Understanding Windows 7 permission inheritance


  • I'm a little confused on how permissions are applied in Windows 7.

    I noticed that like some folders in Program Files, an install directory from a program (in this case the Oracle client), have no options under their 'New' context menu other than to create a folder.  In order to restore the context menu items I had to take ownership of the folder AND give my user account full control despite being a member of the local administrators group which also has full control.  Why isn't access inherited from Administrators enough here?

    At the same time, I've found that I can create a file with a command prompt with "run as administrator" using echo hello>test.txt without having direct permissions.

    Other folders have only administrators on it and I can access the "new" menu just fine. 

    What mechanisms are at play here?  What is the flow for checking permissions?  I'd like to definitively understand this so I can effectively troubleshoot it.  I'm guessing that user access control is the variable I'm missing but that's a guess.

    Monday, February 13, 2012 11:05 PM

All replies

  • Hi,

    Please check the parent folder's inheritance setting, refer to the following link. 

    Also, the following article is for your reference. 

    Juke Chou

    TechNet Community Support

    Wednesday, February 15, 2012 8:28 AM
  • One of those articles involves something along Opalis Integration Server Client and the other describes a fairly simplistic scenario of where a child object has a different permission than the parent - not much mystery there.  My question revolves around group vs user permissions. 

    Again, there are no permissions applied directly to the user, but instead the administrators group (which the user is a member of).  Yet the 'New' context menu's only option is 'new folder'.  As soon as I add the user directly to the folder, the other options appear under 'New.'  Is there some special permissions mechanism for the 'New' menu that doesn't look at group membership?

    Wednesday, February 15, 2012 8:36 PM
  • Hi,

    Please check the deny permission for this user or the groups this user belongs to.

    Denied permissions are always checked before allowed. If the system finds that the user matches a denied rule when doing security checks, it will stop the security check and deny the user's request despite this user being in the other allowed rules.

    Juke Chou

    TechNet Community Support

    Monday, February 20, 2012 2:28 AM
  • There are no deny rules assigned to any of the groups the user is a member of.
    Monday, February 20, 2012 2:51 PM
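
Added example, not part of any post in this thread: a simplified Python model of how a DACL is walked, covering the deny-before-allow rule from the reply above and the UAC case the original question guesses at, where a non-elevated administrator's token carries the Administrators group as deny-only, so allow entries for that group are skipped. The account name, rights, tokens and ACLs are constructed, `access_check` is a hypothetical helper rather than the Windows AccessCheck API, and owner rights are left out.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2          # simplified rights, not real access-mask values
FULL = READ | WRITE

@dataclass(frozen=True)
class Ace:
    kind: str                   # "allow" or "deny"
    sid: str
    mask: int

@dataclass(frozen=True)
class Token:
    enabled: frozenset                  # SIDs matched by allow and deny ACEs
    deny_only: frozenset = frozenset()  # SIDs matched by deny ACEs only

def access_check(token, dacl, desired):
    """Walk the ACEs in order; grant only if every desired bit is allowed
    before a matching deny ACE is reached."""
    remaining = desired
    for ace in dacl:
        if ace.kind == "deny":
            if ace.sid in (token.enabled | token.deny_only) and ace.mask & remaining:
                return False
        elif ace.sid in token.enabled:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False                # bits no ACE granted are implicitly denied

# Constructed tokens for a hypothetical admin account "alice".
FILTERED = Token(frozenset({"alice", "Users"}), frozenset({"Administrators"}))
ELEVATED = Token(frozenset({"alice", "Users", "Administrators"}))

# Constructed DACLs, deny ACEs first (canonical order).
GROUP_ONLY = [Ace("allow", "Administrators", FULL), Ace("allow", "Users", READ)]
USER_ADDED = GROUP_ONLY + [Ace("allow", "alice", FULL)]
WITH_DENY = [Ace("deny", "Administrators", WRITE)] + USER_ADDED

def results():
    """Map each constructed DACL to (filtered, elevated) write-access outcomes."""
    cases = {"group_only": GROUP_ONLY, "user_added": USER_ADDED, "with_deny": WITH_DENY}
    return {name: (access_check(FILTERED, dacl, WRITE), access_check(ELEVATED, dacl, WRITE))
            for name, dacl in cases.items()}

if __name__ == "__main__":
    for name, (filtered, elevated) in results().items():
        print(f"{name:11} filtered={filtered} elevated={elevated}")
```

On a real system, `whoami /groups` in a non-elevated prompt shows whether a group is listed as used for deny only, and `icacls` on the folder shows the entries and their inheritance flags.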