Archived from groups: microsoft.public.win2000.security (
More info?)
I like that method! It does certainly simplify the task. Simple is good.
Thanks. --- Steve
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:OT5yNo0BFHA.3096@TK2MSFTNGP14.phx.gbl...
>I am in total agreement on always finding a way to avoid using
> a deny if at all possible.
>
> There is something of an art in finding out how to set advanced,
> aka special, permissions with the least frustration and re-attempts.
> In example of this post, using only Users group for example, I would
> 1. set a grant of Modify for Users
> 2. go to Advanced and change the Modify grant to Files only
> 3. OK/Apply back to the generic permissions view, and there
> set a grant of List folders
> There are cases where doing the same things in a different order
> causes what has been done to get wiped out because it is implied
> in an ACE through which one only temporarily passes if using the
> generic permissions dialogue. It can be very frustrating until one
> catches on, but so can making sure all the individual checkboxes
> of an advanced edit view are in place.
>
> --
> Roger
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:umI5CsyBFHA.3416@TK2MSFTNGP09.phx.gbl...
>> It looks like you pretty much did what I suggested with two different
>> groups though I believe I misunderstood your original post thinking that
>> you wanted to let users create/modify folders but not files for whatever
>> reason. You will find that you have great flexibility with advanced
>> permissions and I usually try to accomplish a configuration without using
>> deny permissions which tend to complicate things, particularly since an
>> explicit allow overrides an inherited deny. --- Steve
>>
>>
>> "Tom Gibson" <Tom Gibson@discussions.microsoft.com> wrote in message
>> news:97E9C963-07EF-4771-91AC-2F56A38AE3DB@microsoft.com...
>>> to all: thanks for the quick responses.
>>> I had selected the constraint of Files only, but then my users were not
>>> permitted to traverse any subfolders.
>>>
>>> I had missed the fact that users could be listed in the Advanced page
>>> more
>>> than once. I shall have to try that.
>>>
>>> My solution:
>>> Authenticated Users: Traverse Folder / List access - This folder,
>>> subfolders
>>> and files
>>> Folder Admins: Modify - This folder, subfolders and files
>>> Folder Users: Modify - Files only
>>>
>>> Then I reset it for all objects below.
>>> Now, when for each folder, the files have the permissions required. A
>>> user
>>> can add, delete, modify any files. But to traverse the folders, they
>>> are
>>> using the Authenticated Users permissions.
>>>
>>> Thanks
>>>
>>> "Steven L Umbach" wrote:
>>>
>>>> This should work. On the main security page give the group
>>>> read/list/execute
>>>> to the folder. Then go into "advanced" permissions and add the group
>>>> again.
>>>> Then select "folder and subfolder" in the apply onto box and check all
>>>> the
>>>> permissions other than full control and change permissions. What many
>>>> seem
>>>> to miss is that a user or group can be listed multiple times in
>>>> advanced
>>>> permissions. --- Steve
>>>>
>>>>
>>>> "Tom Gibson" <Tom Gibson@discussions.microsoft.com> wrote in message
>>>> news:EF4D0033-221C-4201-A893-90C536D34349@microsoft.com...
>>>> >I want to restrict access to users to be able to create, delete,
>>>> >modify
>>>> > files, but not folders.
>>>> > The security options are not granular enough that I can tell.
>>>> > If I unselect Delete Subfolders and Files AND Delete, then folders
>>>> > cannot
>>>> > be
>>>> > deleted, but either can files.
>>>> > If I unselect just Delete Subfolders and Files, and leave Delete,
>>>> > then
>>>> > both
>>>> > can be deleted. Same is true if just Delete Subfolders and Files is
>>>> > selected.
>>>> >
>>>> > Any recommendations is requested and appreciated.
>>>> >
>>>> > Thank you.
>>>> >
>>>> > Tom Gibson
>>>>
>>>>
>>>>
>>
>>
>
>