NTFS Permissions Question

Discussion in 'MCSE' started by blastingfonda@gmail.com, Feb 3, 2005.

  1. Guest

    I've Googled and searched all over Microsoft's site for an answer to
    this question and I'm completely stumped. Hopefully I can find an
    answer here...

    Everywhere I've read (Win 2k3 server documentation on Microsoft's web
    site, the Microsoft Press books, etc.), if a user is granted Modify
    permission, he cannot delete files or subfolders unless explicitly
    granted the Delete permission. However, the Full Control permission
    does include the Delete Subfolders and Files special permission.

    To see how this played out, I created a new user, TestUser, and created
    two new folders in a NTFS partition on a Win2k3 box as the Admin -
    Modify and FullControl. Each has a subfolder labeled Test with a file.
    TestUser has Modify rights on the Modify folder and Full Control rights
    to the FullControl folder. TestUser is not a member of the
    Administrators or any other group and no other users or groups have
    rights to these folders.

    When I log in as TestUser, I can delete the Test subfolder in the
    Modify folder. Why is this happening? Well, when I look at the ACL on
    the Test folder, I notice TestUser's Modify permission is inherited
    from the Modify folder -- and of course that includes the ability to
    Delete.

    So what happens when I flip off the inheritance checkbox? TestUser can
    no longer delete the subfolder - which is good. However, I then
    unchecked the inheritance checkboxes in the FullControl folder as well
    and logged on as TestUser. TestUser CAN'T delete subfolders when
    inheritance is flipped off, even though he has the Delete Subfolders
    and Files permission at the folder level. Once again, everywhere I've
    read states that a user with that permission should be able to delete
    subfolders regardless of a lack of explicit permissions.

    Try this scenario yourself to see what I'm experiencing... (who knows,
    it may just be a glitch on my config...)

    Needless to say I wouldn't give a rat's ass about this in real world
    situations and would simply assign Deny permissions in cases where I
    didn't want to give people access, but on the MCSE tests there are a
    ton of questions on permissions and inheritance that don't really
    correspond to real world scenarios, but may deny someone from getting a
    useless piece of paper that companies nonetheless put value in if they
    get those questions wrong.

    Any help on this would be appreciated...

    - bf -
     
    , Feb 3, 2005
    #1

  2. Neil Guest

    did you hear say in news:1107470999.091325.292670
    @z14g2000cwz.googlegroups.com:

    > Everywhere I've read (Win 2k3 server documentation on Microsoft's web
    > site, the Microsoft Press books, etc.), if a user is granted Modify
    > permission, he cannot delete files or subfolders unless explicitly
    > granted the Delete permission. However, the Full Control permission
    > does include the Delete Subfolders and Files special permission.


    it's called inheritance. applying the modify permission on a top level
    folder causes that permission to flow down to sub-folders and files. Unless
    the inheritance is blocked or an additional explicit overriding permission
    is applied this is the default in 2k/2k3.

    here:
    http://www.microsoft.com/mspress/books/sampchap/6103a.asp

    --
    Neil MCNGP #30
    Visit www.mcngp.com for your chance to amuse
    nerd32768 and annoy the rest of us
     
    Neil, Feb 4, 2005
    #2

  3. Adam Leinss Guest

    wrote in
    news::

    >... if a user is granted
    > Modify permission, he cannot delete files or subfolders unless
    > explicitly granted the Delete permission.


    > ... when I look at the ACL
    > on the Test folder, I notice TestUser's Modify permission is
    > inherited from the Modify folder -- and of course that includes
    > the ability to Delete.


    You seem to be saying two completely different things here about what
    the modify permission allows you to do. I believe the permissions are
    additive and work like this:

    Modify rights only: can modify files or folders, but not delete them

    Delete rights only: since you cannot modify files or folders, you can
    not delete them (deletion would be a modification would it not?)

    Modify + Delete rights: you can both modify and delete files

    Adam
     
    Adam Leinss, Feb 4, 2005
    #3
  4. Guest

    Neil wrote:
    > > Everywhere I've read (Win 2k3 server documentation on Microsoft's web
    > > site, the Microsoft Press books, etc.), if a user is granted Modify
    > > permission, he cannot delete files or subfolders unless explicitly
    > > granted the Delete permission. However, the Full Control permission
    > > does include the Delete Subfolders and Files special permission.
    >
    > it's called inheritance. applying the modify permission on a top level
    > folder causes that permission to flow down to sub-folders and files. Unless
    > the inheritance is blocked or an additional explicit overriding permission
    > is applied this is the default in 2k/2k3.


    The problem I have is that if inheritance is not blocked, Modify
    behaves the same as Full Control - I can delete all subfolders and
    files at will without having to assign myself a "delete" right - which
    goes against all documentation on the issue. This is because modify
    trickles down to the subfolder if inheritance is checked.

    But if I block inheritance, then I should still be able to delete the
    subfolder if I have Full Control. Full Control includes the Delete
    Subfolders and Files permission. Modify does not.

    But that isn't happening. Full Control and Modify are behaving the same
    with inheritance blocked or unblocked as far as deleting folders is
    concerned - but that's 100% wrong according to the documentation.
    That's why I'm banging my head against the wall on this issue.
     
    , Feb 4, 2005
    #4
  5. Modify permissions does allow a user to delete the file or folder they have
    modify permissions to. If you check the special permissions for that user it
    should show "delete" is enabled. --- Steve



    <> wrote in message
    news:...
    >
    > Neil wrote:
    >> > Everywhere I've read (Win 2k3 server documentation on Microsoft's web
    >> > site, the Microsoft Press books, etc.), if a user is granted Modify
    >> > permission, he cannot delete files or subfolders unless explicitly
    >> > granted the Delete permission. However, the Full Control permission
    >> > does include the Delete Subfolders and Files special permission.
    >>
    >> it's called inheritance. applying the modify permission on a top level
    >> folder causes that permission to flow down to sub-folders and files. Unless
    >> the inheritance is blocked or an additional explicit overriding permission
    >> is applied this is the default in 2k/2k3.
    >
    > The problem I have is that if inheritance is not blocked, Modify
    > behaves the same as Full Control - I can delete all subfolders and
    > files at will without having to assign myself a "delete" right - which
    > goes against all documentation on the issue. This is because modify
    > trickles down to the subfolder if inheritance is checked.
    >
    > But if I block inheritance, then I should still be able to delete the
    > subfolder if I have Full Control. Full Control includes the Delete
    > Subfolders and Files permission. Modify does not.
    >
    > But that isn't happening. Full Control and Modify are behaving the same
    > with inheritance blocked or unblocked as far as deleting folders is
    > concerned - but that's 100% wrong according to the documentation.
    > That's why I'm banging my head against the wall on this issue.
    >
     
    Steven L Umbach, Feb 4, 2005
    #5
  6. Guest

    Adam Leinss wrote:

    > You seem to be saying two completely different things here about what
    > the modify permission allows you to do. I believe the permissions are
    > additive and work like this:
    >
    > Modify rights only: can modify files or folders, but not delete them
    >
    > Delete rights only: since you cannot modify files or folders, you can
    > not delete them (deletion would be a modification would it not?)
    >
    > Modify + Delete rights: you can both modify and delete files
    >
    > Adam


    Wrong - Modify includes Delete.

    Rights that are activated when you apply the Modify right on a folder:
    Traverse Folder/Execute File
    List Folder/Read Data
    Read Attributes
    Read Extended Attributes
    Create Files/Write Data
    Create Folders/Append Data
    Write Attributes
    Write Extended Attributes
    Delete
    Read Permissions
    Synchronize

    Rights that aren't activated when you select Modify:
    Delete Subfolders and Files
    Change Permissions
    Take Ownership

    ....all of which you can do when Full Control is applied.

    This is obtained from Microsoft Win2k3 Server Docs:
    http://www.microsoft.com/resources/...ard/proddocs/en-us/acl_folder_permissions.asp

    Now check out the entries for Delete and Delete Subfolders and Files:

    Delete: Allows or denies deleting the file or folder. If you do not
    have Delete permission on a file or folder, you can still delete it if
    you have been granted Delete Subfolders and Files on the parent folder.


    Delete Subfolders and Files: Allows or denies deleting subfolders and
    files, even if the Delete permission has not been granted on the
    subfolder or file. (Applies to folders.)

    This is obtained here:
    http://www.microsoft.com/resources/...d/proddocs/en-us/sag_SEconceptsImpLocScen.asp

    However what's happening is both Modify and Full Control (which has the
    delete Subfolders and Files permission) behave exactly the same. Both
    delete subfolders if inheritance on the child folder is checked, both
    are unable to delete subfolders if inheritance on the child folder is
    unchecked.

    Try it yourself.
     
    , Feb 4, 2005
    #6
  7. Guest

    Steven L Umbach wrote:
    > Modify permissions does allow a user to delete the file or folder they have
    > modify permissions to. If you check the special permissions for that user it
    > should show "delete" is enabled. --- Steve


    Thanks -- but if you reread my initial post you'll notice I stated that
    already.

    But back to my original question - does Modify allow you to delete
    subfolders / files? If so, why isn't the Delete Subfolders and Files
    permission highlighted when you select Modify?
     
    , Feb 4, 2005
    #7
  8. MikeF Guest

    Sorry for top post.
    Answer is, modify includes delete, but not delete subfolders and files. If
    they have modify on the parent folder they have delete on the parent, which
    flows thru inheritance to the subfolders and files.

    The purpose of the delete subfolders and files is to be applied to specific
    subfolder(s) when delete is not inherited from the parent folder. Thus you
    could have a parent folder to which the user's perms allow no deletion.
    Under it you could have 5 subfolders. And under them more subs, and so on.
    On two of the subfolders you might wish to give the user delete subfolders
    and files. And here comes Microsoft, with just the permission you need.

    The relevant info is available in Server 03 help. I copied it below, but if
    it comes out garbled, search on permissions, then find Permissions : Access
    Control > Permissions For Files and Folders, then from a link on that page,
    File and Folder Permissions.

    It's admittedly finicky, but it makes sense.

    Good luck

    Mike


    Delete Subfolders and Files: Allows or denies deleting subfolders and
    files, even if the Delete permission has not been granted on the subfolder
    or file. (Applies to folders.)

    Delete: Allows or denies deleting the file or folder. If you do not
    have Delete permission on a file or folder, you can still delete it if you
    have been granted Delete Subfolders and Files on the parent folder.


    Special Permissions           Full Control  Modify  Read & Execute  List Folder Contents (folders only)  Read  Write
    Traverse Folder/Execute File  x             x       x               x
    List Folder/Read Data         x             x       x               x                                    x
    Read Attributes               x             x       x               x                                    x
    Read Extended Attributes      x             x       x               x                                    x
    Create Files/Write Data       x             x                                                                  x
    Create Folders/Append Data    x             x                                                                  x
    Write Attributes              x             x                                                                  x
    Write Extended Attributes     x             x                                                                  x
    Delete Subfolders and Files   x
    Delete                        x             x
    Read Permissions              x             x       x               x                                    x     x
    Change Permissions            x
    Take Ownership                x
    Synchronize                   x             x       x               x                                    x     x


    <> wrote in message
    news:...
    > I've Googled and searched all over Microsoft's site for an answer to
    > this question and I'm completely stumped. Hopefully I can find an
    > answer here...
    >
    > Everywhere I've read (Win 2k3 server documentation on Microsoft's web
    > site, the Microsoft Press books, etc.), if a user is granted Modify
    > permission, he cannot delete files or subfolders unless explicitly
    > granted the Delete permission. However, the Full Control permission
    > does include the Delete Subfolders and Files special permission.
    >
    > To see how this played out, I created a new user, TestUser, and created
    > two new folders in a NTFS partition on a Win2k3 box as the Admin -
    > Modify and FullControl. Each has a subfolder labeled Test with a file.
    > TestUser has Modify rights on the Modify folder and Full Control rights
    > to the FullControl folder. TestUser is not a member of the
    > Administrators or any other group and no other users or groups have
    > rights to these folders.
    >
    > When I log in as TestUser, I can delete the Test subfolder in the
    > Modify folder. Why is this happening? Well, when I look at the ACL on
    > the Test folder, I notice TestUser's Modify permission is inherited
    > from the Modify folder -- and of course that includes the ability to
    > Delete.
    >
    > So what happens when I flip off the inheritance checkbox? TestUser can
    > no longer delete the subfolder - which is good. However, I then
    > unchecked the inheritance checkboxes in the FullControl folder as well
    > and logged on as TestUser. TestUser CAN'T delete subfolders when
    > inheritance is flipped off, even though he has the Delete Subfolders
    > and Files permission at the folder level. Once again, everywhere I've
    > read states that a user with that permission should be able to delete
    > subfolders regardless of a lack of explicit permissions.
    >
    > Try this scenario yourself to see what I'm experiencing... (who knows,
    > it may just be a glitch on my config...)
    >
    > Needless to say I wouldn't give a rat's ass about this in real world
    > situations and would simply assign Deny permissions in cases where I
    > didn't want to give people access, but on the MCSE tests there are a
    > ton of questions on permissions and inheritance that don't really
    > correspond to real world scenarios, but may deny someone from getting a
    > useless piece of paper that companies nonetheless put value in if they
    > get those questions wrong.
    >
    > Any help on this would be appreciated...
    >
    > - bf -
    >
     
    MikeF, Feb 4, 2005
    #8
  9. Guest

    Steven L Umbach wrote:
    > Modify permissions does allow a user to delete the file or folder they have
    > modify permissions to. If you check the special permissions for that user it
    > should show "delete" is enabled. --- Steve


    Yup, noticed that. But back to my original question - does Modify let
    you delete subfolders / files? If so, why is the Delete Subfolder and
    Files permission not granted to it?
     
    , Feb 4, 2005
    #9
  10. Yes, modify allows the user to delete subfolders and files. If you check the special
    permissions and "delete" is shown for the folder or file, then it can be
    deleted by the user. I have never found a need for "delete subfolders and
    files" permission since modify always [from what I can tell] includes
    "delete". The link below may help or cloud the issue. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;308419

    <> wrote in message
    news:...
    > Steven L Umbach wrote:
    >> Modify permissions does allow a user to delete the file or folder they have
    >> modify permissions to. If you check the special permissions for that user it
    >> should show "delete" is enabled. --- Steve
    >
    > Thanks -- but if you reread my initial post you'll notice I stated that
    > already.
    >
    > But back to my original question - does Modify allow you to delete
    > subfolders / files? If so, why isn't the Delete Subfolders and Files
    > permission highlighted when you select Modify?
    >
     
    Steven L Umbach, Feb 4, 2005
    #10
  11. Guest

    MikeF wrote:
    > Sorry for top post.
    > Answer is, modify includes delete, but not delete subfolders and files. If
    > they have modify on the parent folder they have delete on the parent, which
    > flows thru inheritance to the subfolders and files.
    >
    > The purpose of the delete subfolders and files is to be applied to specific
    > subfolder(s) when delete is not inherited from the parent folder. Thus you
    > could have a parent folder to which the user's perms allow no deletion.
    > Under it you could have 5 subfolders. And under them more subs, and so on.
    > On two of the subfolders you might wish to give the user delete subfolders
    > and files. And here comes Microsoft, with just the permission you need.
    >
    > The relevant info is available in Server 03 help. I copied it below, but if
    > it comes out garbled, search on permissions, then find Permissions : Access
    > Control > Permissions For Files and Folders, then from a link on that page,
    > File and Folder Permissions.
    >
    > It's admittedly finicky, but it makes sense.
    >
    > Good luck
    >
    > Mike


    Thanks everyone for posting - I think most comments were helpful and
    very close to the mark.

    As many noted, Modify causes the Delete permission to drill down when
    inheritance isn't blocked. So it doesn't matter that the Delete
    Subfolders and Files is unchecked. In this case, the feature is
    essentially useless - it can be checked or unchecked and it doesn't make
    a difference either way. On Full Control, it's a superfluous permission
    since FC already has the Delete permission and that's being inherited
    by child objects.

    That's why I was confused - I thought Full Control somehow had an
    ability to delete subfolders that Modify didn't. But outside of the
    take ownership permission and the ability to change permissions of
    child objects within the folder, Full Control = Modify.

    Meanwhile, I did some fiddling on my own and I came to the same
    conclusion that I see Mike posted here - the one time the Delete
    Subfolders and Files permission ever comes into play is when Delete is
    flipped off on the top-level folder and the Delete Subfolders and Files
    is flipped on. The user is then blocked from deleting the top folder,
    but can delete ALL subfolders and files, not just specific ones, Mike,
    unless inheritance is blocked or explicit Denies are put into place. I
    can see using this feature on Employee Folders on a company server,
    where you don't really care what employees do inside their own folder
    as long as they don't accidentally delete the "JohnDoe" folder itself.

    Thanks once again for all the help. It appears you guys aren't nearly
    as "worthless" as that one poster claimed. :)

    - bf -
     
    , Feb 4, 2005
    #11
  12. Neil Guest

    did you hear say in news:1107488431.775741.66700
    @f14g2000cwb.googlegroups.com:

    > Modify
    > behaves the same as Full Control


    Modify allows delete. Fullcontrol allows delete and the ability to grant
    permissions. did you READ that chapter?

    --
    Neil MCNGP #30
    Visit www.mcngp.com for your chance to amuse
    nerd32768 and annoy the rest of us
     
    Neil, Feb 4, 2005
    #12
  13. Neil Guest

    did you hear say in news:1107490075.892141.156290
    @z14g2000cwz.googlegroups.com:

    >
    > Steven L Umbach wrote:
    >> Modify permissions does allow a user to delete the file or folder they have
    >> modify permissions to. If you check the special permissions for that user it
    >> should show "delete" is enabled. --- Steve
    >
    > Yup, noticed that. But back to my original question - does Modify let
    > you delete subfolders / files? If so, why is the Delete Subfolder and
    > Files permission not granted to it?
    >
    >


    http://www.rmccown.org/bob/rtfm.html

    oy!

    --
    Neil MCNGP #30
    Visit www.mcngp.com for your chance to amuse
    nerd32768 and annoy the rest of us
     
    Neil, Feb 4, 2005
    #13
  14. Neil Guest

    did you hear say in news:1107489755.315832.132040
    @o13g2000cwo.googlegroups.com:

    > Rights that aren't activated when you select Modify:
    > Delete Subfolders and Files
    > Change Permissions
    > Take Ownership
    >
    > ...all of which you can do when Full Control is applied.


    though in da book WRONG! but I'm gonna take a stab and say that in MS's
    mind "the inheritance reapplies the top level permission on this folder as
    it flows down, reapplying the delete permission to the sub-folder when the
    modify permission is inherited from the level above."

    --
    Neil MCNGP #30
    Visit www.mcngp.com for your chance to amuse
    nerd32768 and annoy the rest of us
     
    Neil, Feb 4, 2005
    #14
  15. kpg Guest

    kpg, Feb 4, 2005
    #15
  16. T-Bone Guest

    <> wrote
    > Thanks everyone for posting - I think most comments were helpful and
    > very close to the mark.


    Like we told him, if you ask a good question, you get a good answer. You
    tried to find the answer yourself before posting. That is appreciated.

    T-Bone
    MCNGP
     
    T-Bone, Feb 4, 2005
    #16