Sign in with
Sign up | Sign in
Your question

Q: File/Folder Permissions

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
July 5, 2004 7:55:53 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi!

I am setting up rights for users and I am running into difficulties.
Some folders are read-only with execute access and some are read-write
without execute access. So far, this all works fine. Now suppose the user
browses to a read-write folder and creates a new folder there. Now the
permissions for that newly created folder can be freely changed, meaning the
user can set it to read-write *with* execute permissions, as well. It seems
like as the creator, the user has special rights, so I tried changing the
rights for 'CREATOR OWNER' and having them inherited all the way thru the
file system, but nothing changed.
Ideally, I would like all newly created objects to be owned by the
admins, so the creator gets no special rights. Not sure if that is possible
or solves my problem even, but if not, is it possible to really restrict the
creator rights?
In the end, I want all created files in a folder with
read-write/no-execute permissions, to get those permissions, and not any
other permissions I did not specify. That reminds me: in the above case, the
permission flag for 'Change permission' is not set, which makes it even more
unclear to me.

Any help is greatly appreciated!
--
jb


(replace y with x if you want to reply by e-mail)
Anonymous
a b 8 Security
July 5, 2004 11:37:35 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Try removing the creator owner as it seems you do not need it in your situation. ---
Steve

"Jakob Bieling" <netsurf@gmy.net> wrote in message
news:ccbmkv$mfb$06$1@news.t-online.com...
> Hi!
>
> I am setting up rights for users and I am running into difficulties.
> Some folders are read-only with execute access and some are read-write
> without execute access. So far, this all works fine. Now suppose the user
> browses to a read-write folder and creates a new folder there. Now the
> permissions for that newly created folder can be freely changed, meaning the
> user can set it to read-write *with* execute permissions, as well. It seems
> like as the creator, the user has special rights, so I tried changing the
> rights for 'CREATOR OWNER' and having them inherited all the way thru the
> file system, but nothing changed.
> Ideally, I would like all newly created objects to be owned by the
> admins, so the creator gets no special rights. Not sure if that is possible
> or solves my problem even, but if not, is it possible to really restrict the
> creator rights?
> In the end, I want all created files in a folder with
> read-write/no-execute permissions, to get those permissions, and not any
> other permissions I did not specify. That reminds me: in the above case, the
> permission flag for 'Change permission' is not set, which makes it even more
> unclear to me.
>
> Any help is greatly appreciated!
> --
> jb
>
>
> (replace y with x if you want to reply by e-mail)
>
>
>
Anonymous
a b 8 Security
July 9, 2004 12:41:27 PM

Archived from groups: microsoft.public.win2000.security (More info?)

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:36iGc.28402$IQ4.16009@attbi_s02...
> Try removing the creator owner as it seems you do not need it in your
situation. ---

Hi Steve

thanks for the suggestion, but the same problem still persists: I create
a new subfolder in a folder where I have all write and read permissions, but
no execute and change-permission permissions and I *am* able to change the
permissions. I also tried using the creator owner and only having it
explicitly deny the execute permission, but even that does not work. Why
does it seem like the creator owner permissions have no effect at all? I
doubt that the permission system is buggy, so how do I change this? Running
SP4 btw.

Thanks for the help!
--
jb


(replace y with x if you want to reply by e-mail)
Related resources
Anonymous
a b 8 Security
July 9, 2004 8:16:49 PM

Archived from groups: microsoft.public.win2000.security (More info?)

First make sure that the everyone group does not have full permissions to the
root/drive folder. Usually you want everyone and users to have no more than
read/list/execute permissions to the root folder including in advanced permissions.
If you don't need owner creator try removing it. Otherwise go into advanced
permissions for the top folder you are configuring and in advanced permissions give
owner creator the exact permissions you want it to have to see if that helps. ---
Steve


"Jakob Bieling" <netsurf@gmy.net> wrote in message
news:cclemg$1qe$07$1@news.t-online.com...
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:36iGc.28402$IQ4.16009@attbi_s02...
> > Try removing the creator owner as it seems you do not need it in your
> situation. ---
>
> Hi Steve
>
> thanks for the suggestion, but the same problem still persists: I create
> a new subfolder in a folder where I have all write and read permissions, but
> no execute and change-permission permissions and I *am* able to change the
> permissions. I also tried using the creator owner and only having it
> explicitly deny the execute permission, but even that does not work. Why
> does it seem like the creator owner permissions have no effect at all? I
> doubt that the permission system is buggy, so how do I change this? Running
> SP4 btw.
>
> Thanks for the help!
> --
> jb
>
>
> (replace y with x if you want to reply by e-mail)
>
>
Anonymous
a b 8 Security
July 10, 2004 2:57:07 AM

Archived from groups: microsoft.public.win2000.security (More info?)

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:QxzHc.49487$%_6.17954@attbi_s01...
> First make sure that the everyone group does not have full permissions to
the
> root/drive folder. Usually you want everyone and users to have no more
than
> read/list/execute permissions to the root folder including in advanced
permissions.
> If you don't need owner creator try removing it. Otherwise go into
advanced
> permissions for the top folder you are configuring and in advanced
permissions give
> owner creator the exact permissions you want it to have to see if that
helps. ---
> Steve


Well, the everyone group exists at root level, but not for many other
directories. Not too sure exactly where I have permissions for everyone and
where not, but I do know that it is always read/execute for the everyone
group.

One thing that caught my eye was the SYSTEM group, though. It does have
full access, but only because it was there from the beginning. It looks like
I should not remove it (just by the name ;) ) .. but what exactly is it for
and (where?) do I need it? Other than that, I only have the admins with full
control ..

Thanks!
--
jb

(replace y with x if you want to reply by e-mail)
Anonymous
a b 8 Security
July 10, 2004 2:57:08 AM

Archived from groups: microsoft.public.win2000.security (More info?)

System, basically means the operating system and you want to leave it at full control
as you do administrators. I mention the everyone group because I remember a while
back that there was a user with an issue implementing user permissions in a subfolder
to the root and even though he gave the user explicit permissions, they did not work
as expected. I tried the same scenario an it turned out that as long as the everyone
group had full control of the drive/root folder that subfolder explicit permissions
did not restrict users properly. Weird but that is what seemed to be the
roblem. --- Steve


"Jakob Bieling" <netsurf@gmy.net> wrote in message
news:ccn0qg$95h$02$1@news.t-online.com...
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:QxzHc.49487$%_6.17954@attbi_s01...
> > First make sure that the everyone group does not have full permissions to
> the
> > root/drive folder. Usually you want everyone and users to have no more
> than
> > read/list/execute permissions to the root folder including in advanced
> permissions.
> > If you don't need owner creator try removing it. Otherwise go into
> advanced
> > permissions for the top folder you are configuring and in advanced
> permissions give
> > owner creator the exact permissions you want it to have to see if that
> helps. ---
> > Steve
>
>
> Well, the everyone group exists at root level, but not for many other
> directories. Not too sure exactly where I have permissions for everyone and
> where not, but I do know that it is always read/execute for the everyone
> group.
>
> One thing that caught my eye was the SYSTEM group, though. It does have
> full access, but only because it was there from the beginning. It looks like
> I should not remove it (just by the name ;) ) .. but what exactly is it for
> and (where?) do I need it? Other than that, I only have the admins with full
> control ..
>
> Thanks!
> --
> jb
>
> (replace y with x if you want to reply by e-mail)
>
>
!