Totally confused with this NTFS scenario!

Discussion in 'MCSA' started by John, Nov 27, 2006.

  1. John

    John Guest

    Can someone please tell me why this is not working?
    I'm using XP SP2 with the NTFS file system.

    Scenario:

    * Using the admin account, I created a standard user, named "User1"

    * I have a folder at the root of C:\ called "DATA"

    * I disabled inheritance for "C:\DATA" via the admin account

    * I removed all entries from the C:\DATA folder's ACL and added the
    Users group "Full Control" for "This Folder, Subfolders, and Files"

    * Under the C:\DATA folder I created a text document called TEST.TXT

    * On TEST.TXT, I disabled inheritance, removed all entries on the ACL,
    and then added only one entry to the ACL, which is set to: User1
    to have Read-only access.

    Now, when I log into XP using the User1 account, I can access the
    TEST.TXT file as expected, but I am able to delete it. Why is this
    the case if User1 has only read permissions on that file? I thought
    that shutting off inheritance for individual files enables you to
    have more granular control over objects via their own ACL. I thought
    I would have received an access denied message. Why is it still
    looking at the Users group "Full Control" setting on the parent folder
    if I shut off inheritance for the TEST.TXT file? How do I do a
    workaround?

    John
     
    John, Nov 27, 2006
    #1

  2. "John" wrote:

    > Can someone please tell me why this is not working?
    > I'm using XP SP2 with the NTFS file system.
    >
    > Scenario:
    >
    > * Using the admin account, I created a standard user, named "User1"
    >
    > * I have a folder at the root of C:\ called "DATA"
    >
    > * I disabled inheritance for "C:\DATA" via the admin account
    >
    > * I removed all entries from the C:\DATA folder's ACL and added the
    > Users group "Full Control" for "This Folder, Subfolders, and Files"
    >
    > * Under the C:\DATA folder I created a text document called TEST.TXT
    >
    > * On TEST.TXT, I disabled inheritance, removed all entries on the ACL,
    > and then added only one entry to the ACL, which is set to: User1
    > to have Read-only access.
    >
    > Now, when I log into XP using the User1 account, I can access the
    > TEST.TXT file as expected, but I am able to delete it. Why is this
    > the case if User1 has only read permissions on that file? I thought
    > that shutting off inheritance for individual files enables you to
    > have more granular control over objects via their own ACL. I thought
    > I would have received an access denied message. Why is it still
    > looking at the Users group "Full Control" setting on the parent folder
    > if I shut off inheritance for the TEST.TXT file? How do I do a
    > workaround?
    >
    > John
    >
    >


    Principal rule for NTFS permissions: "NTFS permissions are cumulative". This
    means that a user's effective permissions are the result of combining the
    user's assigned permissions. If your User1 belongs to the Users group, then
    he will have Read and Change permissions on that TEST.TXT file, which in turn
    allows him to delete the file.
     
    Dragon Without Wings, Nov 27, 2006
    #2

  3. John

    AJR Guest

    In addition to "Dragon Without Wings's" reply - in creating the file, did
    "User1" become the owner?

    "Dragon Without Wings" <> wrote in message
    news:...
    > "John" wrote:
    >
    >> Can someone please tell me why this is not working?
    >> I'm using XP SP2 with the NTFS file system.
    >>
    >> Scenario:
    >>
    >> * Using the admin account, I created a standard user, named "User1"
    >>
    >> * I have a folder at the root of C:\ called "DATA"
    >>
    >> * I disabled inheritance for "C:\DATA" via the admin account
    >>
    >> * I removed all entries from the C:\DATA folder's ACL and added the
    >> Users group "Full Control" for "This Folder, Subfolders, and Files"
    >>
    >> * Under the C:\DATA folder I created a text document called TEST.TXT
    >>
    >> * On TEST.TXT, I disabled inheritance, removed all entries on the ACL,
    >> and then added only one entry to the ACL, which is set to: User1
    >> to have Read-only access.
    >>
    >> Now, when I log into XP using the User1 account, I can access the
    >> TEST.TXT file as expected, but I am able to delete it. Why is this
    >> the case if User1 has only read permissions on that file? I thought
    >> that shutting off inheritance for individual files enables you to
    >> have more granular control over objects via their own ACL. I thought
    >> I would have received an access denied message. Why is it still
    >> looking at the Users group "Full Control" setting on the parent folder
    >> if I shut off inheritance for the TEST.TXT file? How do I do a
    >> workaround?
    >>
    >> John
    >>
    >>
    >
    > Principal rule for NTFS permissions: "NTFS permissions are cumulative". This
    > means that a user's effective permissions are the result of combining the
    > user's assigned permissions. If your User1 belongs to the Users group, then
    > he will have Read and Change permissions on that TEST.TXT file, which in turn
    > allows him to delete the file.
     
    AJR, Nov 27, 2006
    #3
  4. John

    John Guest

    No, TEST.TXT was created with the administrator account, so the admin
    is the owner.


    On Mon, 27 Nov 2006 17:17:31 -0500, "AJR" <> wrote:

    >In addition to "Dragon Without Wings's" reply - in creating the file, did
    >"User1" become the owner?
    >
    >"Dragon Without Wings" <> wrote in message
    >news:...
    >> "John" wrote:
    >>
    >>> Can someone please tell me why this is not working?
    >>> I'm using XP SP2 with the NTFS file system.
    >>>
    >>> Scenario:
    >>>
    >>> * Using the admin account, I created a standard user, named "User1"
    >>>
    >>> * I have a folder at the root of C:\ called "DATA"
    >>>
    >>> * I disabled inheritance for "C:\DATA" via the admin account
    >>>
    >>> * I removed all entries from the C:\DATA folder's ACL and added the
    >>> Users group "Full Control" for "This Folder, Subfolders, and Files"
    >>>
    >>> * Under the C:\DATA folder I created a text document called TEST.TXT
    >>>
    >>> * On TEST.TXT, I disabled inheritance, removed all entries on the ACL,
    >>> and then added only one entry to the ACL, which is set to: User1
    >>> to have Read-only access.
    >>>
    >>> Now, when I log into XP using the User1 account, I can access the
    >>> TEST.TXT file as expected, but I am able to delete it. Why is this
    >>> the case if User1 has only read permissions on that file? I thought
    >>> that shutting off inheritance for individual files enables you to
    >>> have more granular control over objects via their own ACL. I thought
    >>> I would have received an access denied message. Why is it still
    >>> looking at the Users group "Full Control" setting on the parent folder
    >>> if I shut off inheritance for the TEST.TXT file? How do I do a
    >>> workaround?
    >>>
    >>> John
    >>>
    >>>
    >>
    >> Principal rule for NTFS permissions: "NTFS permissions are cumulative". This
    >> means that a user's effective permissions are the result of combining the
    >> user's assigned permissions. If your User1 belongs to the Users group, then
    >> he will have Read and Change permissions on that TEST.TXT file, which in turn
    >> allows him to delete the file.
    >
     
    John, Nov 28, 2006
    #4
  5. "John" wrote:

    > No, TEST.TXT was created with the administrator account, so the admin
    > is the owner.
    >
    >



    Let me repeat it again: "NTFS permissions are cumulative". NTFS permission
    inheritance is just for a network admin's convenience. Just imagine an
    admin's nightmare without NTFS permission inheritance: he would have had to
    go through every single folder and file just to set appropriate permissions.
    Disabling file/folder inheritance (static inheritance) is not strongly
    recommended because it will create more headaches later on if you have to
    troubleshoot file/folder permissions. If you just want User1 to have
    Read-only access to the file TEST.TXT, then create a new security group,
    let's just say Restricted Users, and add him to it. Now User1 is a member
    of both the Restricted Users and Users groups. On the DATA folder, set all
    entries in the ACL for those you don't want to have access to the folder to
    DENY (make sure User1 is not a member of any of those), and add those two
    groups in. Remember, Deny always overrides other permissions, therefore give
    the Users group Full Control permission, and the Restricted Users group Read
    & Execute (which will include Read and List Folder Contents). Now, you don't
    want User1 to be able to delete the TEST.TXT file (which he still can
    now). Click on Advanced to go to Special permissions and select the
    Restricted Users group. Edit the permissions to Deny this group
    Delete and Delete Subfolders and Files.
    Hope this will help.
     
    Dragon Without Wings, Nov 28, 2006
    #5
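    Dragon Without Wings' workaround scripted with PowerShell's Get-Acl/Set-Acl, as an added example that is not code from anyone in this thread: the explicit Deny on Delete and Delete Subfolders and Files for the Restricted Users group is what stops User1, because Windows lets a file be deleted either through Delete on the file itself or through Delete Subfolders and Files on its parent folder, and the Users group's Full Control on C:\DATA grants the latter. It assumes C:\DATA already exists, the local group name "Restricted Users" is free, and an elevated PowerShell prompt.

```powershell
$Folder = 'C:\DATA'
$Group  = 'Restricted Users'   # assumed free local group name
$User   = 'User1'

# 1. Create the local group and add User1 to it (User1 stays a member of Users).
net localgroup "$Group" /add
net localgroup "$Group" "$User" /add

# 2. Rebuild the C:\DATA ACL: no inheritance from C:\, explicit entries only.
$Acl = Get-Acl -Path $Folder
$Acl.SetAccessRuleProtection($true, $false)       # disable inheritance, discard inherited ACEs
foreach ($Rule in @($Acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$Acl.RemoveAccessRule($Rule)            # start from an empty explicit ACL
}

# Every entry applies to "This Folder, Subfolders and Files".
$Flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Prop  = [System.Security.AccessControl.PropagationFlags]::None
function New-Ace($Identity, $Rights, $Type) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Flags, $Prop, $Type)
}

$Acl.AddAccessRule((New-Ace 'Users' 'FullControl' 'Allow'))
$Acl.AddAccessRule((New-Ace $Group 'ReadAndExecute' 'Allow'))
# Deny is evaluated before Allow: this blocks the Delete Subfolders and Files
# right that Users' Full Control would otherwise give User1 on the parent of TEST.TXT.
$Acl.AddAccessRule((New-Ace $Group 'Delete, DeleteSubdirectoriesAndFiles' 'Deny'))
Set-Acl -Path $Folder -AclObject $Acl

# 3. Show the resulting explicit entries for the group.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference -like "*\$Group" } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
```

    TEST.TXT keeps its own protected ACL (User1: Read), so it gets no inherited Deny, but the folder-level Deny on Delete Subfolders and Files is enough for a delete by User1 to fail with Access Denied.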
  6. Well, my English is terrible but I'll give my 2c...

    If you just deny everything but reading for User1 it will work fine.

    But you have to explicitly deny; if you just leave them unchecked the OS will
    use the folder permissions.

    It looks like you just did not check the deny options for User1 and just
    left the permissions implicit.

    Hope you can understand me... :p

    --
    Rafael Santos
    Criterium Business Mobile
    Porto Alegre - RS - Brasil
    www.criterium.com.br
     
    Rafael Santos, Nov 28, 2006
    #6