Tuesday, March 19, 2013 10:30 PM
We are running 2008r2 file servers and we are mapping users to a share, using ABE so they can only see what they have access to. The problem is that users sometimes delete entire top level folders. I thought this would be an easy one. The only permissions at the top level folder are traverse folder/list folder/read attributes and read permissions. All of these settings are for "this folder only". I also included separate DENY permissions for delete/delete subfolder and files permissions and set that for "this folder and all subfolders and files" I then broke inheritance and removed the deny permissions on subfolders and gave the users modify access there. What happens is my test user account cannot delete the top level folder, but the delete command does go through and it does delete all the subfolders/files, where the users do "need" to have the ability to delete. Is there any way to stop those top-level deletions from getting through to folders where they do have permissions to delete? Turning off inheritance does not seem to work and I spent half a day on this. summary below
1. Top level folder is set with traverse folder/execute file, list folder/read data, read attributes, read extended attributes, and read permissions for "this folder only"
2. Top level has deny permissions for delete and delete subfolder/flies set for "this folder, subfolders, and files"
3. Removed inheritance, and inherited permissions, from subfolders and added modify permissions for the users there.
Result - Users cannot delete the top level folders, but the delete command works on all subfolder/files through the top level folder. What we need to to block actions at top level, but allow actions at lower levels.