Junction Points and ACL 'protection' - how?

[Cwebb]

I've set up a couple of Junction Points (reparse points), in order to gain more
space on my C: drive, redirecting the Documents and Settings folder and the
Program Files folder.

Microsoft highly recommends using an ACL to prevent these Junction Points
from being inadvertently deleted from Explorer, etc.

How can I protect only the Junction Point from modification/deletion, using
ACL permissions? Setting the Write or Modify permissions on the Junction Point
also prevents writing and modifying of any 'children' of the junction point, even
if the target-folder's permissions are set to allow writing and modifying.

I've set the security settings via the junction point's Properties, changing the
permissions, removing (unchecking) the 'Modify' and the 'Write' permissions,
for 'Everyone'. I then looked at the 'target' folder to see if those specific
permissions were affected on the target folders, and they weren't.

With the permissions set this way however, I can only write/make changes to
the target folder's files if I go directly to the target-folder, and not if I access it via
the junction point. In other words, setting the junction point's permissions to not
allow Writing or Modifying of the Junction Point also sets the permissions for the
child of the junction point when accessed through the junction point, butwhen 'going
around' the junction point, accessing the target-folder directly, the changed permissions
are not in force.

What am I missing? What's the right way to protect only the junction-point so it
can't be deleted or renamed (even by an administrator with a failing memory).

Thanks for any input on this, I can use all the help I can get.

 

[Cwebb]

After some trial and error, it looks as though Win2k (SP4) by default, is
protecting _folders_ that are accessed through the Junction Point, but
not the Junction Point itself.... I can delete the Junction Point through Explorer,
but cannot delete folders that are 'inside' the J.P. However, I _can_ delete
files that are 'inside' the Junction Point.

iow: I've found that I'm unable to delete any folders that I access _through_ the
J.P. using Explorer, although files are fair game, and can be deleted. Yet,
it's no problem deleting these folders with Explorer from the Junction Point's
actual target folder.

I still would like to know how to keep Junction Points safe from errant users...

Anyone know about this?

 

[John John]

My findings are not consistent with yours, if I properly protect the
target, the contents of the junction point or the junction point itself
cannot be deleted.

John

 

[Cwebb]

Well, the problem may be that I don't know what I'm doing!

I understand you to be saying that the permissions that are set on the
target folder propagate back to the junction point, is that what you're
seeing?

I'm using each folder's <Properties/Security-tab/Advanced> to modify the
permissions settings, and I'm changing the permission:
for Everyone - "This Folder Only" - changing from 'Allow' to 'Deny' Delete,
leaving all other permissions at 'Allow'. I'm doing the same for both the
junction-point and the target folder, and leaving the parent-propagate
and child-propagate boxes unchecked in each case.

I've made sure the child-folders have all permissions set at 'Allow', after
I've set the parent folder permissions.

What is it that I'm missing?

Thanks.

 

[Cwebb]

Another weird thing is that I can't delete any _folders_ in the
junction-point's target folder, but only if I go through the
junction-point to get to it (however, I can delete files).

But, as I said, I don't have any problems deleting the same
folder if I get to it via it's actual parent folder.

 

[John John]

I don't have extensive experience with Junction Points and ACL but that
is how it appears to be working for me here. I use Advanced permissions
and on the target directory I explicitly Deny two items to Everyone:

Delete Subfolders and Files
Delete

and from the Windows Explorer GUI I as an Administrator/Owner Creator
cannot delete files or folder in the target folder or in the Junction
Point, nor can I delete the Junction Point. In the Advanced Permissions
make sure that you don't have a check mark on "Apply these permissions
to objects and/or containers within this container only"

The only variable might be that I used the Sysinternal Junction tool
instead of the Resource Kit tools to create the symbolic link, I don't
think that would make a difference but maybe it does, I don't know for sure.

John

 

[Cwebb]

I'm baffled.

Though, it seems that you might be going for different results than
I am.

It sounds like you're setting the child-folders as well as the
junction-point to be delete-protected, is that right?

I'm hoping to simply protect the junction-point, so it isn't deleted
by mistake. I thinks that's all Microsoft means when they
say to:
- Use NTFS ACLs to protect junction points from inadvertent deletion.
- Use NTFS ACLs to protect files and directories that are targeted by
junction points from inadvertent deletion or other file system operations.

Since I've used a junction-point to be able to move my Documents and
Settings folder, I don't want to protect, for example, my desktop, so I
need to Allow deletes on folders and files contained in the targeted folders.

But, just to test, I tried setting all to Allow, except I set Deny on
'Delete' and 'Delete Subfolders and Files', and I'm still able to delete
either folder from Explorer.

And I too, am using Sysinternals' Junction utility...

????

I'm at a loss.

Thanks for your input John.

 

[John John]

I can do this at the Junction Point without inheritance. I can apply
different permissions to any or all of the folders or files. As soon as
one item within the container has a deny delete I cannot delete the
Junction point, the deny can be applied on the items in the symbolic
link or in the target, the results are the same, as soon as one item is
protected inside the container I cannot delete the Junction Point. Put
a dummy folder in there and explicitly deny "Everyone" delete rights on
it and you won't be able to delete the Junction Point.

John

 

[Cwebb]

I may have something missing with an update patch. I'll have to
get the 'Unofficial Service Pack 5' installed. Maybe that'll help.

Thanks for your suggestions John.

 

[Cwebb]

I've found a good alternative....

I've installed the latest version of DMEXbar, a great Explorer 'extension'. This version (v13) happens
to provide a 'protect Junction Points' feature, which won't allow a simple Explorer delete of a Junction
point.

I think I'll stick with this solution, for now.

Again, thanks John.

 

[John John]

You're welcome, thanks for letting us know how you got around the problem.

John