Server 2003 'Deny Delete' Questions
Results 1 to 4 of 4

Thread: Server 2003 'Deny Delete' Questions

  1. #1
    Junior Member
    Join Date
    Jun 2005
    Posts
    2

    Question Server 2003 'Deny Delete' Questions

    New to the forum, hope this isn't a repost.

    I'm a SysAdmin for a Windows 2003 Server platform. I want the users - who are all within a domain group - to be able to create a new folder with underlying subfolders/files, then have them set permissions such that underlying subfolders/files can be added/deleted/modified, but the new folder itself cannot be deleted by the domain group (including the originator).

    This seemed like it should be simple - after removing permission inheritance (copying the inherited permissions), edit the domain group permission entry to set 'deny delete - this folder only'. However, this doesn't work - the users can still delete not only the underlying stuff, but the new folder as well.

    I've tried about every combination of permission settings possible, and just can't get the desired result. Is what I'm trying to do even possible? Does anybody know why 'deny delete' has no apparent effect? Any suggestions on what might work?

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    IIRC if you don't force the "deny delete" down through the subtree it won't apply to the existing subfolders but it will on any folders that you subsequently add to that folder and their children.

    IOW inheritance is not automatic nor dynamic for existing children but only for subsequent children of the folder.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    Junior Member
    Join Date
    Jun 2005
    Posts
    2
    Tiger Shark, I appreciate the info. I didn't fully understand how inheritance affects existing vs. subsequent child objects.

    However, my real question - which I may have stated poorly in my original post - remains: Can a domain group member create a folder and then set that folder's permissions such that:
    - domain group members (including the originator) cannot delete the folder
    - domain group members (including the originator) can add/delete folder children (subfolders and/or files)?

  4. #4
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    You can do most of what you want with the advanced permissions. Of course as long as your user that created the original folder is still the owner of it, he can do anything he wants with it.

    Click advanced and add the group, then view/edit it and select whether to apply to this folder, or subfolders and such. Its much more granular in the advanced section.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides