|Subject:||Folder permissions - deny users, allow administrator|
|Posted by:||dima (di…@discussions.microsoft.com)|
|Date:||Fri, 16 Nov 2007|
I am trying to create folder with permissions, such that, all current and
future contents of the folder will allow for read-only access to all members
of the Users group, and allow full control to the Administrators group.
Here's a simplified version of my setup (running on Windows 2003 Server):
"root_folder" is shared, with full control given to Everyone. Security
permissions on the folder itself are full control for Administrators,
Creator/Owner, and Users (folder, subfolders, and files). Both "completed"
and "working" are set to inherit from "root_folder". In addition, "completed"
has an extra permission, set to deny everything except read access to Users.
What I find is that, this deny permission also applies to the Administrator
account, which is in no way a member of the Users group.
I want to be able to move any folder from "working" into "completed"
(regardless of who the folder owner/creator is), and by doing so,
automatically make the folder read-only to members of the Users group. From
what I know about NTFS permissions, this basically forces me to use explicit
Deny permissions. If I simply remove the Users group from the permission
entries of "completed", then any folder created by a member of the Users
group will still be under full control of that user, even after being moved
to "completed". I also do not want to re-apply all child permissions every
time I move a folder into "completed".
I hope I made sense. I would appreciate any help anyone can give me.
Thanks in advance.