so that the same
permissions as set on the share will trickle down to the subfolders... this
does not seem to be the case first i don't see any permissions carry down...
and second, i'm wondering if the advanced permissions (delete) option is
acutally going to work against deleting files as opposed to folders.

please give me any advice or consulation on my current plan. thanks.

 

[Steven L Umbach]

For one thing "modify" permissions will allow a user to delete a file. You may also
want to look at using the fileacl utility to change permissions [which can also do
advanced permissions] and force inheritance if the Explorer gui does not seem to be
working right. Be sure to have a full backup before you start in case things go wrong
though with fileacl an administrator always should be able to change
ermissions. --- Steve

http://www.microsoft.com/downloads/...ea-34f0-4e6d-9a72-004d35de4e64&DisplayLang=en

 

[pittspeed]

thansk... i'm making myself and the two higher level admins the actual
admins to delete files... i'm keeping the techs out of the delete permission
incase somone does a search and wipes out some docs by accident.

i've found that my permissions were copying down... but i was getting a
problem with creation of new docs... the users did not have permissions to
create new docs when i took away delete and take ownership...

it seems that if i just take away delete and leave modify in the regular
permissions (not in the advanced tab) the user can still delete...

so i'm wondering how i can make it so that domain users cannot delete, but
can create new docs...

For one thing "modify" permissions will allow a user to delete a file. You may also
want to look at using the fileacl utility to change permissions [which can also do
advanced permissions] and force inheritance if the Explorer gui does not seem to be
working right. Be sure to have a full backup before you start in case things go wrong
though with fileacl an administrator always should be able to change
ermissions. --- Steve

http://www.microsoft.com/downloads/...ea-34f0-4e6d-9a72-004d35de4e64&DisplayLang=en

Hello,

I have a share on a data server that is the lump of my document
management software... in this share, there are just folder upon subfolder
upon subfolder of word documents and excel ect. ect.

at the top of the share i have permisssions set so that the admin has
rights to do anything but delete, and domain users have full rights to
modify... i aslo have another 'super' admin that is designated as the only
group that had delete rights.

i have propogate checked on the permissions, so that the same
permissions as set on the share will trickle down to the subfolders... this
does not seem to be the case first i don't see any permissions carry down...
and second, i'm wondering if the advanced permissions (delete) option is
acutally going to work against deleting files as opposed to folders.

please give me any advice or consulation on my current plan. thanks.

 

[Steven L Umbach]

Yes, modify will allow a user to delete files. Try giving then just
read/list/execute/write permissions to the folder. That should allow then to write
files to the folder, but not delete them unless the creator owner is present and has
full/modify permissions. The creator owner causes users to receive permissions
assigned to it when a user writes a file and is based on ownership. -- Steve

thansk... i'm making myself and the two higher level admins the actual
admins to delete files... i'm keeping the techs out of the delete permission
incase somone does a search and wipes out some docs by accident.

i've found that my permissions were copying down... but i was getting a
problem with creation of new docs... the users did not have permissions to
create new docs when i took away delete and take ownership...

it seems that if i just take away delete and leave modify in the regular
permissions (not in the advanced tab) the user can still delete...

so i'm wondering how i can make it so that domain users cannot delete, but
can create new docs...

For one thing "modify" permissions will allow a user to delete a file. You may also
want to look at using the fileacl utility to change permissions [which can also do
advanced permissions] and force inheritance if the Explorer gui does not seem to be
working right. Be sure to have a full backup before you start in case things go wrong
though with fileacl an administrator always should be able to change
ermissions. --- Steve

http://www.microsoft.com/downloads/...ea-34f0-4e6d-9a72-004d35de4e64&DisplayLang=en

 

[pittspeed]

so for good practice the creator owner should be the 'super admin' group i
made, or just the domain\administrator account?

thanks for the help Steven

Yes, modify will allow a user to delete files. Try giving then just
read/list/execute/write permissions to the folder. That should allow then to write
files to the folder, but not delete them unless the creator owner is present and has
full/modify permissions. The creator owner causes users to receive permissions
assigned to it when a user writes a file and is based on ownership. -- Steve

thansk... i'm making myself and the two higher level admins the actual
admins to delete files... i'm keeping the techs out of the delete permission
incase somone does a search and wipes out some docs by accident.

i've found that my permissions were copying down... but i was getting a
problem with creation of new docs... the users did not have permissions to
create new docs when i took away delete and take ownership...

it seems that if i just take away delete and leave modify in the regular
permissions (not in the advanced tab) the user can still delete...

so i'm wondering how i can make it so that domain users cannot delete, but
can create new docs...

For one thing "modify" permissions will allow a user to delete a file.

You
may also

want to look at using the fileacl utility to change permissions [which

can
also do

advanced permissions] and force inheritance if the Explorer gui does

not
seem to be

working right. Be sure to have a full backup before you start in case things go wrong
though with fileacl an administrator always should be able to change
ermissions. --- Steve

http://www.microsoft.com/downloads/...ea-34f0-4e6d-9a72-004d35de4e64&DisplayLang=en

admin
has the
only subfolders...
this

 

[Steven L Umbach]

No. The creator owner simply allows the person who creates a file to have higher
permissions than would otherwise be assigned to that user based on their group
membership. You domain administrators are always the top dog. --- Steve

so for good practice the creator owner should be the 'super admin' group i
made, or just the domain\administrator account?

thanks for the help Steven

Yes, modify will allow a user to delete files. Try giving then just
read/list/execute/write permissions to the folder. That should allow then to write
files to the folder, but not delete them unless the creator owner is present and has
full/modify permissions. The creator owner causes users to receive permissions
assigned to it when a user writes a file and is based on ownership. -- Steve

thansk... i'm making myself and the two higher level admins the actual
admins to delete files... i'm keeping the techs out of the delete permission
incase somone does a search and wipes out some docs by accident.

i've found that my permissions were copying down... but i was getting a
problem with creation of new docs... the users did not have permissions to
create new docs when i took away delete and take ownership...

it seems that if i just take away delete and leave modify in the regular
permissions (not in the advanced tab) the user can still delete...

so i'm wondering how i can make it so that domain users cannot delete, but
can create new docs...
For one thing "modify" permissions will allow a user to delete a file. You
may also
want to look at using the fileacl utility to change permissions [which can
also do
advanced permissions] and force inheritance if the Explorer gui does not
seem to be
working right. Be sure to have a full backup before you start in case
things go wrong
though with fileacl an administrator always should be able to change
ermissions. --- Steve

http://www.microsoft.com/downloads/...ea-34f0-4e6d-9a72-004d35de4e64&DisplayLang=en

 

[pittspeed]

once i set up all the permissions and the deny rule for delete and delete
subfolders... i'm still getting an error about permissions and not being
able to be saved... i'm wondering if the ownership is messed up and is
causing my domain users to NOT be able to save... the ownership tab as the
local admin and the network administrator accounts attached.

any ideas on why i'm running into issues... basically i want my users to
have modify rights MINUS the delete options... but it doesn't seem to work
for me...

No. The creator owner simply allows the person who creates a file to have higher
permissions than would otherwise be assigned to that user based on their group
membership. You domain administrators are always the top dog. --- Steve

so for good practice the creator owner should be the 'super admin' group i
made, or just the domain\administrator account?

thanks for the help Steven

Yes, modify will allow a user to delete files. Try giving then just
read/list/execute/write permissions to the folder. That should allow

then
to write

files to the folder, but not delete them unless the creator owner is present and has
full/modify permissions. The creator owner causes users to receive permissions
assigned to it when a user writes a file and is based on

wnership. --
Steve

thansk... i'm making myself and the two higher level admins the actual
admins to delete files... i'm keeping the techs out of the delete permission
incase somone does a search and wipes out some docs by accident.

i've found that my permissions were copying down... but i was getting a
problem with creation of new docs... the users did not have

permissions
to

create new docs when i took away delete and take ownership...

it seems that if i just take away delete and leave modify in the regular
permissions (not in the advanced tab) the user can still delete...

so i'm wondering how i can make it so that domain users cannot

delete,
but

can create new docs...
For one thing "modify" permissions will allow a user to delete a

file.
You

may also
want to look at using the fileacl utility to change permissions

[which
can

also do
advanced permissions] and force inheritance if the Explorer gui

does
not

seem to be
working right. Be sure to have a full backup before you start in case
things go wrong
though with fileacl an administrator always should be able to change
ermissions. --- Steve

http://www.microsoft.com/downloads/...ea-34f0-4e6d-9a72-004d35de4e64&DisplayLang=en

rights
to as
the

 

[Steven L Umbach]

I think you are trying to do the impossible. Modify without delete permissions is the
same as write permissions which is not good enough to modify files in many cases.
Owner ship has nothing to do with the ability to save or delete files. The owner can
change permissions. --- Steve

once i set up all the permissions and the deny rule for delete and delete
subfolders... i'm still getting an error about permissions and not being
able to be saved... i'm wondering if the ownership is messed up and is
causing my domain users to NOT be able to save... the ownership tab as the
local admin and the network administrator accounts attached.

any ideas on why i'm running into issues... basically i want my users to
have modify rights MINUS the delete options... but it doesn't seem to work
for me...

No. The creator owner simply allows the person who creates a file to have higher
permissions than would otherwise be assigned to that user based on their group
membership. You domain administrators are always the top dog. --- Steve

so for good practice the creator owner should be the 'super admin' group i
made, or just the domain\administrator account?

thanks for the help Steven


Yes, modify will allow a user to delete files. Try giving then just
read/list/execute/write permissions to the folder. That should allow then
to write
files to the folder, but not delete them unless the creator owner is
present and has
full/modify permissions. The creator owner causes users to receive
permissions
assigned to it when a user writes a file and is based on wnership. --
Steve


thansk... i'm making myself and the two higher level admins the actual
admins to delete files... i'm keeping the techs out of the delete
permission
incase somone does a search and wipes out some docs by accident.

i've found that my permissions were copying down... but i was getting a
problem with creation of new docs... the users did not have permissions
to
create new docs when i took away delete and take ownership...

it seems that if i just take away delete and leave modify in the regular
permissions (not in the advanced tab) the user can still delete...

so i'm wondering how i can make it so that domain users cannot delete,
but
can create new docs...
For one thing "modify" permissions will allow a user to delete a file.
You
may also
want to look at using the fileacl utility to change permissions [which
can
also do
advanced permissions] and force inheritance if the Explorer gui does
not
seem to be
working right. Be sure to have a full backup before you start in case
things go wrong
though with fileacl an administrator always should be able to change
ermissions. --- Steve

http://www.microsoft.com/downloads/...ea-34f0-4e6d-9a72-004d35de4e64&DisplayLang=en

 

[pittspeed]

ok... i was just making sure that the 'requirement' for our file system is
unattainable... from the one post from you i thought it was possible... i
*thought that modify is basically write permission which in turn is
essentially delete permission... which is impossible to avoid.

Thanks for the help steven.

I think you are trying to do the impossible. Modify without delete permissions is the
same as write permissions which is not good enough to modify files in many cases.
Owner ship has nothing to do with the ability to save or delete files. The owner can
change permissions. --- Steve

once i set up all the permissions and the deny rule for delete and delete
subfolders... i'm still getting an error about permissions and not being
able to be saved... i'm wondering if the ownership is messed up and is
causing my domain users to NOT be able to save... the ownership tab as the
local admin and the network administrator accounts attached.

any ideas on why i'm running into issues... basically i want my users to
have modify rights MINUS the delete options... but it doesn't seem to work
for me...

No. The creator owner simply allows the person who creates a file to

have
higher

permissions than would otherwise be assigned to that user based on

their
group

membership. You domain administrators are always the top dog. --- Steve

so for good practice the creator owner should be the 'super admin'

group
i

made, or just the domain\administrator account?

thanks for the help Steven


Yes, modify will allow a user to delete files. Try giving then just
read/list/execute/write permissions to the folder. That should

allow
then

to write
files to the folder, but not delete them unless the creator owner is
present and has
full/modify permissions. The creator owner causes users to receive
permissions
assigned to it when a user writes a file and is based on wnership. --
Steve


thansk... i'm making myself and the two higher level admins the actual
admins to delete files... i'm keeping the techs out of the delete
permission
incase somone does a search and wipes out some docs by accident.

i've found that my permissions were copying down... but i was getting a
problem with creation of new docs... the users did not have permissions
to
create new docs when i took away delete and take ownership...

it seems that if i just take away delete and leave modify in the regular
permissions (not in the advanced tab) the user can still delete...

so i'm wondering how i can make it so that domain users cannot delete,
but
can create new docs...
For one thing "modify" permissions will allow a user to delete

a
file.

You
may also
want to look at using the fileacl utility to change

permissions
[which

can
also do
advanced permissions] and force inheritance if the Explorer

gui
does

not
seem to be
working right. Be sure to have a full backup before you start

in
case

things go wrong
though with fileacl an administrator always should be able to change
ermissions. --- Steve

http://www.microsoft.com/downloads/...ea-34f0-4e6d-9a72-004d35de4e64&DisplayLang=en

designated
as permissions
carry