Q: File/Folder Permissions

Archived from groups: microsoft.public.win2000.security (More info?)

Hi!

I am setting up rights for users and I am running into difficulties.
Some folders are read-only with execute access and some are read-write
without execute access. So far, this all works fine. Now suppose the user
browses to a read-write folder and creates a new folder there. Now the
permissions for that newly created folder can be freely changed, meaning the
user can set it to read-write *with* execute permissions, as well. It seems
like as the creator, the user has special rights, so I tried changing the
rights for 'CREATOR OWNER' and having them inherited all the way thru the
file system, but nothing changed.
Ideally, I would like all newly created objects to be owned by the
admins, so the creator gets no special rights. Not sure if that is possible
or solves my problem even, but if not, is it possible to really restrict the
creator rights?
In the end, I want all created files in a folder with
read-write/no-execute permissions, to get those permissions, and not any
other permissions I did not specify. That reminds me: in the above case, the
permission flag for 'Change permission' is not set, which makes it even more
unclear to me.

Any help is greatly appreciated!
--
jb


(replace y with x if you want to reply by e-mail)
  1. Try removing the creator owner as it seems you do not need it in your situation. ---
    Steve

    "Jakob Bieling" <netsurf@gmy.net> wrote in message
    news:ccbmkv$mfb$06$1@news.t-online.com...
    > Hi!
    >
    > I am setting up rights for users and I am running into difficulties.
    > Some folders are read-only with execute access and some are read-write
    > without execute access. So far, this all works fine. Now suppose the user
    > browses to a read-write folder and creates a new folder there. Now the
    > permissions for that newly created folder can be freely changed, meaning the
    > user can set it to read-write *with* execute permissions, as well. It seems
    > like as the creator, the user has special rights, so I tried changing the
    > rights for 'CREATOR OWNER' and having them inherited all the way thru the
    > file system, but nothing changed.
    > Ideally, I would like all newly created objects to be owned by the
    > admins, so the creator gets no special rights. Not sure if that is possible
    > or solves my problem even, but if not, is it possible to really restrict the
    > creator rights?
    > In the end, I want all created files in a folder with
    > read-write/no-execute permissions, to get those permissions, and not any
    > other permissions I did not specify. That reminds me: in the above case, the
    > permission flag for 'Change permission' is not set, which makes it even more
    > unclear to me.
    >
    > Any help is greatly appreciated!
    > --
    > jb
    >
    >
    > (replace y with x if you want to reply by e-mail)
    >
    >
    >
  2. "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    news:36iGc.28402$IQ4.16009@attbi_s02...
    > Try removing the creator owner as it seems you do not need it in your
    > situation. ---

    Hi Steve

    thanks for the suggestion, but the same problem still persists: I create
    a new subfolder in a folder where I have all write and read permissions, but
    no execute and change-permission permissions and I *am* able to change the
    permissions. I also tried using the creator owner and only having it
    explicitly deny the execute permission, but even that does not work. Why
    does it seem like the creator owner permissions have no effect at all? I
    doubt that the permission system is buggy, so how do I change this? Running
    SP4 btw.

    Thanks for the help!
    --
    jb


    (replace y with x if you want to reply by e-mail)
  3. First make sure that the everyone group does not have full permissions to the
    root/drive folder. Usually you want everyone and users to have no more than
    read/list/execute permissions to the root folder including in advanced permissions.
    If you don't need owner creator try removing it. Otherwise go into advanced
    permissions for the top folder you are configuring and in advanced permissions give
    owner creator the exact permissions you want it to have to see if that helps. ---
    Steve


    "Jakob Bieling" <netsurf@gmy.net> wrote in message
    news:cclemg$1qe$07$1@news.t-online.com...
    > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    > news:36iGc.28402$IQ4.16009@attbi_s02...
    > > Try removing the creator owner as it seems you do not need it in your
    > > situation. ---
    >
    > Hi Steve
    >
    > thanks for the suggestion, but the same problem still persists: I create
    > a new subfolder in a folder where I have all write and read permissions, but
    > no execute and change-permission permissions and I *am* able to change the
    > permissions. I also tried using the creator owner and only having it
    > explicitly deny the execute permission, but even that does not work. Why
    > does it seem like the creator owner permissions have no effect at all? I
    > doubt that the permission system is buggy, so how do I change this? Running
    > SP4 btw.
    >
    > Thanks for the help!
    > --
    > jb
    >
    >
    > (replace y with x if you want to reply by e-mail)
    >
    >
  4. "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    news:QxzHc.49487$%_6.17954@attbi_s01...
    > First make sure that the everyone group does not have full permissions to the
    > root/drive folder. Usually you want everyone and users to have no more than
    > read/list/execute permissions to the root folder including in advanced permissions.
    > If you don't need owner creator try removing it. Otherwise go into advanced
    > permissions for the top folder you are configuring and in advanced permissions give
    > owner creator the exact permissions you want it to have to see if that helps. ---
    > Steve


    Well, the everyone group exists at root level, but not for many other
    directories. Not too sure exactly where I have permissions for everyone and
    where not, but I do know that it is always read/execute for the everyone
    group.

    One thing that caught my eye was the SYSTEM group, though. It does have
    full access, but only because it was there from the beginning. It looks like
    I should not remove it (just by the name ;)) .. but what exactly is it for
    and (where?) do I need it? Other than that, I only have the admins with full
    control ..

    Thanks!
    --
    jb

    (replace y with x if you want to reply by e-mail)
  5. System basically means the operating system, and you want to leave it at full control
    as you do administrators. I mention the everyone group because I remember a while
    back that there was a user with an issue implementing user permissions in a subfolder
    to the root and even though he gave the user explicit permissions, they did not work
    as expected. I tried the same scenario and it turned out that as long as the everyone
    group had full control of the drive/root folder that subfolder explicit permissions
    did not restrict users properly. Weird but that is what seemed to be the
    problem. --- Steve


    "Jakob Bieling" <netsurf@gmy.net> wrote in message
    news:ccn0qg$95h$02$1@news.t-online.com...
    > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    > news:QxzHc.49487$%_6.17954@attbi_s01...
    > > First make sure that the everyone group does not have full permissions to the
    > > root/drive folder. Usually you want everyone and users to have no more than
    > > read/list/execute permissions to the root folder including in advanced permissions.
    > > If you don't need owner creator try removing it. Otherwise go into advanced
    > > permissions for the top folder you are configuring and in advanced permissions give
    > > owner creator the exact permissions you want it to have to see if that helps. ---
    > > Steve
    >
    >
    > Well, the everyone group exists at root level, but not for many other
    > directories. Not too sure exactly where I have permissions for everyone and
    > where not, but I do know that it is always read/execute for the everyone
    > group.
    >
    > One thing that caught my eye was the SYSTEM group, though. It does have
    > full access, but only because it was there from the beginning. It looks like
    > I should not remove it (just by the name ;)) .. but what exactly is it for
    > and (where?) do I need it? Other than that, I only have the admins with full
    > control ..
    >
    > Thanks!
    > --
    > jb
    >
    > (replace y with x if you want to reply by e-mail)
    >
    >
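
Added example, not part of the original thread: a simplified Python model of the Windows access check, showing why the creator in the question can still change permissions on a folder they create. The owner of an object is implicitly granted READ_CONTROL and WRITE_DAC regardless of the DACL, so a CREATOR OWNER ACE cannot take that away. The token, SID names and DACLs below are constructed for illustration.

```python
# Simplified model of the NTFS access check (illustration, not Windows code).
# The access-mask bit values are the real Windows constants.
FILE_READ_DATA, FILE_WRITE_DATA, FILE_EXECUTE = 0x1, 0x2, 0x20
READ_CONTROL, WRITE_DAC, FILE_ALL_ACCESS = 0x20000, 0x40000, 0x1F01FF
CREATOR_OWNER = "CREATOR OWNER"

def access_check(sids, owner, dacl, desired):
    """sids: SIDs in the caller's token; dacl: ordered (type, sid, mask) ACEs."""
    remaining = desired
    # The owner is implicitly granted READ_CONTROL and WRITE_DAC before the
    # DACL is walked, so no ACE (not even a deny) takes them away.
    if owner in sids:
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace_type, sid, mask in dacl:
        if remaining == 0:
            break
        if sid not in sids:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
    return remaining == 0

def inherit(parent_dacl, creator):
    """Child DACL: CREATOR OWNER ACEs are rewritten to the creator's SID.
    (Simplified: on containers the real system also keeps an inherit-only copy.)"""
    return [(t, creator if s == CREATOR_OWNER else s, m) for t, s, m in parent_dacl]

def scenario():
    token = {"jb", "Users"}  # constructed token: user jb, member of Users
    parent = [("deny", CREATOR_OWNER, FILE_EXECUTE | WRITE_DAC),
              ("allow", "Users", FILE_READ_DATA | FILE_WRITE_DATA),
              ("allow", "Administrators", FILE_ALL_ACCESS)]
    child = inherit(parent, "jb")
    relaxed = [("allow", "jb", FILE_READ_DATA | FILE_WRITE_DATA | FILE_EXECUTE)]
    return {
        # Creator owns the new folder: execute is denied by the inherited ACE ...
        "execute_initially": access_check(token, "jb", child, FILE_EXECUTE),
        # ... but WRITE_DAC is granted anyway, despite the deny ACE.
        "write_dac_as_owner": access_check(token, "jb", child, WRITE_DAC),
        # With WRITE_DAC the owner can replace the DACL with a looser one.
        "execute_after_rewrite": access_check(token, "jb", relaxed, FILE_EXECUTE),
        # Same DACL, owner changed to Administrators: the implicit grant is gone.
        "write_dac_admin_owned": access_check(token, "Administrators", child, WRITE_DAC),
    }

if __name__ == "__main__":
    print(scenario())
```

On Windows Vista and Server 2008 and later, an ACE for the OWNER RIGHTS SID (S-1-3-4) overrides the implicit grant; Windows 2000, the system in this thread, has no such SID.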