User permissions not working?

  • User permissions not working?

    I created a new folder called "fTest". I removed all users from the folder except for "Domain Admins" and "uTest".

    I want the user uTest to have Read, Write, etc. permission to that folder but NOT Delete, so that the user cannot delete any files/folders but can still create new ones.

    But for some reason, I can't stop the user from deleting files & folders from that folder.

    I checked the Effective Permissions for the user and get:
    • Traverse Folder/Executable File
    • List Folder/Read Data
    • Read Attributes
    • Read Extended Attributes
    • Read Permissions


    These settings to me indicate that the permissions are set correctly, but they don't work in the real world. The user uTest is only a member of the Domain Users group.

    I enabled Auditing on:
    • Create Files/Write Data
    • Create Folders/Append Data
    • Write Attributes
    • Write Extended Attributes
    • Delete Subfolders & Files
    • Delete

    Here's what I get in the Event viewer when deleting a subfolder:

    Event Type: Success Audit
    Event Source: Security
    Event Category: Object Access
    Event ID: 560
    Date: 14/11/2006
    Time: 10:59:47 AM
    User: JLRXMELB\uTest
    Computer: JLRX01
    Description:
    Object Open:
    Object Server: Security
    Object Type: File
    Object Name: E:\jlrx\JLData\General (non-specific)\fTest\DONOTDELETE
    Handle ID: 43740
    Operation ID: {0,299112940}
    Process ID: 4
    Image File Name:
    Primary User Name: JLRX01$
    Primary Domain: JLRXMELB
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: uTest
    Client Domain: JLRXMELB
    Client Logon ID: (0x0,0x11A98D50)
    Accesses: DELETE

    Privileges: -
    Restricted Sid Count: 0
    Access Mask: 0x10000


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Am I doing something wrong?

    Windows 2003 Server
    Last edited by JDMils; 14th November 2006, 01:03.
    |
    +-- JDMils
    |
    +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
    |
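
Added example, not part of the original posts: a Python sketch that parses the Event ID 560 description quoted in the first post and decodes its Access Mask against the file access-right bits from winnt.h. It shows that 0x10000 is the DELETE standard right, and because the entry is a Success Audit, that the handle was opened with that right granted. The function names, the `allowed` parameter and the trimmed field subset are assumptions for illustration.

```python
# Added example; names are illustrative, not from the thread.
# File/directory access-right bits as defined in winnt.h.
ACCESS_BITS = {
    0x000001: "ReadData/ListDirectory", 0x000002: "WriteData/AddFile",
    0x000004: "AppendData/AddSubdirectory", 0x000008: "ReadEA",
    0x000010: "WriteEA", 0x000020: "Execute/Traverse",
    0x000040: "DeleteChild", 0x000080: "ReadAttributes",
    0x000100: "WriteAttributes", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# Rights that remove data or let the caller rewrite the ACL or owner.
DESTRUCTIVE = 0x010000 | 0x000040 | 0x040000 | 0x080000

# Subset of the fields from the event quoted in the first post.
SAMPLE_EVENT = """\
Event ID: 560
Object Type: File
Object Name: E:\\jlrx\\JLData\\General (non-specific)\\fTest\\DONOTDELETE
Client User Name: uTest
Client Domain: JLRXMELB
Accesses: DELETE
Access Mask: 0x10000
"""

def parse_event(text):
    """Split the 'Key: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, keeps 'E:\...'
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def decode_mask(mask):
    """Return the names of the access rights set in a file access mask."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]

def review(text, allowed=()):
    """Summarise one 560 event; alert if a non-allowed user got destructive rights."""
    f = parse_event(text)
    mask = int(f["Access Mask"], 16)
    user = f["Client Domain"] + "\\" + f["Client User Name"]
    return {"user": user, "object": f["Object Name"], "rights": decode_mask(mask),
            "alert": bool(mask & DESTRUCTIVE) and user not in allowed}
```
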

  • #2
    Re: User permissions not working?

    Did you use uTest to create the file? If so he would be the owner of the file and would be able to delete it.

    I don't really know how you would handle what you're trying to do. If they create it, they'll be able to delete it unless you change the permissions and take ownership.
    Maybe a script that would run once (twice? three times?) a day to change the permissions to what you want. But until the script runs they would be able to delete the file.

    Is there perhaps a technology that would handle this?
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com



    • #3
      Re: User permissions not working?

      You are exactly right. After more testing..., uTest can create new folders and files which is OK with me. I just thought that anything newly created by a user would inherit the parent folder's permissions, but as you stated, it doesn't!

      When a folder is created, what actually happens is that "For this folder only", uTest has Full Control, and for "Subfolders and files only", uTest is given the same permissions as the parent. But if a subfolder or file is created by the user, it is then given Full Control Permissions to uTest, so effectively, the "Subfolders and files only" permissions given to uTest are never effective!

      Thanks for the help.
      |
      +-- JDMils
      |
      +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
      |



      • #4
        Re: User permissions not working?

        Originally posted by JDMils
        I just thought that anything newly created by a user would inherit the parent folder's permissions, but as you stated, it doesn't!
        Actually (and I hope I'm not being confusing) it does inherit the permissions plus it gets some explicitly defined permissions. Look at the Security tab, the grayed ones are inherited, the black ones are explicit.

        so effectively, the "Subfolders and files only" permissions given to uTest are never effective!
        It may seem this way but it is effective on the folder and anything in it but there can be other permissions explicitly defined as well as configuring the file or folder to not inherit permissions. That's why if you have a script run you can change the permissions to what you want... but there may be (and probably is) a better way to handle it.
        Last edited by JeremyW; 14th November 2006, 03:45. Reason: Corrected mental mistake
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com

