June 28th, 2005, 01:35 PM
Server 2003 'Deny Delete' Questions
New to the forum, hope this isn't a repost.
I'm a SysAdmin for a Windows 2003 Server platform. I want the users - who are all within a domain group - to be able to create a new folder with underlying subfolders/files, then have them set permissions such that underlying subfolders/files can be added/deleted/modified, but the new folder itself cannot be deleted by the domain group (including the originator).
This seemed like it should be simple - after removing permission inheritance (copying the inherited permissions), edit the domain group permission entry to set 'deny delete - this folder only'. However, this doesn't work - the users can still delete not only the underlying stuff, but the new folder as well.
I've tried about every combination of permission settings possible, and just can't get the desired result. Is what I'm trying to do even possible? Does anybody know why 'deny delete' has no apparent effect? Any suggestions on what might work?
June 28th, 2005, 07:50 PM
IIRC if you don't force the "deny delete" down through the subtree it won't apply to the existing subfolders but it will on any folders that you subsequently add to that folder and their children.
IOW inheritance is not automatic nor dynamic for existing children but only for subsequent children of the folder.
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
June 29th, 2005, 03:51 PM
Tiger Shark, I appreciate the info. I didn't fully understand how inheritance affects existing vs. subsequent child objects.
However, my real question - which I may have stated poorly in my original post - remains: Can a domain group member create a folder and then set that folder's permissions such that:
- domain group members (including the originator) cannot delete the folder
- domain group members (including the originator) can add/delete folder children (subfolders and/or files)?
June 29th, 2005, 07:54 PM
You can do most of what you want with the advanced permissions. Of course as long as your user that created the original folder is still the owner of it, he can do anything he wants with it.
Click advanced and add the group, then view/edit it and select whether to apply to this folder, or subfolders and such. Its much more granular in the advanced section.