Sign in with
Sign up | Sign in
Your question

File permissons

Last response: in Windows 2000/NT
Share
Anonymous
February 9, 2005 4:08:21 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hello,
I need some help with setting the correct permissions on computers in a
domain.

My problem is the if Administrator user logs in and runs an app that creates
a file in C:\MyApp, and then Non-Admin user logs in on the same computer and
tries to access the file that was created the Non-Admin user has no file
permissions.

I've noticed that after the Admin user logs off, the advanced security
option on the file for "Inherit from parent the permission entries that
apply to child objects..." does not get turned on even though in the
advanced options for both C:\ and C:\MyApp folders have a tick in "Inherit
from parent the permission entries that apply to child objects. Include
these with..."

I looked at the permissons on both C:\ and C:\MyApp.
C:\
Administrators - Full Control
Creator Owner - Nothing
EveryOne - Nothing
System - Full Control
Users - Read & Execute but not Modify not Write

C:\MyApp
Non-Admin - Nothing
Administrators - Full Control
Creator Owner - Nothing
Domain Users - everything EXCEPT Full Control
System - Full Control
Domain Users - everything EXCEPT Full Control

I don't know where else to look for the option that would tell a file to
inherit permissions from its folder.

Thanks
Brian

More about : file permissons

Anonymous
February 9, 2005 10:16:18 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Try to give the user or a group the user is in explicit permissions to the
c:\myapp folder with appropriate permissions and make sure that the user is
not in a group that has deny permissions to that folder. --- Steve


"Brian Morris" <softcom@tstt.net.tt> wrote in message
news:uOeeevsDFHA.3452@TK2MSFTNGP09.phx.gbl...
> Hello,
> I need some help with setting the correct permissions on computers in a
> domain.
>
> My problem is the if Administrator user logs in and runs an app that
> creates
> a file in C:\MyApp, and then Non-Admin user logs in on the same computer
> and
> tries to access the file that was created the Non-Admin user has no file
> permissions.
>
> I've noticed that after the Admin user logs off, the advanced security
> option on the file for "Inherit from parent the permission entries that
> apply to child objects..." does not get turned on even though in the
> advanced options for both C:\ and C:\MyApp folders have a tick in "Inherit
> from parent the permission entries that apply to child objects. Include
> these with..."
>
> I looked at the permissons on both C:\ and C:\MyApp.
> C:\
> Administrators - Full Control
> Creator Owner - Nothing
> EveryOne - Nothing
> System - Full Control
> Users - Read & Execute but not Modify not Write
>
> C:\MyApp
> Non-Admin - Nothing
> Administrators - Full Control
> Creator Owner - Nothing
> Domain Users - everything EXCEPT Full Control
> System - Full Control
> Domain Users - everything EXCEPT Full Control
>
> I don't know where else to look for the option that would tell a file to
> inherit permissions from its folder.
>
> Thanks
> Brian
>
>
Anonymous
February 10, 2005 8:29:18 PM

Archived from groups: microsoft.public.win2000.security (More info?)

And this is only happening for new folders/files defined by
that one application?
You said you have correctly diagnosed the problem's cause as
> option on the file for "Inherit from parent the permission entries that
> apply to child objects..." does not get turned on even though in the
This setting is under the control of the application creating the
filesystem object, and, this is the settings that blocks inheritance, so
> on even though in the advanced options for
> both C:\ and C:\MyApp folders have a tick in "Inherit
> from parent the permission entries that apply to child objects.
they are ignored, or rather, blocked.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brian Morris" <softcom@tstt.net.tt> wrote in message
news:uOeeevsDFHA.3452@TK2MSFTNGP09.phx.gbl...
> Hello,
> I need some help with setting the correct permissions on computers in a
> domain.
>
> My problem is the if Administrator user logs in and runs an app that
creates
> a file in C:\MyApp, and then Non-Admin user logs in on the same computer
and
> tries to access the file that was created the Non-Admin user has no file
> permissions.
>
> I've noticed that after the Admin user logs off, the advanced security
> option on the file for "Inherit from parent the permission entries that
> apply to child objects..." does not get turned on even though in the
> advanced options for both C:\ and C:\MyApp folders have a tick in "Inherit
> from parent the permission entries that apply to child objects. Include
> these with..."
>
> I looked at the permissons on both C:\ and C:\MyApp.
> C:\
> Administrators - Full Control
> Creator Owner - Nothing
> EveryOne - Nothing
> System - Full Control
> Users - Read & Execute but not Modify not Write
>
> C:\MyApp
> Non-Admin - Nothing
> Administrators - Full Control
> Creator Owner - Nothing
> Domain Users - everything EXCEPT Full Control
> System - Full Control
> Domain Users - everything EXCEPT Full Control
>
> I don't know where else to look for the option that would tell a file to
> inherit permissions from its folder.
>
> Thanks
> Brian
>
>
Related resources
Anonymous
February 13, 2005 3:39:07 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I can't say it does not happen for other apps because I don't know if other
apps do a similar thing, however no other app is giving problems.

When you say "This setting is under the control of the application creating
the" does this mean that I should in my code be able to set the behaviour?
Should this be the case? I would have thought not since it would mean that
I could write an app that would disregard the Windows security (like a virus
or something)
This is an MS access app and so far I can't find such options for the RENAME
filename function.

Thanks
Brian

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:o ZcjRB9DFHA.4004@tk2msftngp13.phx.gbl...
> And this is only happening for new folders/files defined by
> that one application?
> You said you have correctly diagnosed the problem's cause as
> > option on the file for "Inherit from parent the permission entries that
> > apply to child objects..." does not get turned on even though in the
> This setting is under the control of the application creating the
> filesystem object, and, this is the settings that blocks inheritance, so
> > on even though in the advanced options for
> > both C:\ and C:\MyApp folders have a tick in "Inherit
> > from parent the permission entries that apply to child objects.
> they are ignored, or rather, blocked.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Brian Morris" <softcom@tstt.net.tt> wrote in message
> news:uOeeevsDFHA.3452@TK2MSFTNGP09.phx.gbl...
> > Hello,
> > I need some help with setting the correct permissions on computers in a
> > domain.
> >
> > My problem is the if Administrator user logs in and runs an app that
> creates
> > a file in C:\MyApp, and then Non-Admin user logs in on the same computer
> and
> > tries to access the file that was created the Non-Admin user has no file
> > permissions.
> >
> > I've noticed that after the Admin user logs off, the advanced security
> > option on the file for "Inherit from parent the permission entries that
> > apply to child objects..." does not get turned on even though in the
> > advanced options for both C:\ and C:\MyApp folders have a tick in
"Inherit
> > from parent the permission entries that apply to child objects. Include
> > these with..."
> >
> > I looked at the permissons on both C:\ and C:\MyApp.
> > C:\
> > Administrators - Full Control
> > Creator Owner - Nothing
> > EveryOne - Nothing
> > System - Full Control
> > Users - Read & Execute but not Modify not Write
> >
> > C:\MyApp
> > Non-Admin - Nothing
> > Administrators - Full Control
> > Creator Owner - Nothing
> > Domain Users - everything EXCEPT Full Control
> > System - Full Control
> > Domain Users - everything EXCEPT Full Control
> >
> > I don't know where else to look for the option that would tell a file to
> > inherit permissions from its folder.
> >
> > Thanks
> > Brian
> >
> >
>
>
Anonymous
February 13, 2005 6:01:23 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Within the power of the account that is executing, an
application can manipulate the NTFS permissions of
filesystem objects (or registry for that matter).
It is a matter of what the application has been coded
to do. For example, if the file is being created in a
folder that has a grant of Creator Owner Full control,
then no matter what the account is that creates the file
it will be able to manipulate all and any of the security
settings of the file it has created. Similarly, if the account
running the application is the owner of a file or folder then
it can make any changes to that file or folder's NTFS settings.
Whether you have "switches" in the application depends on
whether the application was designed to make them available
to you when running the application.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brian Morris" <softcom@tstt.net.tt> wrote in message
news:enRspyeEFHA.2156@TK2MSFTNGP10.phx.gbl...
> I can't say it does not happen for other apps because I don't know if
other
> apps do a similar thing, however no other app is giving problems.
>
> When you say "This setting is under the control of the application
creating
> the" does this mean that I should in my code be able to set the behaviour?
> Should this be the case? I would have thought not since it would mean
that
> I could write an app that would disregard the Windows security (like a
virus
> or something)
> This is an MS access app and so far I can't find such options for the
RENAME
> filename function.
>
> Thanks
> Brian
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:o ZcjRB9DFHA.4004@tk2msftngp13.phx.gbl...
> > And this is only happening for new folders/files defined by
> > that one application?
> > You said you have correctly diagnosed the problem's cause as
> > > option on the file for "Inherit from parent the permission entries
that
> > > apply to child objects..." does not get turned on even though in the
> > This setting is under the control of the application creating the
> > filesystem object, and, this is the settings that blocks inheritance, so
> > > on even though in the advanced options for
> > > both C:\ and C:\MyApp folders have a tick in "Inherit
> > > from parent the permission entries that apply to child objects.
> > they are ignored, or rather, blocked.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Brian Morris" <softcom@tstt.net.tt> wrote in message
> > news:uOeeevsDFHA.3452@TK2MSFTNGP09.phx.gbl...
> > > Hello,
> > > I need some help with setting the correct permissions on computers in
a
> > > domain.
> > >
> > > My problem is the if Administrator user logs in and runs an app that
> > creates
> > > a file in C:\MyApp, and then Non-Admin user logs in on the same
computer
> > and
> > > tries to access the file that was created the Non-Admin user has no
file
> > > permissions.
> > >
> > > I've noticed that after the Admin user logs off, the advanced security
> > > option on the file for "Inherit from parent the permission entries
that
> > > apply to child objects..." does not get turned on even though in the
> > > advanced options for both C:\ and C:\MyApp folders have a tick in
> "Inherit
> > > from parent the permission entries that apply to child objects.
Include
> > > these with..."
> > >
> > > I looked at the permissons on both C:\ and C:\MyApp.
> > > C:\
> > > Administrators - Full Control
> > > Creator Owner - Nothing
> > > EveryOne - Nothing
> > > System - Full Control
> > > Users - Read & Execute but not Modify not Write
> > >
> > > C:\MyApp
> > > Non-Admin - Nothing
> > > Administrators - Full Control
> > > Creator Owner - Nothing
> > > Domain Users - everything EXCEPT Full Control
> > > System - Full Control
> > > Domain Users - everything EXCEPT Full Control
> > >
> > > I don't know where else to look for the option that would tell a file
to
> > > inherit permissions from its folder.
> > >
> > > Thanks
> > > Brian
> > >
> > >
> >
> >
>
>
Anonymous
February 14, 2005 2:20:43 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Brian,
Try starting notepad, typing something and saving into the
directory. If the permissions of the new file are not what
you expect, then post for us the results from running at a
cmd prompt
cacls <path of folder>
and then
cacls <full file pathname>
that we might see what is happening.


--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brian Morris" <softcom@tstt.net.tt> wrote in message
news:enRspyeEFHA.2156@TK2MSFTNGP10.phx.gbl...
> I can't say it does not happen for other apps because I don't know if
other
> apps do a similar thing, however no other app is giving problems.
>
> When you say "This setting is under the control of the application
creating
> the" does this mean that I should in my code be able to set the behaviour?
> Should this be the case? I would have thought not since it would mean
that
> I could write an app that would disregard the Windows security (like a
virus
> or something)
> This is an MS access app and so far I can't find such options for the
RENAME
> filename function.
>
> Thanks
> Brian
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:o ZcjRB9DFHA.4004@tk2msftngp13.phx.gbl...
> > And this is only happening for new folders/files defined by
> > that one application?
> > You said you have correctly diagnosed the problem's cause as
> > > option on the file for "Inherit from parent the permission entries
that
> > > apply to child objects..." does not get turned on even though in the
> > This setting is under the control of the application creating the
> > filesystem object, and, this is the settings that blocks inheritance, so
> > > on even though in the advanced options for
> > > both C:\ and C:\MyApp folders have a tick in "Inherit
> > > from parent the permission entries that apply to child objects.
> > they are ignored, or rather, blocked.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Brian Morris" <softcom@tstt.net.tt> wrote in message
> > news:uOeeevsDFHA.3452@TK2MSFTNGP09.phx.gbl...
> > > Hello,
> > > I need some help with setting the correct permissions on computers in
a
> > > domain.
> > >
> > > My problem is the if Administrator user logs in and runs an app that
> > creates
> > > a file in C:\MyApp, and then Non-Admin user logs in on the same
computer
> > and
> > > tries to access the file that was created the Non-Admin user has no
file
> > > permissions.
> > >
> > > I've noticed that after the Admin user logs off, the advanced security
> > > option on the file for "Inherit from parent the permission entries
that
> > > apply to child objects..." does not get turned on even though in the
> > > advanced options for both C:\ and C:\MyApp folders have a tick in
> "Inherit
> > > from parent the permission entries that apply to child objects.
Include
> > > these with..."
> > >
> > > I looked at the permissons on both C:\ and C:\MyApp.
> > > C:\
> > > Administrators - Full Control
> > > Creator Owner - Nothing
> > > EveryOne - Nothing
> > > System - Full Control
> > > Users - Read & Execute but not Modify not Write
> > >
> > > C:\MyApp
> > > Non-Admin - Nothing
> > > Administrators - Full Control
> > > Creator Owner - Nothing
> > > Domain Users - everything EXCEPT Full Control
> > > System - Full Control
> > > Domain Users - everything EXCEPT Full Control
> > >
> > > I don't know where else to look for the option that would tell a file
to
> > > inherit permissions from its folder.
> > >
> > > Thanks
> > > Brian
> > >
> > >
> >
> >
>
>
Anonymous
February 14, 2005 4:14:40 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Roger,
I understand what you say about the permissions. My code is not
manipulating the permissions so it should definitely (I think) have to do
with the folder settings

This is what I got...

cacls c:\MyApp
everyone:( 01)(CI)F
{I had them (my client) do it over the phone so we're not sure if its a zero
or an O}

cacls c:\MyApp\test.txt
everyone:F

cacls c:\MyApp\Temp.mdb
c:\MyApp\Temp.mdb softcom\brian:F
NT authority\system:F
builtin\adimistrators:F

I hope this tells you something.
Thanks a lot
Brian

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:o 5e0izlEFHA.464@TK2MSFTNGP15.phx.gbl...
> Brian,
> Try starting notepad, typing something and saving into the
> directory. If the permissions of the new file are not what
> you expect, then post for us the results from running at a
> cmd prompt
> cacls <path of folder>
> and then
> cacls <full file pathname>
> that we might see what is happening.
>
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Brian Morris" <softcom@tstt.net.tt> wrote in message
> news:enRspyeEFHA.2156@TK2MSFTNGP10.phx.gbl...
> > I can't say it does not happen for other apps because I don't know if
> other
> > apps do a similar thing, however no other app is giving problems.
> >
> > When you say "This setting is under the control of the application
> creating
> > the" does this mean that I should in my code be able to set the
behaviour?
> > Should this be the case? I would have thought not since it would mean
> that
> > I could write an app that would disregard the Windows security (like a
> virus
> > or something)
> > This is an MS access app and so far I can't find such options for the
> RENAME
> > filename function.
> >
> > Thanks
> > Brian
> >
> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > news:o ZcjRB9DFHA.4004@tk2msftngp13.phx.gbl...
> > > And this is only happening for new folders/files defined by
> > > that one application?
> > > You said you have correctly diagnosed the problem's cause as
> > > > option on the file for "Inherit from parent the permission entries
> that
> > > > apply to child objects..." does not get turned on even though in the
> > > This setting is under the control of the application creating the
> > > filesystem object, and, this is the settings that blocks inheritance,
so
> > > > on even though in the advanced options for
> > > > both C:\ and C:\MyApp folders have a tick in "Inherit
> > > > from parent the permission entries that apply to child objects.
> > > they are ignored, or rather, blocked.
> > >
> > > --
> > > Roger Abell
> > > Microsoft MVP (Windows Security)
> > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > "Brian Morris" <softcom@tstt.net.tt> wrote in message
> > > news:uOeeevsDFHA.3452@TK2MSFTNGP09.phx.gbl...
> > > > Hello,
> > > > I need some help with setting the correct permissions on computers
in
> a
> > > > domain.
> > > >
> > > > My problem is the if Administrator user logs in and runs an app that
> > > creates
> > > > a file in C:\MyApp, and then Non-Admin user logs in on the same
> computer
> > > and
> > > > tries to access the file that was created the Non-Admin user has no
> file
> > > > permissions.
> > > >
> > > > I've noticed that after the Admin user logs off, the advanced
security
> > > > option on the file for "Inherit from parent the permission entries
> that
> > > > apply to child objects..." does not get turned on even though in the
> > > > advanced options for both C:\ and C:\MyApp folders have a tick in
> > "Inherit
> > > > from parent the permission entries that apply to child objects.
> Include
> > > > these with..."
> > > >
> > > > I looked at the permissons on both C:\ and C:\MyApp.
> > > > C:\
> > > > Administrators - Full Control
> > > > Creator Owner - Nothing
> > > > EveryOne - Nothing
> > > > System - Full Control
> > > > Users - Read & Execute but not Modify not Write
> > > >
> > > > C:\MyApp
> > > > Non-Admin - Nothing
> > > > Administrators - Full Control
> > > > Creator Owner - Nothing
> > > > Domain Users - everything EXCEPT Full Control
> > > > System - Full Control
> > > > Domain Users - everything EXCEPT Full Control
> > > >
> > > > I don't know where else to look for the option that would tell a
file
> to
> > > > inherit permissions from its folder.
> > > >
> > > > Thanks
> > > > Brian
> > > >
> > > >
> > >
> > >
> >
> >
>
>
Anonymous
February 15, 2005 11:20:29 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi Brian

It is an OI (two letters) for Object Inherit

So the text file is as one would expect, while the mdb
is totally different.

This looks like the mdb may have first been made in
some other location on the same partition, where the
permissions of the containing folder are
System Full, Administrators Full, Creator Owner Full
and then moved to the MyApp folder

Moving a file within a partition takes the permissions
along with it. Now, the file will eventually receive the
inhertable permissions of the move-to location if this
inheritance is not blocked, but that "eventually" takes a
triggering event for it to happen.

If moving of the mdb is not involved then it would be
something about how Access works (?) so you may
want to ask there.
Given what you posted there is no way a file simply
created in or copied into MyApp should have other than
the permissions like those on test.txt
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brian Morris" <softcom@tstt.net.tt-nojunk> wrote in message
news:%23GGIRnrEFHA.3536@TK2MSFTNGP15.phx.gbl...
> Roger,
> I understand what you say about the permissions. My code is not
> manipulating the permissions so it should definitely (I think) have to do
> with the folder settings
>
> This is what I got...
>
> cacls c:\MyApp
> everyone:( 01)(CI)F
> {I had them (my client) do it over the phone so we're not sure if its a
zero
> or an O}
>
> cacls c:\MyApp\test.txt
> everyone:F
>
> cacls c:\MyApp\Temp.mdb
> c:\MyApp\Temp.mdb softcom\brian:F
> NT authority\system:F
> builtin\adimistrators:F
>
> I hope this tells you something.
> Thanks a lot
> Brian
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:o 5e0izlEFHA.464@TK2MSFTNGP15.phx.gbl...
> > Brian,
> > Try starting notepad, typing something and saving into the
> > directory. If the permissions of the new file are not what
> > you expect, then post for us the results from running at a
> > cmd prompt
> > cacls <path of folder>
> > and then
> > cacls <full file pathname>
> > that we might see what is happening.
> >
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Brian Morris" <softcom@tstt.net.tt> wrote in message
> > news:enRspyeEFHA.2156@TK2MSFTNGP10.phx.gbl...
> > > I can't say it does not happen for other apps because I don't know if
> > other
> > > apps do a similar thing, however no other app is giving problems.
> > >
> > > When you say "This setting is under the control of the application
> > creating
> > > the" does this mean that I should in my code be able to set the
> behaviour?
> > > Should this be the case? I would have thought not since it would mean
> > that
> > > I could write an app that would disregard the Windows security (like a
> > virus
> > > or something)
> > > This is an MS access app and so far I can't find such options for the
> > RENAME
> > > filename function.
> > >
> > > Thanks
> > > Brian
> > >
> > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > news:o ZcjRB9DFHA.4004@tk2msftngp13.phx.gbl...
> > > > And this is only happening for new folders/files defined by
> > > > that one application?
> > > > You said you have correctly diagnosed the problem's cause as
> > > > > option on the file for "Inherit from parent the permission entries
> > that
> > > > > apply to child objects..." does not get turned on even though in
the
> > > > This setting is under the control of the application creating the
> > > > filesystem object, and, this is the settings that blocks
inheritance,
> so
> > > > > on even though in the advanced options for
> > > > > both C:\ and C:\MyApp folders have a tick in "Inherit
> > > > > from parent the permission entries that apply to child objects.
> > > > they are ignored, or rather, blocked.
> > > >
> > > > --
> > > > Roger Abell
> > > > Microsoft MVP (Windows Security)
> > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > "Brian Morris" <softcom@tstt.net.tt> wrote in message
> > > > news:uOeeevsDFHA.3452@TK2MSFTNGP09.phx.gbl...
> > > > > Hello,
> > > > > I need some help with setting the correct permissions on computers
> in
> > a
> > > > > domain.
> > > > >
> > > > > My problem is the if Administrator user logs in and runs an app
that
> > > > creates
> > > > > a file in C:\MyApp, and then Non-Admin user logs in on the same
> > computer
> > > > and
> > > > > tries to access the file that was created the Non-Admin user has
no
> > file
> > > > > permissions.
> > > > >
> > > > > I've noticed that after the Admin user logs off, the advanced
> security
> > > > > option on the file for "Inherit from parent the permission entries
> > that
> > > > > apply to child objects..." does not get turned on even though in
the
> > > > > advanced options for both C:\ and C:\MyApp folders have a tick in
> > > "Inherit
> > > > > from parent the permission entries that apply to child objects.
> > Include
> > > > > these with..."
> > > > >
> > > > > I looked at the permissons on both C:\ and C:\MyApp.
> > > > > C:\
> > > > > Administrators - Full Control
> > > > > Creator Owner - Nothing
> > > > > EveryOne - Nothing
> > > > > System - Full Control
> > > > > Users - Read & Execute but not Modify not Write
> > > > >
> > > > > C:\MyApp
> > > > > Non-Admin - Nothing
> > > > > Administrators - Full Control
> > > > > Creator Owner - Nothing
> > > > > Domain Users - everything EXCEPT Full Control
> > > > > System - Full Control
> > > > > Domain Users - everything EXCEPT Full Control
> > > > >
> > > > > I don't know where else to look for the option that would tell a
> file
> > to
> > > > > inherit permissions from its folder.
> > > > >
> > > > > Thanks
> > > > > Brian
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
Anonymous
February 15, 2005 10:25:20 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Roger,
Yes you are right, I found that it 1st creates the new file in the
MyDocuments folder and then moves it to the C:\MyApp folder. I'll force it
to work in the C:\MyApp folder and see if that solves the whole problem.

What kind of events trigger "eventually"?

Thanks a lot
Brian

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:o 5p1yF3EFHA.1524@TK2MSFTNGP09.phx.gbl...
> Hi Brian
>
> It is an OI (two letters) for Object Inherit
>
> So the text file is as one would expect, while the mdb
> is totally different.
>
> This looks like the mdb may have first been made in
> some other location on the same partition, where the
> permissions of the containing folder are
> System Full, Administrators Full, Creator Owner Full
> and then moved to the MyApp folder
>
> Moving a file within a partition takes the permissions
> along with it. Now, the file will eventually receive the
> inhertable permissions of the move-to location if this
> inheritance is not blocked, but that "eventually" takes a
> triggering event for it to happen.
>
> If moving of the mdb is not involved then it would be
> something about how Access works (?) so you may
> want to ask there.
> Given what you posted there is no way a file simply
> created in or copied into MyApp should have other than
> the permissions like those on test.txt
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Brian Morris" <softcom@tstt.net.tt-nojunk> wrote in message
> news:%23GGIRnrEFHA.3536@TK2MSFTNGP15.phx.gbl...
> > Roger,
> > I understand what you say about the permissions. My code is not
> > manipulating the permissions so it should definitely (I think) have to
do
> > with the folder settings
> >
> > This is what I got...
> >
> > cacls c:\MyApp
> > everyone:( 01)(CI)F
> > {I had them (my client) do it over the phone so we're not sure if its a
> zero
> > or an O}
> >
> > cacls c:\MyApp\test.txt
> > everyone:F
> >
> > cacls c:\MyApp\Temp.mdb
> > c:\MyApp\Temp.mdb softcom\brian:F
> > NT authority\system:F
> > builtin\adimistrators:F
> >
> > I hope this tells you something.
> > Thanks a lot
> > Brian
> >
> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > news:o 5e0izlEFHA.464@TK2MSFTNGP15.phx.gbl...
> > > Brian,
> > > Try starting notepad, typing something and saving into the
> > > directory. If the permissions of the new file are not what
> > > you expect, then post for us the results from running at a
> > > cmd prompt
> > > cacls <path of folder>
> > > and then
> > > cacls <full file pathname>
> > > that we might see what is happening.
> > >
> > >
> > > --
> > > Roger Abell
> > > Microsoft MVP (Windows Security)
> > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > "Brian Morris" <softcom@tstt.net.tt> wrote in message
> > > news:enRspyeEFHA.2156@TK2MSFTNGP10.phx.gbl...
> > > > I can't say it does not happen for other apps because I don't know
if
> > > other
> > > > apps do a similar thing, however no other app is giving problems.
> > > >
> > > > When you say "This setting is under the control of the application
> > > creating
> > > > the" does this mean that I should in my code be able to set the
> > behaviour?
> > > > Should this be the case? I would have thought not since it would
mean
> > > that
> > > > I could write an app that would disregard the Windows security (like
a
> > > virus
> > > > or something)
> > > > This is an MS access app and so far I can't find such options for
the
> > > RENAME
> > > > filename function.
> > > >
> > > > Thanks
> > > > Brian
> > > >
> > > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > > news:o ZcjRB9DFHA.4004@tk2msftngp13.phx.gbl...
> > > > > And this is only happening for new folders/files defined by
> > > > > that one application?
> > > > > You said you have correctly diagnosed the problem's cause as
> > > > > > option on the file for "Inherit from parent the permission
entries
> > > that
> > > > > > apply to child objects..." does not get turned on even though in
> the
> > > > > This setting is under the control of the application creating the
> > > > > filesystem object, and, this is the settings that blocks
> inheritance,
> > so
> > > > > > on even though in the advanced options for
> > > > > > both C:\ and C:\MyApp folders have a tick in "Inherit
> > > > > > from parent the permission entries that apply to child objects.
> > > > > they are ignored, or rather, blocked.
> > > > >
> > > > > --
> > > > > Roger Abell
> > > > > Microsoft MVP (Windows Security)
> > > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > > "Brian Morris" <softcom@tstt.net.tt> wrote in message
> > > > > news:uOeeevsDFHA.3452@TK2MSFTNGP09.phx.gbl...
> > > > > > Hello,
> > > > > > I need some help with setting the correct permissions on
computers
> > in
> > > a
> > > > > > domain.
> > > > > >
> > > > > > My problem is the if Administrator user logs in and runs an app
> that
> > > > > creates
> > > > > > a file in C:\MyApp, and then Non-Admin user logs in on the same
> > > computer
> > > > > and
> > > > > > tries to access the file that was created the Non-Admin user has
> no
> > > file
> > > > > > permissions.
> > > > > >
> > > > > > I've noticed that after the Admin user logs off, the advanced
> > security
> > > > > > option on the file for "Inherit from parent the permission
entries
> > > that
> > > > > > apply to child objects..." does not get turned on even though in
> the
> > > > > > advanced options for both C:\ and C:\MyApp folders have a tick
in
> > > > "Inherit
> > > > > > from parent the permission entries that apply to child objects.
> > > Include
> > > > > > these with..."
> > > > > >
> > > > > > I looked at the permissons on both C:\ and C:\MyApp.
> > > > > > C:\
> > > > > > Administrators - Full Control
> > > > > > Creator Owner - Nothing
> > > > > > EveryOne - Nothing
> > > > > > System - Full Control
> > > > > > Users - Read & Execute but not Modify not
Write
> > > > > >
> > > > > > C:\MyApp
> > > > > > Non-Admin - Nothing
> > > > > > Administrators - Full Control
> > > > > > Creator Owner - Nothing
> > > > > > Domain Users - everything EXCEPT Full Control
> > > > > > System - Full Control
> > > > > > Domain Users - everything EXCEPT Full Control
> > > > > >
> > > > > > I don't know where else to look for the option that would tell a
> > file
> > > to
> > > > > > inherit permissions from its folder.
> > > > > >
> > > > > > Thanks
> > > > > > Brian
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
Anonymous
February 16, 2005 11:13:18 AM

Archived from groups: microsoft.public.win2000.security (More info?)

The eventually is most often an editing of a security
descriptor down within that upon saving triggers the
repropagation of inheritables.
However, this eventuality would not have impact
here since the mdb is marked to block inheritance.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brian Morris" <softcom@tstt.net.tt-nojunk> wrote in message
news:u%23K47a7EFHA.208@TK2MSFTNGP12.phx.gbl...
> Roger,
> Yes you are right, I found that it 1st creates the new file in the
> MyDocuments folder and then moves it to the C:\MyApp folder. I'll force
it
> to work in the C:\MyApp folder and see if that solves the whole problem.
>
> What kind of events trigger "eventually"?
>
> Thanks a lot
> Brian
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:o 5p1yF3EFHA.1524@TK2MSFTNGP09.phx.gbl...
> > Hi Brian
> >
> > It is an OI (two letters) for Object Inherit
> >
> > So the text file is as one would expect, while the mdb
> > is totally different.
> >
> > This looks like the mdb may have first been made in
> > some other location on the same partition, where the
> > permissions of the containing folder are
> > System Full, Administrators Full, Creator Owner Full
> > and then moved to the MyApp folder
> >
> > Moving a file within a partition takes the permissions
> > along with it. Now, the file will eventually receive the
> > inhertable permissions of the move-to location if this
> > inheritance is not blocked, but that "eventually" takes a
> > triggering event for it to happen.
> >
> > If moving of the mdb is not involved then it would be
> > something about how Access works (?) so you may
> > want to ask there.
> > Given what you posted there is no way a file simply
> > created in or copied into MyApp should have other than
> > the permissions like those on test.txt
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Brian Morris" <softcom@tstt.net.tt-nojunk> wrote in message
> > news:%23GGIRnrEFHA.3536@TK2MSFTNGP15.phx.gbl...
> > > Roger,
> > > I understand what you say about the permissions. My code is not
> > > manipulating the permissions so it should definitely (I think) have to
> do
> > > with the folder settings
> > >
> > > This is what I got...
> > >
> > > cacls c:\MyApp
> > > everyone:( 01)(CI)F
> > > {I had them (my client) do it over the phone so we're not sure if its
a
> > zero
> > > or an O}
> > >
> > > cacls c:\MyApp\test.txt
> > > everyone:F
> > >
> > > cacls c:\MyApp\Temp.mdb
> > > c:\MyApp\Temp.mdb softcom\brian:F
> > > NT authority\system:F
> > > builtin\adimistrators:F
> > >
> > > I hope this tells you something.
> > > Thanks a lot
> > > Brian
> > >
> > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > news:o 5e0izlEFHA.464@TK2MSFTNGP15.phx.gbl...
> > > > Brian,
> > > > Try starting notepad, typing something and saving into the
> > > > directory. If the permissions of the new file are not what
> > > > you expect, then post for us the results from running at a
> > > > cmd prompt
> > > > cacls <path of folder>
> > > > and then
> > > > cacls <full file pathname>
> > > > that we might see what is happening.
> > > >
> > > >
> > > > --
> > > > Roger Abell
> > > > Microsoft MVP (Windows Security)
> > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > "Brian Morris" <softcom@tstt.net.tt> wrote in message
> > > > news:enRspyeEFHA.2156@TK2MSFTNGP10.phx.gbl...
> > > > > I can't say it does not happen for other apps because I don't know
> if
> > > > other
> > > > > apps do a similar thing, however no other app is giving problems.
> > > > >
> > > > > When you say "This setting is under the control of the application
> > > > creating
> > > > > the" does this mean that I should in my code be able to set the
> > > behaviour?
> > > > > Should this be the case? I would have thought not since it would
> mean
> > > > that
> > > > > I could write an app that would disregard the Windows security
(like
> a
> > > > virus
> > > > > or something)
> > > > > This is an MS access app and so far I can't find such options for
> the
> > > > RENAME
> > > > > filename function.
> > > > >
> > > > > Thanks
> > > > > Brian
> > > > >
> > > > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > > > news:o ZcjRB9DFHA.4004@tk2msftngp13.phx.gbl...
> > > > > > And this is only happening for new folders/files defined by
> > > > > > that one application?
> > > > > > You said you have correctly diagnosed the problem's cause as
> > > > > > > option on the file for "Inherit from parent the permission
> entries
> > > > that
> > > > > > > apply to child objects..." does not get turned on even though
in
> > the
> > > > > > This setting is under the control of the application creating
the
> > > > > > filesystem object, and, this is the settings that blocks
> > inheritance,
> > > so
> > > > > > > on even though in the advanced options for
> > > > > > > both C:\ and C:\MyApp folders have a tick in "Inherit
> > > > > > > from parent the permission entries that apply to child
objects.
> > > > > > they are ignored, or rather, blocked.
> > > > > >
> > > > > > --
> > > > > > Roger Abell
> > > > > > Microsoft MVP (Windows Security)
> > > > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > > > "Brian Morris" <softcom@tstt.net.tt> wrote in message
> > > > > > news:uOeeevsDFHA.3452@TK2MSFTNGP09.phx.gbl...
> > > > > > > Hello,
> > > > > > > I need some help with setting the correct permissions on
> computers
> > > in
> > > > a
> > > > > > > domain.
> > > > > > >
> > > > > > > My problem is the if Administrator user logs in and runs an
app
> > that
> > > > > > creates
> > > > > > > a file in C:\MyApp, and then Non-Admin user logs in on the
same
> > > > computer
> > > > > > and
> > > > > > > tries to access the file that was created the Non-Admin user
has
> > no
> > > > file
> > > > > > > permissions.
> > > > > > >
> > > > > > > I've noticed that after the Admin user logs off, the advanced
> > > security
> > > > > > > option on the file for "Inherit from parent the permission
> entries
> > > > that
> > > > > > > apply to child objects..." does not get turned on even though
in
> > the
> > > > > > > advanced options for both C:\ and C:\MyApp folders have a tick
> in
> > > > > "Inherit
> > > > > > > from parent the permission entries that apply to child
objects.
> > > > Include
> > > > > > > these with..."
> > > > > > >
> > > > > > > I looked at the permissons on both C:\ and C:\MyApp.
> > > > > > > C:\
> > > > > > > Administrators - Full Control
> > > > > > > Creator Owner - Nothing
> > > > > > > EveryOne - Nothing
> > > > > > > System - Full Control
> > > > > > > Users - Read & Execute but not Modify not
> Write
> > > > > > >
> > > > > > > C:\MyApp
> > > > > > > Non-Admin - Nothing
> > > > > > > Administrators - Full Control
> > > > > > > Creator Owner - Nothing
> > > > > > > Domain Users - everything EXCEPT Full Control
> > > > > > > System - Full Control
> > > > > > > Domain Users - everything EXCEPT Full Control
> > > > > > >
> > > > > > > I don't know where else to look for the option that would tell
a
> > > file
> > > > to
> > > > > > > inherit permissions from its folder.
> > > > > > >
> > > > > > > Thanks
> > > > > > > Brian
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
>
Anonymous
February 16, 2005 11:16:20 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Brian,

an afterthought

If you cannot force it to create in MyApps to begin with,
then making it do the initial create on a different partition,
or making it copy into MyApps instead of moving would
solve your issue.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brian Morris" <softcom@tstt.net.tt-nojunk> wrote in message
news:u%23K47a7EFHA.208@TK2MSFTNGP12.phx.gbl...
> Roger,
> Yes you are right, I found that it 1st creates the new file in the
> MyDocuments folder and then moves it to the C:\MyApp folder. I'll force
it
> to work in the C:\MyApp folder and see if that solves the whole problem.
>
> What kind of events trigger "eventually"?
>
> Thanks a lot
> Brian
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:o 5p1yF3EFHA.1524@TK2MSFTNGP09.phx.gbl...
> > Hi Brian
> >
> > It is an OI (two letters) for Object Inherit
> >
> > So the text file is as one would expect, while the mdb
> > is totally different.
> >
> > This looks like the mdb may have first been made in
> > some other location on the same partition, where the
> > permissions of the containing folder are
> > System Full, Administrators Full, Creator Owner Full
> > and then moved to the MyApp folder
> >
> > Moving a file within a partition takes the permissions
> > along with it. Now, the file will eventually receive the
> > inhertable permissions of the move-to location if this
> > inheritance is not blocked, but that "eventually" takes a
> > triggering event for it to happen.
> >
> > If moving of the mdb is not involved then it would be
> > something about how Access works (?) so you may
> > want to ask there.
> > Given what you posted there is no way a file simply
> > created in or copied into MyApp should have other than
> > the permissions like those on test.txt
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Brian Morris" <softcom@tstt.net.tt-nojunk> wrote in message
> > news:%23GGIRnrEFHA.3536@TK2MSFTNGP15.phx.gbl...
> > > Roger,
> > > I understand what you say about the permissions. My code is not
> > > manipulating the permissions so it should definitely (I think) have to
> do
> > > with the folder settings
> > >
> > > This is what I got...
> > >
> > > cacls c:\MyApp
> > > everyone:( 01)(CI)F
> > > {I had them (my client) do it over the phone so we're not sure if its
a
> > zero
> > > or an O}
> > >
> > > cacls c:\MyApp\test.txt
> > > everyone:F
> > >
> > > cacls c:\MyApp\Temp.mdb
> > > c:\MyApp\Temp.mdb softcom\brian:F
> > > NT authority\system:F
> > > builtin\adimistrators:F
> > >
> > > I hope this tells you something.
> > > Thanks a lot
> > > Brian
> > >
> > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > news:o 5e0izlEFHA.464@TK2MSFTNGP15.phx.gbl...
> > > > Brian,
> > > > Try starting notepad, typing something and saving into the
> > > > directory. If the permissions of the new file are not what
> > > > you expect, then post for us the results from running at a
> > > > cmd prompt
> > > > cacls <path of folder>
> > > > and then
> > > > cacls <full file pathname>
> > > > that we might see what is happening.
> > > >
> > > >
> > > > --
> > > > Roger Abell
> > > > Microsoft MVP (Windows Security)
> > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > "Brian Morris" <softcom@tstt.net.tt> wrote in message
> > > > news:enRspyeEFHA.2156@TK2MSFTNGP10.phx.gbl...
> > > > > I can't say it does not happen for other apps because I don't know
> if
> > > > other
> > > > > apps do a similar thing, however no other app is giving problems.
> > > > >
> > > > > When you say "This setting is under the control of the application
> > > > creating
> > > > > the" does this mean that I should in my code be able to set the
> > > behaviour?
> > > > > Should this be the case? I would have thought not since it would
> mean
> > > > that
> > > > > I could write an app that would disregard the Windows security
(like
> a
> > > > virus
> > > > > or something)
> > > > > This is an MS access app and so far I can't find such options for
> the
> > > > RENAME
> > > > > filename function.
> > > > >
> > > > > Thanks
> > > > > Brian
> > > > >
> > > > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > > > news:o ZcjRB9DFHA.4004@tk2msftngp13.phx.gbl...
> > > > > > And this is only happening for new folders/files defined by
> > > > > > that one application?
> > > > > > You said you have correctly diagnosed the problem's cause as
> > > > > > > option on the file for "Inherit from parent the permission
> entries
> > > > that
> > > > > > > apply to child objects..." does not get turned on even though
in
> > the
> > > > > > This setting is under the control of the application creating
the
> > > > > > filesystem object, and, this is the settings that blocks
> > inheritance,
> > > so
> > > > > > > on even though in the advanced options for
> > > > > > > both C:\ and C:\MyApp folders have a tick in "Inherit
> > > > > > > from parent the permission entries that apply to child
objects.
> > > > > > they are ignored, or rather, blocked.
> > > > > >
> > > > > > --
> > > > > > Roger Abell
> > > > > > Microsoft MVP (Windows Security)
> > > > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > > > "Brian Morris" <softcom@tstt.net.tt> wrote in message
> > > > > > news:uOeeevsDFHA.3452@TK2MSFTNGP09.phx.gbl...
> > > > > > > Hello,
> > > > > > > I need some help with setting the correct permissions on
> computers
> > > in
> > > > a
> > > > > > > domain.
> > > > > > >
> > > > > > > My problem is the if Administrator user logs in and runs an
app
> > that
> > > > > > creates
> > > > > > > a file in C:\MyApp, and then Non-Admin user logs in on the
same
> > > > computer
> > > > > > and
> > > > > > > tries to access the file that was created the Non-Admin user
has
> > no
> > > > file
> > > > > > > permissions.
> > > > > > >
> > > > > > > I've noticed that after the Admin user logs off, the advanced
> > > security
> > > > > > > option on the file for "Inherit from parent the permission
> entries
> > > > that
> > > > > > > apply to child objects..." does not get turned on even though
in
> > the
> > > > > > > advanced options for both C:\ and C:\MyApp folders have a tick
> in
> > > > > "Inherit
> > > > > > > from parent the permission entries that apply to child
objects.
> > > > Include
> > > > > > > these with..."
> > > > > > >
> > > > > > > I looked at the permissons on both C:\ and C:\MyApp.
> > > > > > > C:\
> > > > > > > Administrators - Full Control
> > > > > > > Creator Owner - Nothing
> > > > > > > EveryOne - Nothing
> > > > > > > System - Full Control
> > > > > > > Users - Read & Execute but not Modify not
> Write
> > > > > > >
> > > > > > > C:\MyApp
> > > > > > > Non-Admin - Nothing
> > > > > > > Administrators - Full Control
> > > > > > > Creator Owner - Nothing
> > > > > > > Domain Users - everything EXCEPT Full Control
> > > > > > > System - Full Control
> > > > > > > Domain Users - everything EXCEPT Full Control
> > > > > > >
> > > > > > > I don't know where else to look for the option that would tell
a
> > > file
> > > > to
> > > > > > > inherit permissions from its folder.
> > > > > > >
> > > > > > > Thanks
> > > > > > > Brian
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
>
Anonymous
February 17, 2005 8:46:02 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Roger,
We tested it today and it seems to work just fine now. Problem solved (for
good I hope).
Thanks a lot
Brian

"Brian Morris" <softcom@tstt.net.tt-nojunk> wrote in message
news:u%23K47a7EFHA.208@TK2MSFTNGP12.phx.gbl...
> Roger,
> Yes you are right, I found that it 1st creates the new file in the
> MyDocuments folder and then moves it to the C:\MyApp folder. I'll force
it
> to work in the C:\MyApp folder and see if that solves the whole problem.
>
> What kind of events trigger "eventually"?
>
> Thanks a lot
> Brian
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:o 5p1yF3EFHA.1524@TK2MSFTNGP09.phx.gbl...
> > Hi Brian
> >
> > It is an OI (two letters) for Object Inherit
> >
> > So the text file is as one would expect, while the mdb
> > is totally different.
> >
> > This looks like the mdb may have first been made in
> > some other location on the same partition, where the
> > permissions of the containing folder are
> > System Full, Administrators Full, Creator Owner Full
> > and then moved to the MyApp folder
> >
> > Moving a file within a partition takes the permissions
> > along with it. Now, the file will eventually receive the
> > inhertable permissions of the move-to location if this
> > inheritance is not blocked, but that "eventually" takes a
> > triggering event for it to happen.
> >
> > If moving of the mdb is not involved then it would be
> > something about how Access works (?) so you may
> > want to ask there.
> > Given what you posted there is no way a file simply
> > created in or copied into MyApp should have other than
> > the permissions like those on test.txt
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Brian Morris" <softcom@tstt.net.tt-nojunk> wrote in message
> > news:%23GGIRnrEFHA.3536@TK2MSFTNGP15.phx.gbl...
> > > Roger,
> > > I understand what you say about the permissions. My code is not
> > > manipulating the permissions so it should definitely (I think) have to
> do
> > > with the folder settings
> > >
> > > This is what I got...
> > >
> > > cacls c:\MyApp
> > > everyone:( 01)(CI)F
> > > {I had them (my client) do it over the phone so we're not sure if its
a
> > zero
> > > or an O}
> > >
> > > cacls c:\MyApp\test.txt
> > > everyone:F
> > >
> > > cacls c:\MyApp\Temp.mdb
> > > c:\MyApp\Temp.mdb softcom\brian:F
> > > NT authority\system:F
> > > builtin\adimistrators:F
> > >
> > > I hope this tells you something.
> > > Thanks a lot
> > > Brian
> > >
> > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > news:o 5e0izlEFHA.464@TK2MSFTNGP15.phx.gbl...
> > > > Brian,
> > > > Try starting notepad, typing something and saving into the
> > > > directory. If the permissions of the new file are not what
> > > > you expect, then post for us the results from running at a
> > > > cmd prompt
> > > > cacls <path of folder>
> > > > and then
> > > > cacls <full file pathname>
> > > > that we might see what is happening.
> > > >
> > > >
> > > > --
> > > > Roger Abell
> > > > Microsoft MVP (Windows Security)
> > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > "Brian Morris" <softcom@tstt.net.tt> wrote in message
> > > > news:enRspyeEFHA.2156@TK2MSFTNGP10.phx.gbl...
> > > > > I can't say it does not happen for other apps because I don't know
> if
> > > > other
> > > > > apps do a similar thing, however no other app is giving problems.
> > > > >
> > > > > When you say "This setting is under the control of the application
> > > > creating
> > > > > the" does this mean that I should in my code be able to set the
> > > behaviour?
> > > > > Should this be the case? I would have thought not since it would
> mean
> > > > that
> > > > > I could write an app that would disregard the Windows security
(like
> a
> > > > virus
> > > > > or something)
> > > > > This is an MS access app and so far I can't find such options for
> the
> > > > RENAME
> > > > > filename function.
> > > > >
> > > > > Thanks
> > > > > Brian
> > > > >
> > > > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > > > news:o ZcjRB9DFHA.4004@tk2msftngp13.phx.gbl...
> > > > > > And this is only happening for new folders/files defined by
> > > > > > that one application?
> > > > > > You said you have correctly diagnosed the problem's cause as
> > > > > > > option on the file for "Inherit from parent the permission
> entries
> > > > that
> > > > > > > apply to child objects..." does not get turned on even though
in
> > the
> > > > > > This setting is under the control of the application creating
the
> > > > > > filesystem object, and, this is the settings that blocks
> > inheritance,
> > > so
> > > > > > > on even though in the advanced options for
> > > > > > > both C:\ and C:\MyApp folders have a tick in "Inherit
> > > > > > > from parent the permission entries that apply to child
objects.
> > > > > > they are ignored, or rather, blocked.
> > > > > >
> > > > > > --
> > > > > > Roger Abell
> > > > > > Microsoft MVP (Windows Security)
> > > > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > > > "Brian Morris" <softcom@tstt.net.tt> wrote in message
> > > > > > news:uOeeevsDFHA.3452@TK2MSFTNGP09.phx.gbl...
> > > > > > > Hello,
> > > > > > > I need some help with setting the correct permissions on
> computers
> > > in
> > > > a
> > > > > > > domain.
> > > > > > >
> > > > > > > My problem is the if Administrator user logs in and runs an
app
> > that
> > > > > > creates
> > > > > > > a file in C:\MyApp, and then Non-Admin user logs in on the
same
> > > > computer
> > > > > > and
> > > > > > > tries to access the file that was created the Non-Admin user
has
> > no
> > > > file
> > > > > > > permissions.
> > > > > > >
> > > > > > > I've noticed that after the Admin user logs off, the advanced
> > > security
> > > > > > > option on the file for "Inherit from parent the permission
> entries
> > > > that
> > > > > > > apply to child objects..." does not get turned on even though
in
> > the
> > > > > > > advanced options for both C:\ and C:\MyApp folders have a tick
> in
> > > > > "Inherit
> > > > > > > from parent the permission entries that apply to child
objects.
> > > > Include
> > > > > > > these with..."
> > > > > > >
> > > > > > > I looked at the permissons on both C:\ and C:\MyApp.
> > > > > > > C:\
> > > > > > > Administrators - Full Control
> > > > > > > Creator Owner - Nothing
> > > > > > > EveryOne - Nothing
> > > > > > > System - Full Control
> > > > > > > Users - Read & Execute but not Modify not
> Write
> > > > > > >
> > > > > > > C:\MyApp
> > > > > > > Non-Admin - Nothing
> > > > > > > Administrators - Full Control
> > > > > > > Creator Owner - Nothing
> > > > > > > Domain Users - everything EXCEPT Full Control
> > > > > > > System - Full Control
> > > > > > > Domain Users - everything EXCEPT Full Control
> > > > > > >
> > > > > > > I don't know where else to look for the option that would tell
a
> > > file
> > > > to
> > > > > > > inherit permissions from its folder.
> > > > > > >
> > > > > > > Thanks
> > > > > > > Brian
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
>
Anonymous
February 18, 2005 9:27:46 PM

Archived from groups: microsoft.public.win2000.security (More info?)

"Brian Morris" <softcom@tstt.net.tt-nojunk> wrote in message
news:%23Y3qMzTFFHA.2156@TK2MSFTNGP10.phx.gbl...
> Roger,
> We tested it today and it seems to work just fine now. Problem solved
(for
> good I hope).
> Thanks a lot
> Brian
>

That is good to hear.
Later,
--
Roger

> "Brian Morris" <softcom@tstt.net.tt-nojunk> wrote in message
> news:u%23K47a7EFHA.208@TK2MSFTNGP12.phx.gbl...
> > Roger,
> > Yes you are right, I found that it 1st creates the new file in the
> > MyDocuments folder and then moves it to the C:\MyApp folder. I'll force
> it
> > to work in the C:\MyApp folder and see if that solves the whole problem.
> >
> > What kind of events trigger "eventually"?
> >
> > Thanks a lot
> > Brian
> >
> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > news:o 5p1yF3EFHA.1524@TK2MSFTNGP09.phx.gbl...
> > > Hi Brian
> > >
> > > It is an OI (two letters) for Object Inherit
> > >
> > > So the text file is as one would expect, while the mdb
> > > is totally different.
> > >
> > > This looks like the mdb may have first been made in
> > > some other location on the same partition, where the
> > > permissions of the containing folder are
> > > System Full, Administrators Full, Creator Owner Full
> > > and then moved to the MyApp folder
> > >
> > > Moving a file within a partition takes the permissions
> > > along with it. Now, the file will eventually receive the
> > > inhertable permissions of the move-to location if this
> > > inheritance is not blocked, but that "eventually" takes a
> > > triggering event for it to happen.
> > >
> > > If moving of the mdb is not involved then it would be
> > > something about how Access works (?) so you may
> > > want to ask there.
> > > Given what you posted there is no way a file simply
> > > created in or copied into MyApp should have other than
> > > the permissions like those on test.txt
> > > --
> > > Roger Abell
> > > Microsoft MVP (Windows Security)
> > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > "Brian Morris" <softcom@tstt.net.tt-nojunk> wrote in message
> > > news:%23GGIRnrEFHA.3536@TK2MSFTNGP15.phx.gbl...
> > > > Roger,
> > > > I understand what you say about the permissions. My code is not
> > > > manipulating the permissions so it should definitely (I think) have
to
> > do
> > > > with the folder settings
> > > >
> > > > This is what I got...
> > > >
> > > > cacls c:\MyApp
> > > > everyone:( 01)(CI)F
> > > > {I had them (my client) do it over the phone so we're not sure if
its
> a
> > > zero
> > > > or an O}
> > > >
> > > > cacls c:\MyApp\test.txt
> > > > everyone:F
> > > >
> > > > cacls c:\MyApp\Temp.mdb
> > > > c:\MyApp\Temp.mdb softcom\brian:F
> > > > NT authority\system:F
> > > > builtin\adimistrators:F
> > > >
> > > > I hope this tells you something.
> > > > Thanks a lot
> > > > Brian
> > > >
> > > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > > news:o 5e0izlEFHA.464@TK2MSFTNGP15.phx.gbl...
> > > > > Brian,
> > > > > Try starting notepad, typing something and saving into the
> > > > > directory. If the permissions of the new file are not what
> > > > > you expect, then post for us the results from running at a
> > > > > cmd prompt
> > > > > cacls <path of folder>
> > > > > and then
> > > > > cacls <full file pathname>
> > > > > that we might see what is happening.
> > > > >
> > > > >
> > > > > --
> > > > > Roger Abell
> > > > > Microsoft MVP (Windows Security)
> > > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > > "Brian Morris" <softcom@tstt.net.tt> wrote in message
> > > > > news:enRspyeEFHA.2156@TK2MSFTNGP10.phx.gbl...
> > > > > > I can't say it does not happen for other apps because I don't
know
> > if
> > > > > other
> > > > > > apps do a similar thing, however no other app is giving
problems.
> > > > > >
> > > > > > When you say "This setting is under the control of the
application
> > > > > creating
> > > > > > the" does this mean that I should in my code be able to set the

> > > > behaviour?
> > > > > > Should this be the case? I would have thought not since it
would
> > mean
> > > > > that
> > > > > > I could write an app that would disregard the Windows security
> (like
> > a
> > > > > virus
> > > > > > or something)
> > > > > > This is an MS access app and so far I can't find such options
for
> > the
> > > > > RENAME
> > > > > > filename function.
> > > > > >
> > > > > > Thanks
> > > > > > Brian
> > > > > >
> > > > > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > > > > news:o ZcjRB9DFHA.4004@tk2msftngp13.phx.gbl...
> > > > > > > And this is only happening for new folders/files defined by
> > > > > > > that one application?
> > > > > > > You said you have correctly diagnosed the problem's cause as
> > > > > > > > option on the file for "Inherit from parent the permission
> > entries
> > > > > that
> > > > > > > > apply to child objects..." does not get turned on even
though
> in
> > > the
> > > > > > > This setting is under the control of the application creating
> the
> > > > > > > filesystem object, and, this is the settings that blocks
> > > inheritance,
> > > > so
> > > > > > > > on even though in the advanced options for
> > > > > > > > both C:\ and C:\MyApp folders have a tick in "Inherit
> > > > > > > > from parent the permission entries that apply to child
> objects.
> > > > > > > they are ignored, or rather, blocked.
> > > > > > >
> > > > > > > --
> > > > > > > Roger Abell
> > > > > > > Microsoft MVP (Windows Security)
> > > > > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > > > > "Brian Morris" <softcom@tstt.net.tt> wrote in message
> > > > > > > news:uOeeevsDFHA.3452@TK2MSFTNGP09.phx.gbl...
> > > > > > > > Hello,
> > > > > > > > I need some help with setting the correct permissions on
> > computers
> > > > in
> > > > > a
> > > > > > > > domain.
> > > > > > > >
> > > > > > > > My problem is the if Administrator user logs in and runs an
> app
> > > that
> > > > > > > creates
> > > > > > > > a file in C:\MyApp, and then Non-Admin user logs in on the
> same
> > > > > computer
> > > > > > > and
> > > > > > > > tries to access the file that was created the Non-Admin user
> has
> > > no
> > > > > file
> > > > > > > > permissions.
> > > > > > > >
> > > > > > > > I've noticed that after the Admin user logs off, the
advanced
> > > > security
> > > > > > > > option on the file for "Inherit from parent the permission
> > entries
> > > > > that
> > > > > > > > apply to child objects..." does not get turned on even
though
> in
> > > the
> > > > > > > > advanced options for both C:\ and C:\MyApp folders have a
tick
> > in
> > > > > > "Inherit
> > > > > > > > from parent the permission entries that apply to child
> objects.
> > > > > Include
> > > > > > > > these with..."
> > > > > > > >
> > > > > > > > I looked at the permissons on both C:\ and C:\MyApp.
> > > > > > > > C:\
> > > > > > > > Administrators - Full Control
> > > > > > > > Creator Owner - Nothing
> > > > > > > > EveryOne - Nothing
> > > > > > > > System - Full Control
> > > > > > > > Users - Read & Execute but not Modify not
> > Write
> > > > > > > >
> > > > > > > > C:\MyApp
> > > > > > > > Non-Admin - Nothing
> > > > > > > > Administrators - Full Control
> > > > > > > > Creator Owner - Nothing
> > > > > > > > Domain Users - everything EXCEPT Full Control
> > > > > > > > System - Full Control
> > > > > > > > Domain Users - everything EXCEPT Full Control
> > > > > > > >
> > > > > > > > I don't know where else to look for the option that would
tell
> a
> > > > file
> > > > > to
> > > > > > > > inherit permissions from its folder.
> > > > > > > >
> > > > > > > > Thanks
> > > > > > > > Brian
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
> >
>
>
!