Totally confused with this NTFS scenario!

Discussion in 'MCSA' started by John, Nov 27, 2006.

  1. John

    John Guest

    Can someone please tell me why this is not working?
    I'm using XP SP2 with the NTFS file system.

    Scenario:

    * Using the admin account, I created a standard user, named "User1"

    * I have a folder at the root of C:\ called "DATA"

    * I disabled inheritance for "C:\DATA" via the admin account

    * I removed all entries from the C:\DATA folder's ACL and added the
    users group "Full Control" for "This Folder, Subfolders, and Files"

    * Under the C:\DATA folder I created a text document called TEST.TXT

    * On TEST.TXT, I disabled inheritance, removed all entries from the ACL,
    and then added only one entry to the ACL, which gives User1
    Read-only access.

    Now, when I log into XP using the User1 account, I can access the
    TEST.TXT file as expected, but I am able to delete it. Why is this
    the case if User1 has only read permissions on that file? I thought
    that shutting off inheritance for individual files gives you
    more granular control over objects via their own ACL. I thought
    I would have received an access denied message. Why is it still
    looking at the Users group's "Full Control" setting on the parent folder
    if I shut off inheritance for the TEST.TXT file? How do I work
    around this?

    John
     
    John, Nov 27, 2006
    #1

  2. Principal rule for NTFS permissions: "NTFS permissions are cumulative". This
    means that a user's effective permissions are the result of combining the
    user's assigned permissions. If your User1 belongs to the Users group then
    he will have Read and Change permissions on that TEST.TXT file, which in turn
    allows him to delete the file.
     
    Dragon Without Wings, Nov 27, 2006
    #2

  3. AJR

    AJR Guest

    In addition to "dragon without wings's" reply - in creation of the file did
    "user1" become the owner?
     
    AJR, Nov 27, 2006
    #3
  4. John

    John Guest

    No, TEST.TXT was created with the administrator account, so the admin
    is the owner.
     
    John, Nov 28, 2006
    #4

  5. Let me repeat it again: "NTFS permissions are cumulative". NTFS permission
    inheritance is just for a network admin's convenience. Just imagine an
    admin's nightmare without NTFS permission inheritance: he would have had to
    go through every single folder and file just to set appropriate permissions.
    Disabling file/folder inheritance (static inheritance) is not strongly
    recommended because it will create more headaches later on if you have to
    troubleshoot file/folder permissions. If you just want User1 to have
    Read-only access to the file TEST.TXT, then create a new security group,
    let's just say Restricted Users, and add him to it. Now User1 is a member
    of both the Restricted Users and Users groups. On the DATA folder, set all
    entries in the ACL for those you don't want to have access to the folder to
    DENY (make sure User1 is not a member of any of those), and add those two
    groups in. Remember, Deny always overrides other permissions, therefore give
    the Users group Full Control permission, and the Restricted Users group Read
    & Execute (which will include Read and List Folder Contents). Now, you don't
    want User1 to be able to delete the TEST.TXT file (which he still can
    now). Click on Advanced to go to Special permissions and select the
    Restricted Users group. Edit the permissions to deny this group
    Delete and Delete Subfolders and Files.
    Hope this will help.
     
    Dragon Without Wings, Nov 28, 2006
    #5
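The folder-level change suggested in the reply above, as an added PowerShell example that is not code posted in the thread. A file can be deleted by anyone holding either Delete on the file itself or Delete Subfolders and Files on its parent folder, which is why Full Control for Users on C:\DATA lets User1 remove TEST.TXT no matter what the file's own ACL says. Assumed: C:\DATA exists, a local group named "Restricted Users" has been created with User1 as a member, and the script runs from an elevated prompt.

```powershell
# Added example, not from the thread. Assumes C:\DATA and a local group
# "Restricted Users" (the name used in the reply above) already exist.
$folder = 'C:\DATA'
$group  = 'Restricted Users'
$FSR    = [System.Security.AccessControl.FileSystemRights]

# 1. Audit: which Allow ACEs on the folder carry "Delete Subfolders and Files"?
#    Every principal listed here can delete TEST.TXT regardless of the file's ACL.
#    (Explicit Full Control shows as FullControl; inherited generic rights may
#    appear as raw numbers and would need a separate check.)
$acl = Get-Acl -Path $folder
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $FSR::DeleteSubdirectoriesAndFiles) -ne 0)
    } |
    Select-Object IdentityReference, FileSystemRights, IsInherited

# 2. Mitigate: deny Restricted Users both delete rights on the folder, applied
#    to "This folder, subfolders and files" so the Delete deny also reaches
#    TEST.TXT. Deny ACEs are evaluated before Allow ACEs, so membership in
#    Users (Full Control) no longer grants deletion.
$rights = $FSR::Delete -bor $FSR::DeleteSubdirectoriesAndFiles
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $group, $rights, 'ContainerInherit, ObjectInherit', 'None', 'Deny'
$acl.AddAccessRule($deny)
Set-Acl -Path $folder -AclObject $acl

# 3. Verify: the Deny ACE for the group should now be present on the folder
#    and appear as an inherited Deny on C:\DATA\TEST.TXT.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags
(Get-Acl -Path (Join-Path $folder 'TEST.TXT')).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IsInherited }
```

Because TEST.TXT in the thread has inheritance disabled, the inherited Deny in step 3 will only show up on it after inheritance is re-enabled on the file, or after an explicit Deny for Delete is added to the file's own ACL.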
  6. Well, my English is terrible but I'll give my 2c...

    If you just deny everything but reading for User1 it will work fine.

    But you have to explicitly deny; if you just leave them unchecked the OS will
    use the folder permissions.

    It looks like you just did not check the deny options for User1 and just
    left the permissions implicit.

    Hope you can understand me... :p
     
    Rafael Santos, Nov 28, 2006
    #6