Totally confused with this NTFS scenario!

 
 
John
      11-27-2006
Can someone please tell me why this is not working?
I'm using XP SP2 with the NTFS file system.

Scenario:

* Using the admin account, I created a standard user, named "User1"

* I have a folder at the root of C:\ called "DATA"

* I disabled inheritance for "C:\DATA" via the admin account

* I removed all entries from the C:\DATA folder's ACL and added the
users group "Full Control" for "This Folder, Subfolders, and Files"

* Under the C:\DATA folder I created a text document called TEST.TXT

* On TEST.TXT, I disabled inheritance, removed all entries on the ACL,
and then added only one entry to the ACL which is set to: User1
to have Read-only access.

Now, when I log into XP using the User1 account, I can access the
TEST.TXT file as expected, but I am able to delete it. Why is this
the case if User1 has only read permissions on that file? I thought
that shutting off inheritance for individual files enables you to
have more granular control over objects via their own ACL. I thought
I would have received an access denied message. Why is it still
looking at the Users Group "Full Control" setting on the parent folder
if I shut off inheritance for the TEST.TXT file? How do I do a
workaround?

John

 
Dragon Without Wings
      11-27-2006
Principal rule for NTFS permission: "NTFS permissions are cumulative". This
means that a user's effective permissions are the result of combining the
user's assigned permissions. If your User1 belongs to the User Group then
he will have Read and Change permissions on that TEST.TXT file which in turn
allows him to delete the file.
 
AJR
      11-27-2006
In addition to "dragon without wings's" reply - in creation of the file did
"user1" become the owner?

John
      11-28-2006
No, TEST.TXT was created with the administrator account, so the admin
is the owner.


Dragon Without Wings
      11-28-2006
"John" wrote:

> No, TEST.TXT was created with the administrator account, so the admin
> is the owner.
>
>



Let me repeat it again: "NTFS permissions are cumulative". NTFS permission
inheritance is just for a network admin's convenience. Just imagine an
admin's nightmare without NTFS permission inheritance: he would have had to
go through every single folder and file just to set appropriate permissions.
Disabling file/folder inheritance (static inheritance) is not strongly
recommended because it will create more headaches later on if you have to
troubleshoot file/folder permissions. If you just want the User1 to have
Read only access to the file TEST.TXT, then create a new security group,
let's just say Restricted Users, and add him in. Now the User1 is a member
of both Restricted Users and Users groups. On the DATA folder, set all
entries in the ACL that you don't want to have access to the folder to
DENY (make sure the User1 is not a member of any of those), and add those two
groups in. Remember, Deny always overrides other permissions, therefore give
the Users group Full Control permission, and the Restricted Users group Read
& Execute (which will include Read and List Folder Contents). Now, you don't
want the User1 to be able to delete the TEST.TXT file (which he still is
now). Click on Advanced to go to Special permissions and select the
Restricted Users group. Edit the permission so that it will Deny this group
from Delete and Delete Subfolders and Files.
Hope this will help.
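
Added example, not part of any post in this thread and not real Windows API code: a simplified Python model of the NTFS delete check for the C:\DATA and TEST.TXT setup discussed above. It assumes the documented Windows rule that deleting a file needs either Delete on the file or "Delete Subfolders and Files" on the parent folder; the bit values, the USER1 group sets and the helper names are constructed for the illustration.

```python
# Simplified model of the NTFS delete decision (illustration only).
# Bit values are constructed for this example, not the Win32 constants.
READ, DELETE, DELETE_CHILD = 0x1, 0x2, 0x4
FULL_CONTROL = READ | DELETE | DELETE_CHILD

def granted(dacl, sids, right):
    """Walk the ACEs in order; the first ACE that matches one of the
    caller's SIDs and covers the right decides. No match = implicit deny."""
    for kind, sid, mask in dacl:
        if sid in sids and mask & right:
            return kind == "allow"
    return False

def can_delete(file_dacl, parent_dacl, sids):
    """A file can be deleted with DELETE on the file itself OR with
    'Delete Subfolders and Files' (DELETE_CHILD) on its parent folder."""
    return (granted(file_dacl, sids, DELETE)
            or granted(parent_dacl, sids, DELETE_CHILD))

def canonical(dacl):
    """Order explicit Deny ACEs ahead of Allow ACEs, as the ACL editor does."""
    return sorted(dacl, key=lambda ace: ace[0] != "deny")

# John's setup: inheritance disabled on both the folder and the file.
DATA_ACL = [("allow", "Users", FULL_CONTROL)]    # C:\DATA
TEST_TXT_ACL = [("allow", "User1", READ)]        # C:\DATA\TEST.TXT
USER1 = {"User1", "Users"}                       # User1 and its group

# Folder ACL after the change described in the post above: Restricted Users
# gets read access plus Deny on Delete and Delete Subfolders and Files.
DATA_ACL_FIXED = canonical([
    ("allow", "Users", FULL_CONTROL),
    ("allow", "Restricted Users", READ),
    ("deny", "Restricted Users", DELETE | DELETE_CHILD),
])
USER1_FIXED = USER1 | {"Restricted Users"}

if __name__ == "__main__":
    print("file ACL grants DELETE:", granted(TEST_TXT_ACL, USER1, DELETE))
    print("delete allowed (original):", can_delete(TEST_TXT_ACL, DATA_ACL, USER1))
    print("delete allowed (with Deny):",
          can_delete(TEST_TXT_ACL, DATA_ACL_FIXED, USER1_FIXED))
```

In the model the file's own ACL never grants Delete to User1; the delete in the original setup succeeds only through the folder's Full Control entry.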
 
Rafael Santos
      11-28-2006
Well, my English is terrible but I'll give my 2c...

If you just deny everything but reading for User1 it will work fine.

But you have to explicitly deny; if you just leave them unchecked the OS will
use the folder permissions.

It looks like you just did not check the deny options for User1 and just
left the permissions implicit.

Hope you can understand me...

--
Rafael Santos
Criterium Business Mobile
Porto Alegre - RS - Brasil
www.criterium.com.br

 