+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 21
Windows Server 2008 R2 Thread, Deny Delete permission not working in Technical; Im trying to set up some folders with customised permissions in order to create a work 'hand in' area. It ...
  1. #1
    Admiral208's Avatar
    Join Date
    Mar 2008
    Location
    Bridgwater
    Posts
    723
    Thank Post
    176
    Thanked 63 Times in 55 Posts
    Rep Power
    40

    Deny Delete permission not working

    Im trying to set up some folders with customised permissions in order to create a work 'hand in' area.

    It works perfectly except for one thing.

    This is the basic folder structure where the problem lies...

    Folder1 - studentuser1 has modify permission for subfolders and files.
    --subfolder1 - Inheritance has been broken. studentuser1 has read and execute. Delete is denied.


    Here's the problem. Studentuser1 can still delete subfolder1 if its empty. If there is a file in there, they cannot delete the file and therefore the folder. I thought that an explicit deny took precedence over an explicit allow.

    Am I missing something really obvious?? How do I stop studentuser1 from deleting subfolder1 whilst allowing them to create and delete files and folders in Folder1?

    Thanks

    James

  2. #2

    Steve21's Avatar
    Join Date
    Feb 2011
    Location
    Swindon
    Posts
    2,824
    Thank Post
    372
    Thanked 544 Times in 507 Posts
    Rep Power
    184
    Seems to be working fine here.

    Unless I'm missing some permissions you've set (As based on the above they wouldn't be able to write into the folder etc)

    But if I give a student access as follows:

    StudentFolder - Modify
    SubFolder - Block inheritance + Read/Execute, and deny delete

    It stops them deleting it.

    1.png
    2.png
    3.png

    That's how you mean right?

    What other permissions do you have set though, as that wouldn't give write access to the folders etc

    Steve

  3. #3

    AngryTechnician's Avatar
    Join Date
    Oct 2008
    Posts
    3,730
    Thank Post
    698
    Thanked 1,214 Times in 761 Posts
    Rep Power
    395
    If you use the Advanced dialog you can set a Deny Delete permission on Folder1 and apply it to subfolders only. I think that should achieve what you need.

  4. #4

    Steve21's Avatar
    Join Date
    Feb 2011
    Location
    Swindon
    Posts
    2,824
    Thank Post
    372
    Thanked 544 Times in 507 Posts
    Rep Power
    184
    Quote Originally Posted by AngryTechnician View Post
    If you use the Advanced dialog you can set a Deny Delete permission on Folder1 and apply it to subfolders only. I think that should achieve what you need.
    I may be being dumb, but that would give same outcome surely? If for whatever reason one is being overriden, wouldn't it most likely be a full-control or something being inherited from higher up?

    Surely a deny on a folder, or a deny on subfolders one level up is identical? (As I said, I may be being dumb )

    Steve

  5. #5

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,271
    Thank Post
    884
    Thanked 2,749 Times in 2,322 Posts
    Blog Entries
    11
    Rep Power
    785

    Re: Deny Delete permission not working

    Quote Originally Posted by Steve21 View Post
    I may be being dumb, but that would give same outcome surely? If for whatever reason one is being overriden, wouldn't it most likely be a full-control or something being inherited from higher up?

    Surely a deny on a folder, or a deny on subfolders one level up is identical? (As I said, I may be being dumb )

    Steve
    Deny overrides allow though so a full control would not cause it.

  6. #6

    Steve21's Avatar
    Join Date
    Feb 2011
    Location
    Swindon
    Posts
    2,824
    Thank Post
    372
    Thanked 544 Times in 507 Posts
    Rep Power
    184
    Quote Originally Posted by SYNACK View Post
    Deny overrides allow though so a full control would not cause it.
    Not on a higher level. Having full control on Student1 Folder, would override deny on Subfolder?

    Steve

  7. #7

    Steve21's Avatar
    Join Date
    Feb 2011
    Location
    Swindon
    Posts
    2,824
    Thank Post
    372
    Thanked 544 Times in 507 Posts
    Rep Power
    184
    Example to the above:

    4.png
    5.png
    6.png
    7.png

    Doesn't matter what permission you put on the subfolder, as you have full control on the higher folder, so can delete anything below it.

    Steve

  8. Thanks to Steve21 from:

    Admiral208 (21st January 2013)

  9. #8

    Join Date
    Dec 2012
    Posts
    11
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Quote Originally Posted by SYNACK View Post
    Deny overrides allow though so a full control would not cause it.
    No ... The normal hierarchy for NTFS permissions is:


    • Explicit Deny
    • Explicit Allow
    • Inherited Deny
    • Inherited Allow


    Those rules are checked (from top to bottom) and the first match it finds are the permissions that get applied to the affected object(s).

    The *ONE* exception to normal behaviour, is if they've been granted FULL CONTROL of the parent folder, which is where your problem is stemming from.

    (Since they've been given full control of the (parent) directory, any child permissions are basically irrelevant because they've got full access to modify the underlying permissions anyway)

    You don't want students being able to modify/change security permissions (which Full Control obviously allows them to do) so should *NEVER* grant students Full Control of *ANYTHING* ...

    Granting them MODIFY access gives them full control over everything *EXCEPT* changing security permissions, which is what you should be setting instead.

    It also solves the problem you're having with them being able to delete things which they're not supposed to.


    Last edited by DavidTomic; 21st January 2013 at 02:12 PM.

  10. #9

    Steve21's Avatar
    Join Date
    Feb 2011
    Location
    Swindon
    Posts
    2,824
    Thank Post
    372
    Thanked 544 Times in 507 Posts
    Rep Power
    184
    Quote Originally Posted by DavidTomic View Post
    The *ONE* exception to normal behaviour, is if they've been granted FULL CONTROL of the parent folder, which is where your problem is stemming from.

    (Since they've been given full control of the (parent) directory, any child permissions are basically irrelevant because they've got full access to modify the underlying permissions anyway)
    Which is what I said?

    If you have full control on Student1 folder, the permissions on the subfolder don't matter.

    As per MS:
    IMPORTANT: Groups or users who are granted Full Control on a folder can delete any files in that folder regardless of the permissions that protect the file.
    Steve

  11. #10

    Join Date
    Dec 2012
    Posts
    11
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Quote Originally Posted by Steve21 View Post

    If you have full control on Student1 folder, the permissions on the subfolder don't matter.
    Which is exactly why you *DON'T* grant Full Control permissions in the first place ...

    EDIT - I just updated my last post to (hopefully) make things a little bit clearer. Does that help at all?
    Last edited by DavidTomic; 21st January 2013 at 02:01 PM.

  12. #11

    Steve21's Avatar
    Join Date
    Feb 2011
    Location
    Swindon
    Posts
    2,824
    Thank Post
    372
    Thanked 544 Times in 507 Posts
    Rep Power
    184
    Quote Originally Posted by DavidTomic View Post
    Which is exactly why you *DON'T* grant Full Control permissions in the first place ...
    I think you're misunderstanding the whole point to what I said above...

    If you read what I said I'm explaining that it shouldn't matter if you deny permissions on a folder, or do it to the parent via subfolder deny, as long as it's not overrided by any full control.

  13. #12

    Join Date
    Dec 2012
    Posts
    11
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Quote Originally Posted by Steve21 View Post
    I think you're misunderstanding the whole point to what I said above...

    If you read what I said I'm explaining that it shouldn't matter if you deny permissions on a folder, or do it to the parent via subfolder deny, as long as it's not overrided by any full control.
    Sorry ... I understand EXACTLY what you're saying, and you're absolutely correct.

    When I read your post I had you mixed up with the OP who was actually having the problem to begin with.

  14. #13

    Steve21's Avatar
    Join Date
    Feb 2011
    Location
    Swindon
    Posts
    2,824
    Thank Post
    372
    Thanked 544 Times in 507 Posts
    Rep Power
    184
    Quote Originally Posted by DavidTomic View Post
    Sorry ... I understand EXACTLY what you're saying, and you're absolutely correct.

    When I read your post I had you mixed up with the OP who was actually having the problem to begin with.
    Ah lol.

    No idea if there are any Full Controls etc involved on Admirals end, but that's only way I can see for it to not be working as expected. Unless there's some extra permissions coming into play from "somewhere" or just my test missing something obvious.

    Guess we'll have to wait for Admiral

    Steve

  15. #14
    Admiral208's Avatar
    Join Date
    Mar 2008
    Location
    Bridgwater
    Posts
    723
    Thank Post
    176
    Thanked 63 Times in 55 Posts
    Rep Power
    40
    Thanks guys. so when i said they have modify permissions, what I actually meant was they have special permissions which I thought was equivalent to modify.

    It appears that the permissions are not quite the same. They are set to allow delete subfolders and files rather than delete, like you would get in Modify.

    perms1.PNG

    Ive set it like this to protect Folder1 from being deleted also.

    Any suggestions?

  16. #15

    Steve21's Avatar
    Join Date
    Feb 2011
    Location
    Swindon
    Posts
    2,824
    Thank Post
    372
    Thanked 544 Times in 507 Posts
    Rep Power
    184
    Quote Originally Posted by Admiral208 View Post
    Thanks guys. so when i said they have modify permissions, what I actually meant was they have special permissions which I thought was equivalent to modify.

    It appears that the permissions are not quite the same. They are set to allow delete subfolders and files rather than delete, like you would get in Modify.

    perms1.PNG

    Ive set it like this to protect Folder1 from being deleted also.


    Any suggestions?
    If you set that on Folder1 (Not sub) it'd stll let the subfolder be deleted though, which I'm assuming you don't want?

    Steve



SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Shared Calendars - Permissions Not Working!
    By MyBrainHurts in forum Enterprise Software
    Replies: 4
    Last Post: 5th April 2011, 12:23 PM
  2. Moodle - Permissions are not working
    By Achandler in forum Virtual Learning Platforms
    Replies: 6
    Last Post: 27th April 2010, 11:28 AM
  3. Permissions not working?
    By Jambo_C in forum Windows Server 2000/2003
    Replies: 7
    Last Post: 9th April 2010, 12:14 PM
  4. Replies: 3
    Last Post: 16th February 2006, 01:36 PM
  5. Permissions not working
    By mark in forum Windows
    Replies: 5
    Last Post: 19th October 2005, 01:21 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •