none
Maintaining file/folder permissions

    Question

  • Hi --

    I created a folder tree on an SBS 2003 server with rather restrictive permissions. Only two people currently have unrestricted read/write access to this folder tree; a larger subset of users has read-only access. This particular folder tree is not shared; rather, it resides within a shared folder. It is not inheriting permissions from its parent.

    A problem that's cropping up is that when one of these unrestricted users copies or moves files or folders into this folder tree from elsewhere, those files and folders come in with whatever permissions they had. These copies or moves are usually done via drag-and-drop or cut/copy-and-paste from a Windows workstation.

    I need anything moved or copied into this folder tree to immediately take on the permission structure of the root folder (in other words:  read-only to group A, full control to group B, inaccessible to the rest).

    What's the best way to do this?

    Thanks
    CL 

    Tuesday, March 06, 2012 4:00 PM

Answers

  • Hi,

    By default, an object inherits permissions from its parent object, either at the time of creation or when it is copied or moved to its parent folder. The only exception to this rule occurs when you move an object to a different folder on the same volume. In this case, the original permissions are retained.

    Additionally, note the following rules:

    •The Everyone group is granted Allow Full Control permissions to the root of each NTFS drive.
    •Deny permissions always take precedence over Allow permissions.
    •Explicit permissions take precedence over inherited permissions.
    •If NTFS permissions conflict -- for example, if group and user permissions are contradictory -- the most liberal permissions take precedence.
    •Permissions are cumulative.
    •To preserve permissions when files and folders are copied or moved, use the Xcopy.exe utility with the /O or the /X switch. The object’s original permissions will be added to inheritable permissions in the new location.
    •To add an object's original permissions to inheritable permissions when you copy or move an object, use the Xcopy.exe utility with the –O and –X switches.
    •To preserve existing permissions without adding inheritable permissions from the parent folder, use the Robocopy.exe utility

    To modify how Windows Explorer handles permissions when objects are copied, please refer to the following Microsoft KB article for the detailed steps:

    How permissions are handled when you copy and move files and folders
    http://support.microsoft.com/kb/310316

    Regards,


    Arthur Li

    TechNet Community Support

    Wednesday, March 07, 2012 6:30 AM

All replies

  • What happens if a user logs off and on following the moving of the files.  Try both a restricted user and a non restricted user and let us know.

    Larry Struckmeyer[SBS-MVP]

    Wednesday, March 07, 2012 12:16 AM
  • The screwy permissions stay ...

    The office admin who's been moving these folders into this library folder logs out at least once if not twice every day. All the users there do.

    I received a report that users were able to delete files from this library folder, and it took me a while to figure out what was going on. Because the root of the folder tree, and most of the folders in it, had the proper permissions. But there were several folders I didn't immediately recognize that had permissions of their own. And when I asked the office admin about them, I found out that they had been moved into this library from elsewhere on the server. They had been moved some time (weeks) earlier, which means that everyone has logged off and on multiple times since.

    I fixed the immediate problem by resetting the permissions on the entire folder tree, which brought these oddball folders and files in line. But I don't know how to stop this from happening again. I wasn't expecting this to happen at all ...

    CL

    Wednesday, March 07, 2012 12:42 AM
  • Hi,

    By default, an object inherits permissions from its parent object, either at the time of creation or when it is copied or moved to its parent folder. The only exception to this rule occurs when you move an object to a different folder on the same volume. In this case, the original permissions are retained.

    Additionally, note the following rules:

    •The Everyone group is granted Allow Full Control permissions to the root of each NTFS drive.
    •Deny permissions always take precedence over Allow permissions.
    •Explicit permissions take precedence over inherited permissions.
    •If NTFS permissions conflict -- for example, if group and user permissions are contradictory -- the most liberal permissions take precedence.
    •Permissions are cumulative.
    •To preserve permissions when files and folders are copied or moved, use the Xcopy.exe utility with the /O or the /X switch. The object’s original permissions will be added to inheritable permissions in the new location.
    •To add an object's original permissions to inheritable permissions when you copy or move an object, use the Xcopy.exe utility with the –O and –X switches.
    •To preserve existing permissions without adding inheritable permissions from the parent folder, use the Robocopy.exe utility

    To modify how Windows Explorer handles permissions when objects are copied, please refer to the following Microsoft KB article for the detailed steps:

    How permissions are handled when you copy and move files and folders
    http://support.microsoft.com/kb/310316

    Regards,


    Arthur Li

    TechNet Community Support

    Wednesday, March 07, 2012 6:30 AM
  • The user responsible for maintaining this library share is not going to use XCOPY or any CLI command to move the files. And right now, almost all of the material she's moving into that share resides on the same volume as the share itself. I'm looking at the possibility of moving that share to another drive, but my options on that server are very limited in that regard.

    I had suggested to the user that, instead of moving a folder into this share, that she create a new folder inside the share and then move the individual files into this new folder. I was hoping that creating the new folder inside the share would cause it to inherit the share's permissions, and that whatever new files were then created in that folder would have the correct permissions. But if I read your answer correctly, even this isn't going to work as expected, right?

    Right now I'm just correcting file permissions at the root of that share every few nights to catch whatever new files have been added to it. Is there any way to automate this?

    Thanks
    CL

    Friday, March 16, 2012 1:48 AM