Folder permissions - deny users, allow administrator

[dima]

Hi there,

I am trying to create folder with permissions, such that, all current and
future contents of the folder will allow for read-only access to all members
of the Users group, and allow full control to the Administrators group.

Here's a simplified version of my setup (running on Windows 2003 Server):

root_folder
completed
folder 1
folder 2
folder 3
...
working
folder 4
folder 5
folder 6
...

"root_folder" is shared, with full control given to Everyone. Security
permissions on the folder itself are full control for Administrators,
Creator/Owner, and Users (folder, subfolders, and files). Both "completed"
and "working" are set to inherit from "root_folder". In addition, "completed"
has an extra permission, set to deny everything except read access to Users.
What I find is that, this deny permission also applies to the Administrator
account, which is in no way a member of the Users group.

I want to be able to move any folder from "working" into "completed"
(regardless of who the folder owner/creator is), and by doing so,
automatically make the folder read-only to members of the Users group. From
what I know about NTFS permissions, this basically forces me to use explicit
Deny permissions. If I simply remove the Users group from the permission
entries of "completed", then any folder created by a member of the Users
group will still be under full control of that user, even after being moved
to "completed". I also do not want to re-apply all child permissions every
time I move a folder into "completed".

I hope I made sense. I would appreciate any help anyone can give me.

Thanks in advance.

--
dima

 

[dima]

Apologies for the incorrect formatting. Here's what the folder tree looks like:

root_folder
----completed
--------folder 1
--------folder 2
--------folder 3
--------...
----working
--------folder 4
--------folder 5
--------folder 6
--------...

Thanks,

--
dima

 

[Roger Abell [MVP]]

So are Users members to have the same permissions on
things in Working as in Completed?
You not not state.

Your issue is in part that there is a special grant to Users
that lets them create new things, at which point the grant
to Creator/Owner kicks in an grants that account Full.

Given that Working and Completed are on the same partition
you should copy from Completed to Working, not move.
A move within a partition for Windows up through W2k3
takes along permissions that are explicitly granted on the
moved.

Tell us what you want Working to allow to Users and then
we can get you going.

Roger
"dima" <dima@discussions.microsoft.com> wrote in message
news:B2717A9D-A29F-4402-ADE0-E8A493E94092@microsoft.com...
> Hi there,
>
> I am trying to create folder with permissions, such that, all current and
> future contents of the folder will allow for read-only access to all
> members
> of the Users group, and allow full control to the Administrators group.
>
> Here's a simplified version of my setup (running on Windows 2003 Server):
>
> root_folder
> completed
> folder 1
> folder 2
> folder 3
> ...
> working
> folder 4
> folder 5
> folder 6
> ...
>
> "root_folder" is shared, with full control given to Everyone. Security
> permissions on the folder itself are full control for Administrators,
> Creator/Owner, and Users (folder, subfolders, and files). Both "completed"
> and "working" are set to inherit from "root_folder". In addition,
> "completed"
> has an extra permission, set to deny everything except read access to
> Users.
> What I find is that, this deny permission also applies to the
> Administrator
> account, which is in no way a member of the Users group.
>
> I want to be able to move any folder from "working" into "completed"
> (regardless of who the folder owner/creator is), and by doing so,
> automatically make the folder read-only to members of the Users group.
> From
> what I know about NTFS permissions, this basically forces me to use
> explicit
> Deny permissions. If I simply remove the Users group from the permission
> entries of "completed", then any folder created by a member of the Users
> group will still be under full control of that user, even after being
> moved
> to "completed". I also do not want to re-apply all child permissions every
> time I move a folder into "completed".
>
> I hope I made sense. I would appreciate any help anyone can give me.
>
> Thanks in advance.
>
> --
> dima

 

[dima]

Hi Roger, thanks for replying.

No, members of Users are not to have the same permissions for "working" and
"completed". As I said, both "working" and "completed" inherit from
"root_folder", except "completed" has an extra explicit Deny permission on
top of what's inherited. The purpose of this deny permission is to explicitly
deny everything but read access to Users members in "completed".

I'm aware that Creator/Owner permissions kick in as soon a member of Users
creates a folder in "working", and then moves it to "completed". This is why
I put the Deny permission in place on "completed" - to explicitly override
that. In fact, with it being the only explicit Deny permission, it should
override all Allow permissions of each folder in "completed" - and it does.
However, instead of affecting just members of the Users group, this Deny
permission also affects members of the Administrators group, for no apparent
reason. That is, members of the Administrators group are also denied
everything except read access to the "completed" folder - even though the
permission is set only for the Users group.

I want to be able to have a folder in "working" with full access to Users,
and then have an Administrator to move it to "completed", and by doing so,
automatically make the folder as read-only to Users. I want Administrators to
retain full control over both folders at all times.

Thanks again for the help.

--
dima

"Roger Abell [MVP]" wrote:

> So are Users members to have the same permissions on
> things in Working as in Completed?
> You not not state.
>
> Your issue is in part that there is a special grant to Users
> that lets them create new things, at which point the grant
> to Creator/Owner kicks in an grants that account Full.
>
> Given that Working and Completed are on the same partition
> you should copy from Completed to Working, not move.
> A move within a partition for Windows up through W2k3
> takes along permissions that are explicitly granted on the
> moved.
>
> Tell us what you want Working to allow to Users and then
> we can get you going.
>
> Roger

 

[dima]

> I'm aware that Creator/Owner permissions kick in as soon a member
> of Users creates a folder in "working", and then moves it to "completed".

The last part should read: and that folder is then moved to "completed".

--
dima

"dima" wrote:

> Hi Roger, thanks for replying.
>
> No, members of Users are not to have the same permissions for "working" and
> "completed". As I said, both "working" and "completed" inherit from
> "root_folder", except "completed" has an extra explicit Deny permission on
> top of what's inherited. The purpose of this deny permission is to explicitly
> deny everything but read access to Users members in "completed".
>
> I'm aware that Creator/Owner permissions kick in as soon a member of Users
> creates a folder in "working", and then moves it to "completed". This is why
> I put the Deny permission in place on "completed" - to explicitly override
> that. In fact, with it being the only explicit Deny permission, it should
> override all Allow permissions of each folder in "completed" - and it does.
> However, instead of affecting just members of the Users group, this Deny
> permission also affects members of the Administrators group, for no apparent
> reason. That is, members of the Administrators group are also denied
> everything except read access to the "completed" folder - even though the
> permission is set only for the Users group.
>
> I want to be able to have a folder in "working" with full access to Users,
> and then have an Administrator to move it to "completed", and by doing so,
> automatically make the folder as read-only to Users. I want Administrators to
> retain full control over both folders at all times.
>
> Thanks again for the help.
>
> --
> dima
>
> "Roger Abell [MVP]" wrote:
>
> > So are Users members to have the same permissions on
> > things in Working as in Completed?
> > You not not state.
> >
> > Your issue is in part that there is a special grant to Users
> > that lets them create new things, at which point the grant
> > to Creator/Owner kicks in an grants that account Full.
> >
> > Given that Working and Completed are on the same partition
> > you should copy from Completed to Working, not move.
> > A move within a partition for Windows up through W2k3
> > takes along permissions that are explicitly granted on the
> > moved.
> >
> > Tell us what you want Working to allow to Users and then
> > we can get you going.
> >
> > Roger

 

[Roger Abell [MVP]]

"dima" <dima@discussions.microsoft.com> wrote in message
news:59DC8E88-15F6-4318-871A-33D2F11419A6@microsoft.com...
> Hi Roger, thanks for replying.
>
> No, members of Users are not to have the same permissions for "working"
> and
> "completed". As I said, both "working" and "completed" inherit from
> "root_folder", except "completed" has an extra explicit Deny permission on
> top of what's inherited. The purpose of this deny permission is to
> explicitly
> deny everything but read access to Users members in "completed".
>

OK, but I was hoping for a positive statement of what they should have.
So, it appears that Users should have ability to define new things in
Working and to modifiy them, but that they should have only read/list
on those once they are in Completed.

> I'm aware that Creator/Owner permissions kick in as soon a member of Users
> creates a folder in "working", and then moves it to "completed". This is
> why
> I put the Deny permission in place on "completed" - to explicitly override
> that. In fact, with it being the only explicit Deny permission, it should
> override all Allow permissions of each folder in "completed" - and it
> does.

Not really. It does not work that way.
An inherited deny will only override conflicting grants that are
set at the same or a higher level in the directory tree. It will not
override a grant set at a lower level (closer to the object under
consideration). Hence, the Creator/Owner grant causes a explict
grant to Username on the object they create, and this grant moves
with the object when it is moved to Completed, and this grant then
overrides the inherited deny.

> However, instead of affecting just members of the Users group, this Deny
> permission also affects members of the Administrators group, for no
> apparent
> reason. That is, members of the Administrators group are also denied
> everything except read access to the "completed" folder - even though the
> permission is set only for the Users group.
>

Your members of Administrators are obviously considered to
effectively be members of Users
At a cmd prompt, if you issue
net localgroup administrators
what is the result ?
As stated in reply of other thread, your Users group likely has
either Authenticated Users or Interactive in it. If you remove
these you need to be careful about what they are accomplishing
so that you replace what of that is needed with some other
memberships. However, if you approach this without use of
Deny, which I would recommend, then Administrators being
effective members of Users becomes a non-issue for this issue.

> I want to be able to have a folder in "working" with full access to Users,
> and then have an Administrator to move it to "completed", and by doing so,
> automatically make the folder as read-only to Users. I want Administrators
> to
> retain full control over both folders at all times.
>

Here is what I would suggest.
On Working set
Administrators Full
Users Modify
and nothing else and nothing inherited from parent of Working.
On Completed set
Administrators Full
Users Read/List
and nothing else and nothing inherited from parent of Completed.

With those permissions there will be no explict permissions on
objects withing either Working or Completed. Hence a move
from Working to Completed will result in the moved object then
having only the permissions inherited from Completed.

If there are any permissions set directly on the moved object
those will move with it. That is (part of) what is giving you
problems.

Roger

> Thanks again for the help.
>
> --
> dima
>
> "Roger Abell [MVP]" wrote:
>
>> So are Users members to have the same permissions on
>> things in Working as in Completed?
>> You not not state.
>>
>> Your issue is in part that there is a special grant to Users
>> that lets them create new things, at which point the grant
>> to Creator/Owner kicks in an grants that account Full.
>>
>> Given that Working and Completed are on the same partition
>> you should copy from Completed to Working, not move.
>> A move within a partition for Windows up through W2k3
>> takes along permissions that are explicitly granted on the
>> moved.
>>
>> Tell us what you want Working to allow to Users and then
>> we can get you going.
>>
>> Roger

 

[Roger Abell [MVP]]

alternatively

on parent of Working and Completed set only
Administrators Full
Users Read/List
then on Working set additional
Users Modify

Note that upon a move the adjustment of inherited permissions
is not always reflected immediately, but it will be eventually.


"dima" <dima@discussions.microsoft.com> wrote in message
news:59DC8E88-15F6-4318-871A-33D2F11419A6@microsoft.com...
> Hi Roger, thanks for replying.
>
> No, members of Users are not to have the same permissions for "working"
> and
> "completed". As I said, both "working" and "completed" inherit from
> "root_folder", except "completed" has an extra explicit Deny permission on
> top of what's inherited. The purpose of this deny permission is to
> explicitly
> deny everything but read access to Users members in "completed".
>
> I'm aware that Creator/Owner permissions kick in as soon a member of Users
> creates a folder in "working", and then moves it to "completed". This is
> why
> I put the Deny permission in place on "completed" - to explicitly override
> that. In fact, with it being the only explicit Deny permission, it should
> override all Allow permissions of each folder in "completed" - and it
> does.
> However, instead of affecting just members of the Users group, this Deny
> permission also affects members of the Administrators group, for no
> apparent
> reason. That is, members of the Administrators group are also denied
> everything except read access to the "completed" folder - even though the
> permission is set only for the Users group.
>
> I want to be able to have a folder in "working" with full access to Users,
> and then have an Administrator to move it to "completed", and by doing so,
> automatically make the folder as read-only to Users. I want Administrators
> to
> retain full control over both folders at all times.
>
> Thanks again for the help.
>
> --
> dima
>
> "Roger Abell [MVP]" wrote:
>
>> So are Users members to have the same permissions on
>> things in Working as in Completed?
>> You not not state.
>>
>> Your issue is in part that there is a special grant to Users
>> that lets them create new things, at which point the grant
>> to Creator/Owner kicks in an grants that account Full.
>>
>> Given that Working and Completed are on the same partition
>> you should copy from Completed to Working, not move.
>> A move within a partition for Windows up through W2k3
>> takes along permissions that are explicitly granted on the
>> moved.
>>
>> Tell us what you want Working to allow to Users and then
>> we can get you going.
>>
>> Roger

 

[dima]

Hi Roger, thanks again for taking the time to reply.

> Here is what I would suggest.
> On Working set
> Administrators Full
> Users Modify
> and nothing else and nothing inherited from parent of Working.
> On Completed set
> Administrators Full
> Users Read/List
> and nothing else and nothing inherited from parent of Completed.
>
> With those permissions there will be no explict permissions on
> objects withing either Working or Completed. Hence a move
> from Working to Completed will result in the moved object then
> having only the permissions inherited from Completed.
>
> If there are any permissions set directly on the moved object
> those will move with it. That is (part of) what is giving you
> problems.

I gave this a try, using exactly the setup you specified, but it doesn't
quite achieve what I want. If a Users member creates a folder in "working",
then an Administrator moves it to "completed", the folder retains the full
control permission for Users. When I examine it in advanced security
settings, it says that this permission is inherited from "Parent Object" -
but it doesn't say which folder that parent object is. Administrators retain
full control over the moved folder just fine.

Thank you!

--
dima

 

[Roger Abell [MVP]]

"dima" <dima@discussions.microsoft.com> wrote in message
news:A0B15AC6-8AE6-43F0-A42E-2868FCA9EBB7@microsoft.com...
> Hi Roger, thanks again for taking the time to reply.
>
>> Here is what I would suggest.
>> On Working set
>> Administrators Full
>> Users Modify
>> and nothing else and nothing inherited from parent of Working.
>> On Completed set
>> Administrators Full
>> Users Read/List
>> and nothing else and nothing inherited from parent of Completed.
>>
>> With those permissions there will be no explict permissions on
>> objects withing either Working or Completed. Hence a move
>> from Working to Completed will result in the moved object then
>> having only the permissions inherited from Completed.
>>
>> If there are any permissions set directly on the moved object
>> those will move with it. That is (part of) what is giving you
>> problems.
>
> I gave this a try, using exactly the setup you specified, but it doesn't
> quite achieve what I want. If a Users member creates a folder in
> "working",
> then an Administrator moves it to "completed", the folder retains the full
> control permission for Users. When I examine it in advanced security
> settings, it says that this permission is inherited from "Parent Object" -
> but it doesn't say which folder that parent object is. Administrators
> retain
> full control over the moved folder just fine.
>

Hi Dima,

I am sort of at a loss as I specified nothing about granting
Users Full. Where did that come from ? Check the folder
that is parent of Working and Completed and also each of
those using the Advanced view.
Either strategy I earlier provided should work, but I like
the second, afterthought one better, i.e.
on parent of Working and Completed set only
Administrators Full
Users Read/List
then on Working set additional
Users Modify
But, I did not but should have mentioned to make sure that
the parent of Working and Completed does not inherit from
its parent (or if it does then that adds nothing more than is
being set on parent of Working and Completed)

 

[dima]

Hi Roger,

Thanks for sticking with me. Please see link below for a clearer explanation
of what I'm experiencing.

http://www.telusplanet.net/~dynacor/permissions.html

Thanks again!

"Roger Abell [MVP]" wrote:

> "dima" <dima@discussions.microsoft.com> wrote in message
> news:A0B15AC6-8AE6-43F0-A42E-2868FCA9EBB7@microsoft.com...
>
> Hi Dima,
>
> I am sort of at a loss as I specified nothing about granting
> Users Full. Where did that come from ? Check the folder
> that is parent of Working and Completed and also each of
> those using the Advanced view.
> Either strategy I earlier provided should work, but I like
> the second, afterthought one better, i.e.
> on parent of Working and Completed set only
> Administrators Full
> Users Read/List
> then on Working set additional
> Users Modify
> But, I did not but should have mentioned to make sure that
> the parent of Working and Completed does not inherit from
> its parent (or if it does then that adds nothing more than is
> being set on parent of Working and Completed)

 

[Roger Abell [MVP]]

I think what you are seeing may be artifact of the indeterminant
delay in replacement of old inherited with new inherited. That
is why I advise people to copy when a move is within single
partition and then delete the copied. You however said you
want admins to be able to move and have things turn out right.
MS has finally addressed the mess of this intrapartition move
stuff with Vista/W2k8, but that does not help here. The inherited
permissions adjust "eventually". To see if this is what is up,
try adding some permission to the moved and then remove it.
Does the Modify showing as inherited from parent change to
the expected List/Read inherited from root_folder?

Roger


"dima" <dima@discussions.microsoft.com> wrote in message
news:74F1C5B9-FCE6-42B2-9D04-F7FBBAF5E67F@microsoft.com...
> Hi Roger,
>
> Thanks for sticking with me. Please see link below for a clearer
> explanation
> of what I'm experiencing.
>
> http://www.telusplanet.net/~dynacor/permissions.html
>
> Thanks again!
>
> "Roger Abell [MVP]" wrote:
>
>> "dima" <dima@discussions.microsoft.com> wrote in message
>> news:A0B15AC6-8AE6-43F0-A42E-2868FCA9EBB7@microsoft.com...
>>
>> Hi Dima,
>>
>> I am sort of at a loss as I specified nothing about granting
>> Users Full. Where did that come from ? Check the folder
>> that is parent of Working and Completed and also each of
>> those using the Advanced view.
>> Either strategy I earlier provided should work, but I like
>> the second, afterthought one better, i.e.
>> on parent of Working and Completed set only
>> Administrators Full
>> Users Read/List
>> then on Working set additional
>> Users Modify
>> But, I did not but should have mentioned to make sure that
>> the parent of Working and Completed does not inherit from
>> its parent (or if it does then that adds nothing more than is
>> being set on parent of Working and Completed)
>

 

[dima]

Hi Roger,

I checked back on the folder after leaving it for the weekend, and the
permissions still hadn't changed. I followed your suggestion and added a
dummy permission, at which point the system recalculated, and then set the
correct Read & Execute permissions for Users, inherited from "root_folder".
This is bizarre... Is it a known bug? It's a little hard to believe that a
serious oversight like this could have made it into the operating system.

What are my options now? I can already see myself having to explain to my
boss why something as trivial as moving a folder into a read-only location
doesn't work in Windows.

Once again, thanks for all your help.

--
dima

"Roger Abell [MVP]" wrote:

> I think what you are seeing may be artifact of the indeterminant
> delay in replacement of old inherited with new inherited. That
> is why I advise people to copy when a move is within single
> partition and then delete the copied. You however said you
> want admins to be able to move and have things turn out right.
> MS has finally addressed the mess of this intrapartition move
> stuff with Vista/W2k8, but that does not help here. The inherited
> permissions adjust "eventually". To see if this is what is up,
> try adding some permission to the moved and then remove it.
> Does the Modify showing as inherited from parent change to
> the expected List/Read inherited from root_folder?

 

[Roger Abell [MVP]]

It is considered a documented behavior, or feature. It is a legacy
from the early days, before there was anything in the way of visible
inheritance and when squeaking out every last drop of efficiency
way important. I have bugged the behavior in every beta since
W2k's and am glad to say that the behavior has finally been changed
in the new versions of Windows. It is a serious security issue in
all versions prior to W2k8/Vista. The only real recourse is to not
move within a single partition between areas with different ACLs.
To force users to not do that you can, for example, define a DFS
and form the DFS content with two shares from different machines
or partitions. There are no good solutions.


"dima" <dima@discussions.microsoft.com> wrote in message
news:1596C456-78A9-479F-94F0-36369A897B20@microsoft.com...
> Hi Roger,
>
> I checked back on the folder after leaving it for the weekend, and the
> permissions still hadn't changed. I followed your suggestion and added a
> dummy permission, at which point the system recalculated, and then set the
> correct Read & Execute permissions for Users, inherited from
> "root_folder".
> This is bizarre... Is it a known bug? It's a little hard to believe that a
> serious oversight like this could have made it into the operating system.
>
> What are my options now? I can already see myself having to explain to my
> boss why something as trivial as moving a folder into a read-only location
> doesn't work in Windows.
>
> Once again, thanks for all your help.
>
> --
> dima
>
> "Roger Abell [MVP]" wrote:
>
>> I think what you are seeing may be artifact of the indeterminant
>> delay in replacement of old inherited with new inherited. That
>> is why I advise people to copy when a move is within single
>> partition and then delete the copied. You however said you
>> want admins to be able to move and have things turn out right.
>> MS has finally addressed the mess of this intrapartition move
>> stuff with Vista/W2k8, but that does not help here. The inherited
>> permissions adjust "eventually". To see if this is what is up,
>> try adding some permission to the moved and then remove it.
>> Does the Modify showing as inherited from parent change to
>> the expected List/Read inherited from root_folder?
>