NTFS meltdown :-(

Discussion in 'MCSA' started by John, Nov 28, 2006.

  1. John

    John Guest

    I seem to be having an NTFS meltdown here. Believe it or not, I've
    read several Microsoft books, as well as articles on TechNet covering
    NTFS permissions thoroughly, but I appear to be regressing. I'm just
    trying to grasp this. I thought I understood the idea of permissions
    being cumulative. I also thought I understood that an explicit Deny
    overrides all. That being said, why would user1 still be able to
    delete the Test.txt file in the following scenario?

    User1 is a member of the Users group
    Administrator is the owner of Test.txt and C:\Data

    C:\DATA <--- Users Group Full Control
    (nothing else on ACL)
    (Inheritance: This folder only)

    C:\DATA\TEST.TXT <--- User1 Explicitly denied Delete on file
    (nothing else on ACL)
    (Inheritance turned off)

    When User1 logs in, he is able to delete test.txt!! Why? Am I missing
    something? Also something to note, I opt to delete to the recycle bin,
    but when user1 deletes this file, the file is permanently deleted and
    the undo option is greyed out. User1 should not have been able to
    delete this file. User1's effective permissions say he does not have
    the ability to delete it.

    John
     
    John, Nov 28, 2006
    #1

  2. "John" wrote:

    > I seem to be having an NTFS meltdown here. Believe it or not, I've
    > read several Microsoft books, as well as articles on TechNet covering
    > NTFS permissions thoroughly, but I appear to be regressing. I'm just
    > trying to grasp this. I thought I understood the idea of permissions
    > being cumulative. I also thought I understood that an explicit Deny
    > overrides all. That being said, why would user1 still be able to
    > delete the Test.txt file in the following scenario?
    >
    > User1 is a member of the Users group
    > Administrator is the owner of Test.txt and C:\Data
    >
    > C:\DATA <--- Users Group Full Control
    > (nothing else on ACL)
    > (Inheritance: This folder only)
    >
    > C:\DATA\TEST.TXT <--- User1 Explicitly denied Delete on file
    > (nothing else on ACL)
    > (Inheritance turned off)
    >
    > When User1 logs in, he is able to delete test.txt!! Why? Am I missing
    > something? Also something to note, I opt to delete to the recycle bin,
    > but when user1 deletes this file, the file is permanently deleted and
    > the undo option is greyed out. User1 should not have been able to
    > delete this file. User1's effective permissions say he does not have
    > the ability to delete it.
    >
    > John
    >


    On the DATA folder under Special permissions, uncheck the Delete Subfolders
    and Files.
    Please note, if your account has Full Control over a folder, you have the
    power to delete subfolders and files within that folder regardless of the
    permissions assigned to those subfolders and files individually.
    Secondly, when you have NTFS permissions applied on both user and group, the
    least restrictive permissions applied.
     
    Dragon Without Wings, Nov 28, 2006
    #2

  3. > Secondly, When you have NTFS permissions applied on both user and group, the
    > least restrictive permissions applied.


    ???

    It's not the opposite? The MOST restrictive permissions applied?
     
    Rafael Santos, Nov 28, 2006
    #3
  4. "Rafael Santos" wrote:

    > > Secondly, When you have NTFS permissions applied on both user and group, the
    > > least restrictive permissions applied.

    >
    > ???
    >
    > It's not the opposite? The MOST restrictive permissions applied?


    Nope, the MOST restrictive permissions applied when you have a shared folder.
     
    Dragon Without Wings, Nov 28, 2006
    #4
  5. Rafael Santos wrote:
    >> Secondly, When you have NTFS permissions applied on both user and group, the
    >> least restrictive permissions applied.

    >
    > ???
    >
    > It's not the opposite? The MOST restrictive permissions applied?


    No... it never made sense to me either!
     
    Jonathan Roberts, Nov 28, 2006
    #5
  6. John

    John Guest

    Actually, I found the answer to my own question from Microsoft's site.
    Everything is starting to make sense now.

    Microsoft's Explanation:

    "Groups or users that are granted Full Control on a folder can delete
    any files in that folder, regardless of the permissions protecting the
    file."

    So, even if the Users group has Full Control on the folder and User1
    who is a member of the users group has Deny Full Control on a file,
    User1 can still delete the file when he logs on. This appears to be
    the only instance where an explicit Deny does not apply.

    The solution is to not grant Full Control to the Users group on the
    folder, but rather grant the Modify permission if you plan on marking
    certain files to Deny delete for the Users group.

    Link:

    http://technet2.microsoft.com/Windo...5a2e-4001-b659-0c23c90f76f61033.mspx?mfr=true

    John


    On Tue, 28 Nov 2006 01:56:48 -0700, John <> wrote:

    >I seem to be having an NTFS meltdown here. Believe it or not, I've
    >read several Microsoft books, as well as articles on TechNet covering
    >NTFS permissions thoroughly, but I appear to be regressing. I'm just
    >trying to grasp this. I thought I understood the idea of permissions
    >being cumulative. I also thought I understood that an explicit Deny
    >overrides all. That being said, why would user1 still be able to
    >delete the Test.txt file in the following scenario?
    >
    >User1 is a member of the Users group
    >Administrator is the owner of Test.txt and C:\Data
    >
    >C:\DATA <--- Users Group Full Control
    > (nothing else on ACL)
    > (Inheritance: This folder only)
    >
    >C:\DATA\TEST.TXT <--- User1 Explicitly denied Delete on file
    > (nothing else on ACL)
    > (Inheritance turned off)
    >
    >When User1 logs in, he is able to delete test.txt!! Why? Am I missing
    >something? Also something to note, I opt to delete to the recycle bin,
    >but when user1 deletes this file, the file is permanently deleted and
    >the undo option is greyed out. User1 should not have been able to
    >delete this file. User1's effective permissions say he does not have
    >the ability to delete it.
    >
    >John
     
    John, Nov 29, 2006
    #6
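
The delete decision discussed in this thread, as an added example that is not part of the original posts and is not Windows code: a simplified Python model in which a delete succeeds when the caller has DELETE on the file or "Delete Subfolders and Files" (FILE_DELETE_CHILD) on the parent folder. The ACL tuples and the names `access_check` and `can_delete` are constructed for illustration; the access-mask values are the standard Windows ones.

```python
# Simplified model of the NTFS delete decision (added example; not Windows code).
DELETE = 0x00010000             # standard right: delete this object
FILE_DELETE_CHILD = 0x00000040  # directory right: "Delete Subfolders and Files"
FULL_CONTROL = 0x001F01FF       # FILE_ALL_ACCESS, includes FILE_DELETE_CHILD
MODIFY = 0x001301BF             # read/write/execute + DELETE, no FILE_DELETE_CHILD


def access_check(dacl, token, desired):
    """Walk ACEs in order; a matching deny on a still-needed bit fails the check."""
    remaining = desired
    for ace_type, trustee, mask in dacl:
        if trustee not in token:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return False  # bits never granted are implicitly denied


def can_delete(file_dacl, parent_dacl, token):
    """Delete succeeds with DELETE on the file OR FILE_DELETE_CHILD on its parent."""
    return (access_check(file_dacl, token, DELETE)
            or access_check(parent_dacl, token, FILE_DELETE_CHILD))


# Constructed data mirroring the thread's scenario.
USER1_TOKEN = {"User1", "Users"}
FILE_DACL = [("deny", "User1", DELETE)]            # C:\DATA\TEST.TXT
FOLDER_FULL = [("allow", "Users", FULL_CONTROL)]   # C:\DATA as first posted
FOLDER_MODIFY = [("allow", "Users", MODIFY)]       # C:\DATA after the fix

if __name__ == "__main__":
    print("file ACL alone allows delete:",
          access_check(FILE_DACL, USER1_TOKEN, DELETE))
    print("Users = Full Control on folder:",
          can_delete(FILE_DACL, FOLDER_FULL, USER1_TOKEN))
    print("Users = Modify on folder:",
          can_delete(FILE_DACL, FOLDER_MODIFY, USER1_TOKEN))
```

The model covers only the DACL walk; ownership, privileges and share permissions are left out.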