Please help with folder permissions

Hi,

This might not be possible but in Windows 2000 can you make a folder
(let's say data) available for everyone to see and create folders in,
but once a folder has been created only the owner can read/write in
it?

Thanks
 
> Hi,
>
> This might not be possible but in Windows 2000 can you make a folder
> (let's say data) available for everyone to see and create folders in,
> but once a folder has been created only the owner can read/write in
> it?


Give "Full control" for "Sub-folders only" to "CREATOR OWNER" and to
"Everyone" you give special permissions, Traverse folder, List folder,
Read Attributes, Read Extended Attributes, Create Folders and Read
Permissions for "This folder only".
 
> Give "Full control" for "Sub-folders only" to "CREATOR OWNER" and to
> "Everyone" you give special permissions, Traverse folder, List folder,
> Read Attributes, Read Extended Attributes, Create Folders and Read
> Permissions for "This folder only".


Thank you for the prompt reply!!

It seemed to work at first but I now have the problem that when you
add permissions to Creator Owner and click OK your ticks (where you
added the permissions) just disappear. Also I'm not sure if it's
connected but when you click OK the PC's administrators group appears
in the list but with no rights.

Do you have any ideas why the rights I assign to Creator Owner just
vanish?

Thanks
 
> Thank you for the prompt reply!!
>
> It seemed to work at first but I now have the problem that when you
> add permissions to Creator Owner and click OK your ticks (where you
> added the permissions) just disappear. Also I'm not sure if it's
> connected but when you click OK the PC's administrators group appears
> in the list but with no rights.

There should be rights assigned, you just have to click the "Advanced"
button to see them.

> Do you have any ideas why the rights I assign to Creator Owner just
> vanish?


Yes, "Creator Owner" is not an object used in actual access control for
files, it can only be translated into an owner object and that way used
to control access. So when "Creator Owner" is assigned to a new file it
is translated to the owner of that file, in this case the Administrators
group.
 
Hi,

If I might inject here . . .
Olaf is quite correct in what he has outlined.
The Creator Owner permissions, after you have defined them and
clicked OK, are automatically adjusted to a grant for Subfolders
and Files, making it display outside of the Advanced view as
a Special grant.

What I really wanted to add was that, where Olaf suggested a
grant to Everyone for "This folder only", you might in fact want
to also allow reading of files in the topmost directory, which
that grant does not include. It all depends on what you are after.
If they should be able to read files at the top, then also add a
grant of Read and use the Advanced view to adjust it to Files
Only. Also, it may not matter in some circumstances, but I tend
to never use Everyone (old habit perhaps) but instead would
use a custom group, or Domain Users, or even Authenticated
Users, choosing what is most narrow but inclusive of those that
ought to have the grant.
 
Thanks for the replies. The Creator Owner bit makes sense now!

However I'm still having problems :-(

I have a folder called data. That folder has the following settings:

Allow inheritable permissions.... Off (no tick)

Domain admins group has full control.

Creator Owner has full control (from ticking every box) applying to
subfolders only

Everyone has Traverse folder, List folder, Read Attributes, Read
Extended Attributes, Create Folders and Read Permissions set on this
folder only.

If I login as a user I can create a folder no problem. I can create a
file (i.e. a txt file) but the problem is I cannot edit the file or
save it.

Any ideas?

Cheers
 
Just to add to this I have sort of figured out what it is.

All the domain users are a member of the local administrators group.

It would seem that when a user creates a folder the creator owner
becomes the local admin group not the user!!

If I remove domain users from local administrators it all works fine!
The user becomes the owner not the local admin group.

The problem now though is the users have to be a member of the local
admin group.

Any help or suggestions on this would be much appreciated!
 
I am not intending to encourage use of admin by all of the local logins,
but given that you have said they must be, then you might want to check
out the policy, in the security options section, under system objects,
"Default owner for objects created by members of the Administrators group"

Given that all are admins, the separation of access that is being
effected by all of this effort is more in appearance than in any
sort of actual fact.
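
The permission set worked out in this thread, written as a PowerShell script, together with the owner check that exposes the problem the poster ran into. This is an added example, not code from any of the posters; it assumes a current Windows with PowerShell 5 or later rather than the Windows 2000 dialogs, and the function names, the `$Path` parameter and the use of BUILTIN\Administrators in place of Domain Admins are assumptions.

```powershell
# Added example, not from the thread. Function names and $Path are hypothetical.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

function Set-DropFolderAcl {
    param([Parameter(Mandatory)][string]$Path)

    $admins       = [SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators (assumed stand-in for Domain Admins)
    $creatorOwner = [SecurityIdentifier]'S-1-3-0'       # CREATOR OWNER
    $everyone     = [SecurityIdentifier]'S-1-1-0'       # Everyone

    $acl = Get-Acl -LiteralPath $Path
    # "Allow inheritable permissions" off: protect the DACL and drop inherited ACEs.
    $acl.SetAccessRuleProtection($true, $false)
    # Clear the remaining explicit ACEs so only the three entries below are left.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRuleAll($rule) }

    # Administrators: Full control on this folder, subfolders and files.
    $acl.AddAccessRule([FileSystemAccessRule]::new(
        $admins, [FileSystemRights]'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'))
    # CREATOR OWNER: Full control, "Subfolders only" = ContainerInherit + InheritOnly.
    # Adding ObjectInherit would give the "Subfolders and Files" scope mentioned in the thread.
    $acl.AddAccessRule([FileSystemAccessRule]::new(
        $creatorOwner, [FileSystemRights]'FullControl', 'ContainerInherit', 'InheritOnly', 'Allow'))
    # Everyone: the listed special permissions, "This folder only" = no inheritance flags.
    $rights = [FileSystemRights]('Traverse, ListDirectory, ReadAttributes, ' +
        'ReadExtendedAttributes, CreateDirectories, ReadPermissions')
    $acl.AddAccessRule([FileSystemAccessRule]::new($everyone, $rights, 'None', 'None', 'Allow'))

    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-SubfolderOwner {
    param([Parameter(Mandatory)][string]$Path)
    # CREATOR OWNER is replaced by each subfolder's owner at creation time, so a
    # subfolder owned by the Administrators group is open to every member of it.
    Get-ChildItem -LiteralPath $Path -Directory | ForEach-Object {
        $owner = (Get-Acl -LiteralPath $_.FullName).GetOwner([SecurityIdentifier])
        [pscustomobject]@{
            Folder             = $_.Name
            OwnerSid           = $owner.Value
            OwnedByAdminsGroup = ($owner.Value -eq 'S-1-5-32-544')
        }
    }
}
```

Run `Set-DropFolderAcl` once on the shared folder from an administrative session, then `Get-SubfolderOwner` on the same path after users have created folders; any row with `OwnedByAdminsGroup` set to true has the inherited Full control ACE assigned to the group, not to the user.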
 