File System permissions


hallstein

I'm trying to make
C:\ (and subfolders) - only admins can make dirs
C:\WORK - all users and admins have FULL access


Object Name          Permission                                                        Audit
%SystemDrive%\       <Propagate inheritable permissions to all subfolders and files>
%SystemDrive%\WORK   <Propagate inheritable permissions to all subfolders and files>


It seems to me that the first entry will make the second un-working.
That means that C:\WORK still has the settings as C:\
How can I make this work?
 
For Work, go into the advanced settings for the security. Make sure "Allow
inheritable permissions from the parent to propagate to this object" is
unchecked. That will make it a protected set of security settings which
should fix your problem.

Also, it sounds like you want to change the propagation to "Replace existing
permissions on all subfolders and files with inheritable permissions" so
that everyone has the same access.

 
No, this won't work. I've tried this.

I wonder how those file permissions are applied. Is there a way of
knowing which was done first? I wonder if C:\WORK settings are
propagated, and THEN the C:\ is overwriting it all. Because I constantly
see that C:\WORK gets those settings, and I've tried to toggle different
settings!
 
I fixed it to some extent..

I made two group policies. First the one that applied to C:\WORK
(default settings)
Then another one that applied to C:\ (default settings). I reckon it's
important that the C:\WORK settings are applied first in my domain.

However I'm facing another problem.. I cannot prevent people from
deleting C:\WORK ! How can I prevent this?
 
In response to your wondering about the order in which the file permissions
would be set, I will say that there is a defined order. It doesn't matter
what order you define the options in the UI. When the engine is configuring
your template, it creates a representation of all the file permissions in
memory. As it's configuring this, it starts at the root directory and works
its way down. So if you had c:\work listed first in the UI and then c:\,
the engine would configure c:\ first and then c:\work as it is drilling down
through the subdirectories.

If you created two group policies, that's effectively the same as creating
one after all of the GPO merging occurs. If you created the same entries in
a single GPO, you should get the same configuration occurring.

You should try editing the individual permissions on that object in the
Advanced settings. Uncheck the two Delete permissions and people shouldn't
be able to delete anymore.

 
I post an update to this..

I've given users full access to C:\WORK.
But how can I prevent a user from removing that folder?
I've tried to make a sub-dir called "C:\WORK\Directory Holder" and
prevent any access into that folder, but users can still remove the
C:\WORK (even if they do not have access in the WORK\Directory Holder).
So... How do I fix this? I would not like to prevent users from removing
files/subfolders inside WORK.
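
An added example, not part of the thread: one ACL layout for what the last post asks, combining the advice above (a protected ACL on C:\WORK and no Delete right on the folder object itself) in PowerShell. The path C:\WORK is from the thread; the BUILTIN\Users and BUILTIN\Administrators group names and the choice of Modify instead of Full Control for users are assumptions.

```powershell
using namespace System.Security.AccessControl
# Added example. Group names are assumptions; run from an elevated prompt.
$path   = 'C:\WORK'
$users  = [System.Security.Principal.NTAccount]'BUILTIN\Users'
$admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
$allow  = [AccessControlType]::Allow
$both   = [InheritanceFlags]'ContainerInherit, ObjectInherit'

$acl = Get-Acl -LiteralPath $path

# Protected ACL: stop inheriting from C:\ and discard the inherited entries
# (same effect as unchecking "Allow inheritable permissions from the parent").
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit entries already present for the two groups managed here.
$acl.PurgeAccessRules($users)
$acl.PurgeAccessRules($admins)

# Administrators: Full Control on the folder and everything below it.
$acl.AddAccessRule([FileSystemAccessRule]::new(
    $admins, [FileSystemRights]::FullControl, $both, [PropagationFlags]::None, $allow))

# Users, "This folder only": Modify minus Delete, so they can list and create
# but cannot delete C:\WORK itself. Full Control here would include
# Change Permissions, which lets a user grant Delete back to themselves.
$acl.AddAccessRule([FileSystemAccessRule]::new(
    $users, [FileSystemRights]'ReadAndExecute, Write',
    [InheritanceFlags]::None, [PropagationFlags]::None, $allow))

# Users, "Subfolders and files only": Modify (includes Delete) on the children.
$acl.AddAccessRule([FileSystemAccessRule]::new(
    $users, [FileSystemRights]::Modify, $both, [PropagationFlags]::InheritOnly, $allow))

Set-Acl -LiteralPath $path -AclObject $acl

# A delete also succeeds when the caller holds "Delete Subfolders and Files"
# on the parent folder, so list who has that right on C:\ itself.
$parent = Split-Path -Path $path -Parent
(Get-Acl -LiteralPath $parent).Access | Where-Object {
    $_.AccessControlType -eq $allow -and
    -not ($_.PropagationFlags -band [PropagationFlags]::InheritOnly) -and
    ($_.FileSystemRights -band [FileSystemRights]::DeleteSubdirectoriesAndFiles)
} | Format-Table IdentityReference, FileSystemRights -AutoSize

# Review the result on C:\WORK.
(Get-Acl -LiteralPath $path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
```

If the parent listing shows anything other than administrative accounts, members of that group can still delete C:\WORK regardless of the ACL on the folder.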
 