Folder permissions - deny users, allow administrator

Giganews Newsgroups
Subject: Folder permissions - deny users, allow administrator
Posted by:  dima (di…@discussions.microsoft.com)
Date: Fri, 16 Nov 2007

Hi there,

I am trying to create folder with permissions, such that, all current and
future contents of the folder will allow for read-only access to all members
of the Users group, and allow full control to the Administrators group.

Here's a simplified version of my setup (running on Windows 2003 Server):

root_folder
    completed
        folder 1
        folder 2
        folder 3
        ...
    working
        folder 4
        folder 5
        folder 6
        ...

"root_folder" is shared, with full control given to Everyone. Security
permissions on the folder itself are full control for Administrators,
Creator/Owner, and Users (folder, subfolders, and files). Both "completed"
and "working" are set to inherit from "root_folder". In addition, "completed"
has an extra permission, set to deny everything except read access to Users.
What I find is that, this deny permission also applies to the Administrator
account, which is in no way a member of the Users group.

I want to be able to move any folder from "working" into "completed"
(regardless of who the folder owner/creator is), and by doing so,
automatically make the folder read-only to members of the Users group. From
what I know about NTFS permissions, this basically forces me to use explicit
Deny permissions. If I simply remove the Users group from the permission
entries of "completed", then any folder created by a member of the Users
group will still be under full control of that user, even after being moved
to "completed". I also do not want to re-apply all child permissions every
time I move a folder into "completed".

I hope I made sense. I would appreciate any help anyone can give me.

Thanks in advance.

--
dima

Replies