User can change folder permissions

[Mark A. Sam]

I wanted to test whether I was able to protect a data backend from being
deleted, so I created a folder, "Test" with a subfolder "data". I am an
admin on the system, and created these folders on my machine. I set
permissions for "Everyone" to Deny Delete and Deny Folders and Subfolders
for
the "Data" folder. This did what I wanted. I tested it on a user machine
and was unable to delete files from the "Data" folder as well as use the
app.

Here is the issue. Logged on as a user "Sales", I was able to set the
permission of the "Data" folder to Deny Full Control. After making the
change, there were no security options available to reset the permissions
and
I could not open the folder or access the tables in the backend db. I
logged on as myself on that machine and was also denied access. I then went
to my machine, logged off and back on as myself and had to reset the
permissions as I was denied access to the folders and database.

Anyone know if this a quirk or normal security functionality? It seems odd
that a user is able to affect the permissions to someone elses folder.

Thanks for any info and God Bless,

Mark A. Sam

 

[Colin Nash [MVP]]

I wanted to test whether I was able to protect a data backend from being
deleted, so I created a folder, "Test" with a subfolder "data". I am an
admin on the system, and created these folders on my machine. I set
permissions for "Everyone" to Deny Delete and Deny Folders and Subfolders
for
the "Data" folder. This did what I wanted. I tested it on a user machine
and was unable to delete files from the "Data" folder as well as use the
app.

Here is the issue. Logged on as a user "Sales", I was able to set the
permission of the "Data" folder to Deny Full Control. After making the
change, there were no security options available to reset the permissions
and
I could not open the folder or access the tables in the backend db. I
logged on as myself on that machine and was also denied access. I then
went
to my machine, logged off and back on as myself and had to reset the
permissions as I was denied access to the folders and database.

Anyone know if this a quirk or normal security functionality? It seems
odd
that a user is able to affect the permissions to someone elses folder.

Thanks for any info and God Bless,

Mark A. Sam

I'm a little unclear on what you are describing but I'll do my best...

If you put a "Deny" entry for "Everyone" on Full Control, then yes you will
lock everyone out (administrators can use a privilege to reset permissions
regardless of anything you do, of course.)

Generally, you don't need to put any explicit "Deny" entries (it is fairly
rare to ever be in a situation that needs a "Deny." You just put "allow"
entries for users and groups that should have access and completely remove
entries for others... anyone not listed as "Allowed" will not have access.

If you put a "Deny", it will take precedence over everything else.
'Everyone' includes all users-- even administrators.

I'm also not sure what you mean by "someone else's folder" -- basically if a
user has Full Control on a folder, they can change permissions.
(Administrators can give themselves full control so it's never possible to
lock out an admin.)

 

[Mark A. Sam]

Hello Colin,

My purpose is to disallow a user from deleting a data file. If you don't
deny delete, then any user has access to the folder and can trash the file.
I'm not clear why a user can deny the creator of the file access.

Thanks for your reply and God Bless,

Mark A. Sam