NTFS permissions - child items being deleted when user tries to delete the parent folder
Hi Arthur, Thanks for the reply. You may have missed what I am looking to do thou. The sub folders are not personal folders. Folders may be called 'Projects' 'Documentation' etc... Within the IS department group, all staff would have access to all sub folders under ..\IS\ The 'How it works' link is a useful read but still doesn't explain why a user that only has 'read only' permissions to the parent folder (when looking at it from the granparent folder) is able to delete the contents of that folder (which they do have delete permissions for). I would have expected that the permissions on the parent folder be checked, noting that the user only has read access, and the system would not then enumerate the full contents of the folder and start deleting them. This seems like a flaw in how permissions are checked within windows. Unless of course anyone knows of a simple way to prevent this. Regards, Baz
October 3rd, 2012 4:44am

HI all, I need some help please with setting ntfs advanced security settings. Problem: Users browse a file share and select a department folder and try to delete it. User does not have ntfs delete permissions to the parent folder, but do have delete permissions to the sub folders and files. As a result, all sub content is deleted even thou the user can't delete the parent folder. E.g. user is in fqdn\fileshare\ and selects \IS\ and tries to delete it. \IS\ remains but all sub content gets deleted. Environment: Windows 2008 R2 file server. DFS namespace and shared folders using ABE. Windows XP and 7 clients connected via a single mapped drive letter (allows the users access to multiple folders based on their group membership (using ABE)). All users are in 2 department groups - a read only group and a modify group (Eg. group-IS-read & group-IS-Modify). The readonly group is assigned ntfs security rights to the department folder ( \IS\ ) while the modify group is assigned ntfs security rights to the sub-folders ( ..\IS\folder1\ & ..\IS\folder2\ ). IS dept create the department folders and the first level sub-folders (eg see below \IS\folder1\). Within a department folder, users cannot create files or folders at that level but have modify access to all files and folders below that. Example File structure: DFS namespace - fqdn\fileshare\ ABE shared folders - fqdn\fileshare\general\ - fqdn\fileshare\finance\ - fqdn\fileshare\IS\folder1\ - fqdn\fileshare\IS\folder2\ Outcome: I'd like to be able to assign all permissions mainly to the department fodlers only ( \IS\ ) if possible. Else I can apply the modify group settings to the sub-folders when creating them (as currently being done).I want to stop the sub content being deleted when a user tries to delete the department folder. User should also be unable to delete the top level sub folders ( \IS\folder1\ etc).User should only be able to delete sub content within ..\folder1\ when the user is in that folder (and not from any of the parent folders). Other things I've tried: plenty of searches on ntfs permissions. Spent a day trying different combinations of very granular ntfs permissions. Plenty of hair pulling :) Any help is very much welcome. Thanks, Baz
Free Windows Admin Tool Kit Click here and download it now
October 3rd, 2012 11:59am

Hi, I would like to suggest you create other sub folders for each user under the current sub folder and give the modify permission to the personal sub folders only. For the detailed information, please refer to the following Microsoft TechNet article: How IT works: NTFS Permissions http://technet.microsoft.com/en-us/magazine/2005.11.howitworksntfs.aspx For the permissions settings for these personal sub folders, you may refer to the following link: Security Considerations when Configuring Folder Redirection http://technet.microsoft.com/en-us/library/cc775853(v=WS.10).aspx Regards, Arthur Li TechNet Subscriber Support If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.Arthur Li TechNet Community Support
October 4th, 2012 1:47am

Hi, You may be interest in the following article: Permissions for files and folders: http://technet.microsoft.com/en-us/library/cc787794(v=WS.10).aspx Regards, DennyPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
October 19th, 2012 9:49am

Hi, You may be interest in the following article: Permissions for files and folders: http://technet.microsoft.com/en-us/library/cc787794(v=WS.10).aspx Regards, DennyPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
October 19th, 2012 9:49am

Solution to above: Apply all permissions at the IS folder level as below. New query: The above setup works well. How do I change the permissions to allow a group of power users within the department (or even the IS helpdesk) to create and delete sub-department folders only while still being able to fully modify the content of any sub folder (providing they have access to that department)? I have tried adding them to the IS folder level, but this presents the same issue as the original post (power user could click delete on the IS folder and delete all contents without actually deleting the IS folder itself). Any ideas? Thanks, Baz
Free Windows Admin Tool Kit Click here and download it now
November 3rd, 2012 8:57am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics