Permissions question

Discussion in 'MCSE' started by Colin, Dec 13, 2005.

  1. I have this scenario:

    Create a folder on Windows 2003 Ent. Ed. server, share it as Everyone: Full
    Access.

    Security permissions on folder:
    Administrators: Full Control
    CREATOR OWNER: Full Control
    SYSTEM: Full Control
    Test Group: Read, Create, Write, Append

    So when a user of Test Group creates a file or folder on the share they
    become Creator Owner and have full access to that file or folder. But they
    cannot delete files or folders created by other users.

    Test
    1. Create a file in the folder as domain admin.
    2. Map to the share as a user in Test Group and try to delete the file. You get
    permission denied, which is expected.
    3. As the mapped user, create a folder in the share.
    4. Now create a file in that created folder as domain admin.
    5. Check permissions on the newly created file. Test Group or user has no
    delete permissions. Running Effective Permissions against the user also shows
    no delete permissions.
    6. Try to delete the file as the user: the file is deleted!

    I assume the file can be deleted because the user is the Creator Owner of
    the parent folder, which propagated Full Access down to the file. But this
    does not show up on the file's security settings. Why is that?

    Colin, Dec 13, 2005
    #1

  2. Colin

    Ben Smith Guest

    In article <>,
    says...
    > I have this scenario:
    >
    > Create a folder on Windows 2003 Ent. Ed. server, share it as Everyone: Full
    > Access.
    >
    > Security permissions on folder:
    > Administrators: Full Control
    > CREATOR OWNER: Full Control
    > SYSTEM: Full Control
    > Test Group: Read, Create, Write, Append
    >
    > So when a user of Test Group creates a file or folder on the share they
    > become Creator Owner and have full access to that file or folder. But they
    > cannot delete files or folders created by other users.
    >
    > Test
    > 1. Create a file in the folder as domain admin.
    > 2. Map to the share as a user in Test Group and try to delete the file. You get
    > permission denied, which is expected.
    > 3. As the mapped user, create a folder in the share.
    > 4. Now create a file in that created folder as domain admin.
    > 5. Check permissions on the newly created file. Test Group or user has no
    > delete permissions. Running Effective Permissions against the user also shows
    > no delete permissions.
    > 6. Try to delete the file as the user: the file is deleted!


    Right, this is the expected behavior.

    > I assume the file can be deleted because the user is the Creator Owner of
    > the parent folder, which propagated Full Access down to the file. But this
    > does not show up on the file's security settings. Why is that?
    >


    Because the permission the user is exercising is not on the file - it is
    on an object in the folder he has full control over. I will admit, it is
    a bit confusing.
     
    Ben Smith, Dec 13, 2005
    #2

  3. Ok, I understand that part. I'm still not rock solid about why it isn't
    visible through Security or Effective Permissions of that file object.

    I guess my question would be, how would you know that a user of Test Group
    could delete any files and folders under that directory just by looking at
    the security of one of those files or folders? What if you have a scenario
    where a file is buried under hundreds of directories, the top one being owned by
    some specific user; how hard would it be to determine that that file could be
    deleted by the user owning the top dir? How do you see that this user has any
    control over this file without winding your way up all the directories and
    looking for permissions? There must be an easier way. The Effective Permissions
    tab does not help, as it reports no delete permission, but deletion is in fact
    allowed.

    "Ben Smith" wrote:

    > In article <>,
    > says...
    > > I have this scenario:
    > >
    > > Create a folder on Windows 2003 Ent. Ed. server, share it as Everyone: Full
    > > Access.
    > >
    > > Security permissions on folder:
    > > Administrators: Full Control
    > > CREATOR OWNER: Full Control
    > > SYSTEM: Full Control
    > > Test Group: Read, Create, Write, Append
    > >
    > > So when a user of Test Group creates a file or folder on the share they
    > > become Creator Owner and have full access to that file or folder. But they
    > > cannot delete files or folders created by other users.
    > >
    > > Test
    > > 1. Create a file in the folder as domain admin.
    > > 2. Map to the share as a user in Test Group and try to delete the file. You get
    > > permission denied, which is expected.
    > > 3. As the mapped user, create a folder in the share.
    > > 4. Now create a file in that created folder as domain admin.
    > > 5. Check permissions on the newly created file. Test Group or user has no
    > > delete permissions. Running Effective Permissions against the user also shows
    > > no delete permissions.
    > > 6. Try to delete the file as the user: the file is deleted!

    >
    > Right, this is the expected behavior.
    >
    > > I assume the file can be deleted because the user is the Creator Owner of
    > > the parent folder, which propagated Full Access down to the file. But this
    > > does not show up on the file's security settings. Why is that?
    > >

    >
    > Because the permission the user is exercising is not on the file - it is
    > on an object in the folder he has full control over. I will admit, it is
    > a bit confusing.
    >
     
    Colin, Dec 13, 2005
    #3
  4. Colin

    Ben Smith Guest

    In article <>,
    says...
    > Ok, I understand that part. I'm still not rock solid about why it isn't
    > visible through Security or Effective Permissions of that file object.


    I am not sure how the UI calculates the effective permissions. Take a
    look at the Test group's permission on the folder. You should see that
    the permission is to the Folder and all objects in the folder, but the
    explicit permissions are only on folder objects, not file objects (which
    would explain the results of the effective permissions tab).

    > I guess my question would be, how would you know that a user of Test Group
    > could delete any files and folders under that directory just by looking at
    > the security of one of those files or folders? What if you have a scenario
    > where a file is buried under hundreds of directories, the top one being owned by
    > some specific user; how hard would it be to determine that that file could be
    > deleted by the user owning the top dir? How do you see that this user has any
    > control over this file without winding your way up all the directories and
    > looking for permissions? There must be an easier way. The Effective Permissions
    > tab does not help, as it reports no delete permission, but deletion is in fact
    > allowed.


    Your point is well-taken. I will run some tests next week and file a bug
    on it.

    > "Ben Smith" wrote:
    >
    > > In article <>,
    > > says...
    > > > I have this scenario:
    > > >
    > > > Create a folder on Windows 2003 Ent. Ed. server, share it as Everyone: Full
    > > > Access.
    > > >
    > > > Security permissions on folder:
    > > > Administrators: Full Control
    > > > CREATOR OWNER: Full Control
    > > > SYSTEM: Full Control
    > > > Test Group: Read, Create, Write, Append
    > > >
    > > > So when a user of Test Group creates a file or folder on the share they
    > > > become Creator Owner and have full access to that file or folder. But they
    > > > cannot delete files or folders created by other users.
    > > >
    > > > Test
    > > > 1. Create a file in the folder as domain admin.
    > > > 2. Map to the share as a user in Test Group and try to delete the file. You get
    > > > permission denied, which is expected.
    > > > 3. As the mapped user, create a folder in the share.
    > > > 4. Now create a file in that created folder as domain admin.
    > > > 5. Check permissions on the newly created file. Test Group or user has no
    > > > delete permissions. Running Effective Permissions against the user also shows
    > > > no delete permissions.
    > > > 6. Try to delete the file as the user: the file is deleted!

    > >
    > > Right, this is the expected behavior.
    > >
    > > > I assume the file can be deleted because the user is the Creator Owner of
    > > > the parent folder, which propagated Full Access down to the file. But this
    > > > does not show up on the file's security settings. Why is that?
    > > >

    > >
    > > Because the permission the user is exercising is not on the file - it is
    > > on an object in the folder he has full control over. I will admit, it is
    > > a bit confusing.
    > >

    >
     
    Ben Smith, Dec 13, 2005
    #4
  5. Security Effective Permissions doesn't take into account any SHARE
    permissions, only the NTFS permissions. And if you are looking for creator
    owner permissions then you would need to use CREATOR OWNER in the effective
    permissions user dialog box.

    --
    ..rev.mct.mcngp.44

    It is the mark of an educated man to be able to entertain a thought without
    accepting it.
    ~Aristotle
    ..
    "Colin" <> wrote in message
    news:...
    >I have this scenario:
    >
    > Create a folder on Windows 2003 Ent. Ed. server, share it as Everyone:
    > Full
    > Access.
    >
    > Security permissions on folder:
    > Administrators: Full Control
    > CREATOR OWNER: Full Control
    > SYSTEM: Full Control
    > Test Group: Read, Create, Write, Append
    >
    > So when a user of Test Group creates a file or folder on the share they
    > become Creator Owner and have full access to that file or folder. But they
    > cannot delete files or folders created by other users.
    >
    > Test
    > 1. Create a file in the folder as domain admin.
    > 2. Map to the share as a user in Test Group and try to delete the file. You
    > get
    > permission denied, which is expected.
    > 3. As the mapped user, create a folder in the share.
    > 4. Now create a file in that created folder as domain admin.
    > 5. Check permissions on the newly created file. Test Group or user has no
    > delete permissions. Running Effective Permissions against the user also
    > shows
    > no delete permissions.
    > 6. Try to delete the file as the user: the file is deleted!
    >
    > I assume the file can be deleted because the user is the Creator Owner of
    > the parent folder, which propagated Full Access down to the file. But this
    > does not show up on the file's security settings. Why is that?
     
    The Rev [MCT], Dec 13, 2005
    #5
  6. Colin

    Ben Smith Guest

    In article <>,
    says...
    > Subject: Re: Permissions question
    > From: Colin <>
    > Newsgroups: microsoft.public.cert.exam.mcse
    >
    > Ok, I understand that part. I'm still not rock solid about why it isn't
    > visible through Security or Effective Permissions of that file object.
    >
    > I guess my question would be, how would you know that a user of Test Group
    > could delete any files and folders under that directory just by looking at
    > the security of one of those files or folders? What if you have a scenario
    > where a file is buried under hundreds of directories, the top one being owned by
    > some specific user; how hard would it be to determine that that file could be
    > deleted by the user owning the top dir? How do you see that this user has any
    > control over this file without winding your way up all the directories and
    > looking for permissions? There must be an easier way. The Effective Permissions
    > tab does not help, as it reports no delete permission, but deletion is in fact
    > allowed.
    >


    I ran this test on XPSP2. The test user did not show up in the file ACL,
    as expected, but the effective permissions tab did show that the test
    user had modify permissions on the file.

    Steps:

    1) Create share on HOST (HOST\Share) for c:\test1 as Ben, an
    administrator
    2) Change Share perms from everyone Read to FC
    3) Grant Bill_Test Modify permissions on the folder c:\test1
    4) Map a drive to HOST\share from remote computer as Bill_Test
    5) Create a folder called Bill_Test1 in HOST\Share
    6) On host, create a file (as Ben) in c:\test1\Bill_Test

    Opening the ACL editor and looking at the file's acl does not list
    Bill_Test in the ACEs (this is expected), but using the Effective
    Permissions tab did show that Bill_Test effectively had Modify
    permissions on the file because Bill_Test has FC on the folder where the
    file was created.

    The real problem is that Bill_Test could modify the file, but was not
    listed in the ACL.

    I will ping the person who owns the ACL UI today.
     
    Ben Smith, Dec 13, 2005
    #6
  7. Colin

    Ben Smith Guest

    In article <OA5KAy$$>,
    says...
    > Subject: Re: Permissions question
    > From: The Rev [MCT] <>
    > Newsgroups: microsoft.public.cert.exam.mcse
    >
    > Security Effective Permissions doesn't take into account any SHARE
    > permissions, only the NTFS permissions. And if you are looking for creator
    > owner permissions then you would need to use CREATOR OWNER in the effective
    > permissions user dialog box.
    >
    >


    Share permissions are completely irrelevant in this scenario because they
    are set to FC.
     
    Ben Smith, Dec 13, 2005
    #7
  8. Colin

    Ben Smith Guest

    In article <>,
    says...
    > I will ping the person who owns the ACL UI today.
    >
    >


    He is out until next week, so I will update this when he returns.
     
    Ben Smith, Dec 13, 2005
    #8
  9. Also, apart from what Ben said, the owner of the file is administrator.

    "The Rev [MCT]" wrote:

    > Security Effective Permissions doesn't take into account any SHARE
    > permissions, only the NTFS permissions. And if you are looking for creator
    > owner permissions then you would need to use CREATOR OWNER in the effective
    > permissions user dialog box.
    >
    > --
    > ..rev.mct.mcngp.44
    >
    > It is the mark of an educated man to be able to entertain a thought without
    > accepting it.
    > ~Aristotle
    > ..
    > "Colin" <> wrote in message
    > news:...
    > >I have this scenario:
    > >
    > > Create a folder on Windows 2003 Ent. Ed. server, share it as Everyone:
    > > Full
    > > Access.
    > >
    > > Security permissions on folder:
    > > Administrators: Full Control
    > > CREATOR OWNER: Full Control
    > > SYSTEM: Full Control
    > > Test Group: Read, Create, Write, Append
    > >
    > > So when a user of Test Group creates a file or folder on the share they
    > > become Creator Owner and have full access to that file or folder. But they
    > > cannot delete files or folders created by other users.
    > >
    > > Test
    > > 1. Create a file in the folder as domain admin.
    > > 2. Map to the share as a user in Test Group and try to delete the file. You
    > > get
    > > permission denied, which is expected.
    > > 3. As the mapped user, create a folder in the share.
    > > 4. Now create a file in that created folder as domain admin.
    > > 5. Check permissions on the newly created file. Test Group or user has no
    > > delete permissions. Running Effective Permissions against the user also
    > > shows
    > > no delete permissions.
    > > 6. Try to delete the file as the user: the file is deleted!
    > >
    > > I assume the file can be deleted because the user is the Creator Owner of
    > > the parent folder, which propagated Full Access down to the file. But this
    > > does not show up on the file's security settings. Why is that?

    >
    >
    >
     
    Colin, Dec 14, 2005
    #9
  10. "Ben Smith" wrote:

    > In article <>,
    > says...
    > > I will ping the person who owns the ACL UI today.
    > >
    > >

    >
    > He is out until next week, so I will update this when he returns.
    >


    Great, thanks Ben.
     
    Colin, Dec 14, 2005
    #10
  11. >
    > I ran this test on XPSP2. The test user did not show up in the file ACL,
    > as expected, but the effective permissions tab did show that the test
    > user had modify permissions on the file.
    >
    > Steps:
    >
    > 1) Create share on HOST (HOST\Share) for c:\test1 as Ben, an
    > administrator
    > 2) Change Share perms from everyone Read to FC
    > 3) Grant Bill_Test Modify permissions on the folder c:\test1
    > 4) Map a drive to HOST\share from remote computer as Bill_Test
    > 5) Create a folder called Bill_Test1 in HOST\Share
    > 6) On host, create a file (as Ben) in c:\test1\Bill_Test
    >
    > Opening the ACL editor and looking at the file's acl does not list
    > Bill_Test in the ACEs (this is expected), but using the Effective
    > Permissions tab did show that Bill_Test effectively had Modify
    > permissions on the file because Bill_Test has FC on the folder where the
    > file was created.
    >
    > The real problem is that Bill_Test could modify the file, but was not
    > listed in the ACL.
    >
    > I will ping the person who owns the ACL UI today.
    >


    I got to try this eventually on XPSP2, first using my steps, and I got the
    same result as on W2k3 Server. So I tried your steps and got your results:
    effective permissions are correct, ACL entries are not. So there is a
    difference between what your steps do and mine. The difference between your
    method and mine is that you grant the user Modify permissions and I grant the
    standard Read, Execute permissions that are granted when adding a new ACL
    entry, but include Create Files / Write Data, Create Folders / Append Data so
    new users can create new content and delete it, but cannot delete content
    created by other users.

    The result is, it is still the same problem between XPSP2 and W2K3 Server. I
    wrote a quick and dirty script that uses WMI to display ACL entries and I get
    the same results given to me by the ACL editor.

    '-------------------------------------------
    ' Main
    '-------------------------------------------

    DisplaySecurity "D:\Share\New\abc.txt"

    '-------------------------------------------
    ' End Main
    '-------------------------------------------

    '-------------------------------------------
    ' Display file / folder security
    ' Lists every ACE in the DACL of one file or folder via WMI
    '-------------------------------------------
    Sub DisplaySecurity(Path)
        Dim oFileSec
        Dim oSecDesc
        Dim Ace

        WScript.Echo Path & vbCrLf

        ' Backslashes must be doubled inside a WMI object path
        Path = Replace(Path, "\", "\\")

        ' Bind to the object's security setting and fetch its security descriptor
        Set oFileSec = _
            GetObject("winmgmts:root\cimv2:Win32_LogicalFileSecuritySetting.path='" & _
            Path & "'")
        Call oFileSec.GetSecurityDescriptor(oSecDesc)

        ' Print each ACE: access mask, type (allow/deny), trustee name and SID
        For Each Ace In oSecDesc.DACL
            WScript.Echo "Access Mask : " & Ace.AccessMask
            WScript.Echo "ACE Type " & vbTab & ": " & Ace.AceType

            ' Well-known trustees such as CREATOR OWNER have no domain
            If Len(Ace.Trustee.Domain) > 0 Then
                WScript.Echo "Name " & vbTab & vbTab & ": " & Ace.Trustee.Domain & "\" & _
                    Ace.Trustee.Name
            Else
                WScript.Echo "Name " & vbTab & vbTab & ": " & Ace.Trustee.Name
            End If

            ' Trustee.SID is a byte array; join its elements for display
            WScript.Echo "SID " & vbTab & vbTab & ": {" & Join(Ace.Trustee.SID, "-") & "}"
            WScript.Echo ""
        Next

        WScript.Echo ""
    End Sub
     
    Colin, Dec 16, 2005
    #11
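Colin asks in #3 how to tell, from one file alone, that a user can delete it, and Ben's #6 locates the answer on the parent folder: NTFS grants a delete either through DELETE on the object or through FILE_DELETE_CHILD (DeleteSubdirectoriesAndFiles) on the folder that contains it, and the file's Effective Permissions tab only evaluates the first. The PowerShell below is an added example, not Colin's VBScript or Microsoft's code; it checks both paths for one account, assumes Get-Acl can read both the file and its parent, and uses the caller's own token unless another WindowsIdentity is supplied.

```powershell
# Added example (not the thread's code): report whether an account can delete a
# file via either NTFS path, DELETE on the file itself or FILE_DELETE_CHILD
# (DeleteSubdirectoriesAndFiles) on the parent folder.

function Get-AllowedRights {
    param(
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemSecurity]$Acl,
        [Parameter(Mandatory)][string[]]$SidValues   # SIDs of the user and their groups
    )
    $allowed = 0
    $denied  = 0
    # Walk the DACL in stored (canonical) order, as the access check does: a bit
    # denied by an earlier ACE cannot be granted back by a later one.
    foreach ($ace in $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        # Inherit-only ACEs (the CREATOR OWNER template on a folder, for example)
        # apply to children created later, never to this object itself.
        $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
        if ([int]($ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ($SidValues -notcontains $ace.IdentityReference.Value) { continue }
        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Deny') { $denied = $denied -bor $mask }
        else { $allowed = $allowed -bor ($mask -band (-bnot $denied)) }
    }
    return $allowed
}

function Test-DeleteAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Defaults to the caller's own token. To audit another account on a
        # domain-joined host: New-Object System.Security.Principal.WindowsIdentity 'user@domain'
        [System.Security.Principal.WindowsIdentity]$Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )
    # Approximation: owner-implicit rights and deny-only groups are not modelled.
    $sids = @($Identity.User.Value) + @($Identity.Groups | ForEach-Object { $_.Value })
    $item = Get-Item -LiteralPath $Path -Force
    $parentPath = [System.IO.Path]::GetDirectoryName($item.FullName)

    $delete      = [int][System.Security.AccessControl.FileSystemRights]::Delete
    $deleteChild = [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

    $onObject = Get-AllowedRights -Acl (Get-Acl -LiteralPath $item.FullName) -SidValues $sids
    $onParent = 0
    if ($parentPath) {   # a volume root has no parent folder to grant FILE_DELETE_CHILD
        $onParent = Get-AllowedRights -Acl (Get-Acl -LiteralPath $parentPath) -SidValues $sids
    }
    $viaObject = ($onObject -band $delete) -ne 0
    $viaParent = ($onParent -band $deleteChild) -ne 0

    [pscustomobject]@{
        Path                = $item.FullName
        Identity            = $Identity.Name
        DeleteOnObject      = $viaObject   # what the file's Effective Permissions tab evaluates
        DeleteChildOnParent = $viaParent   # what it leaves out
        CanDelete           = ($viaObject -or $viaParent)
    }
}

# Run against the file from Colin's script, logged on as the account being audited:
Test-DeleteAccess -Path 'D:\Share\New\abc.txt' | Format-List
```

For the thread's layout, the Test Group user gets DeleteOnObject False and DeleteChildOnParent True, which is exactly the combination the file's ACL editor and Effective Permissions tab do not surface.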
