NTFS Permissions - Sub-Folders

[Richard Tubb]

Hi,

I'm struggling with an issue regarding NTFS permissions that I can't seem to
resolve. Would appreciate any assistance.

On our Windows Server 2003 SP1 server we have a Public Share. Under this
public share are sub-folders that users have full access to.

Share Permissions are set to Authenticated Users - Full Control.

Domain Admins have Full Control to the root share and all sub-folders.

I'm now trying to tweak NTFS Permissions to achieve the following:-

1. Allow Authenticated Users to create, modify and delete files in
sub-folders.
2. Allow Authenticated Users to create, modify and delete sub-sub-folders.
3. Not allow authenticated users to delete sub-folders in the root only

In other words, not allow users to delete folders in the root, but do allow
them to delete any files and sub-folders under sub-folders in the root.

I can't seem to achieve this solution.

The permissions as it stand are:-

PUBLIC DRIVE:-

1. Authenticated Users - Allow - Traverse Folder, List Folder, Read
Attributes, Read Extended Attributes, Create Files/Write Data, Create
Folders/Append Data, Write Attributes, Write Extended Attributes, Delete,
Read Permissions - SUBFOLDERS AND FILES ONLY ("Apply these permissions to
objects or containers within this container only" - UNTICKED)

2. Authenticated Users - Allow - Traverse Folder, List Folder, Read
Attributes, Read Extended Attributes, Read Permissions - THIS FILE AND
FOLDERS ("Apply these permissions to objects or containers within this
container only" - TICKED)

3. Domain Admins - Allow - Full Control - THIS FOLDER, SUBFOLDERS AND FILES
(Apply these permissions to objects or containers within this container
only" - UNTICKED)

If I change permission number 1 to remove the Delete permission, users lose
the ability to delete files in sub-folders.

I only want to prevent them deleting folders in the root of the Public
Drive, sub-folders under these folders they can delete as necessary.

Any suggestions gratefully received!

Regards,

Richard Tubb.

 

[Vincent Xu [MSFT]]

Hi,

I think, you should explicitly grant authenticate users permission of
delete on the subfolder under the public share and deny the on the public
share.


Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================



--------------------

 

[Roger Abell [MVP]]

At the share root set the permissions that apply everywhere, such
as Administrators Full, and include there a grant for Authenticated
Users of List. Then, on each folder at the first level under the shared
folder add a grant to Authenticated Users for Modify, but then use
the Advanced tab to edit that grant and to change it so that it applies
to Subfolders and Files.

 

[Guest]

Hi both,

Thanks for this. I was ideally looking for find a solution where all newly
created directories under the root automatically got all the permissions they
required. However I appreciate this doesn't seem possible, so with a small
bit of administration new directories can achieve the same result.

For the sake of completeness, here's what I did in a test environment:-

01. create a folder named ROOT with Windows Explorer
02. right-click ROOT, choose Properties/Security/Advanced/Permissions,
uncheck "Allow inheritable permissions from ..."
03. choose Copy to keep the original permissons
04. remove all permissions except the two for ADMIN and CREATOR OWNER
05. make sure ADMIN has FULL CONTROL while CREATOR OWNER has SPECIAL
PERMISSIONS
06. add AUTH users and grant READ/EXEC (R/E, L.F.C and R), press OK to
reutrn to Windows Explorer
07. create two folders named F1 and F2 under the folder ROOT with Windows
Explorer
08. right-click F1, choose Properties/Security, add MODIFY (M and W) for
AUTH users
09. click Advanced/Permissions, choose AUTH users with permission MODIFY,
click Edit
10. check "Delete Subfolders and Files" in Allow column
11. uncheck "Delete" in Allow column
12. press OK, OK, OK to return to Windows Explorer
13. do step 8-12 again for F2
14. create some files in ROOT, F1 and F2
15. SHARE the ROOT folder with FULL CONTROL for share level permission
16. test AUTH users accessessing the ROOT, F1 and F2...

Thanks again for your help - with the assistance of yourself and others I
finally achieved a satisfactory solution!

--
Regards,

Richard Tubb.

 

[Vincent Xu [MSFT]]

Hi,

Glad to hear that.

Have a good day!


Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================



--------------------