
I have a setup where there's a directory junction in a network share which points at a directory outside of the share. No matter what permissions I set, the user is able to delete the junction pointer.

The folder structure is as follows:

c:\Share\ (The shared directory)
c:\Other\
c:\Share\Other\ (A directory junction to c:\Other\)

The user needs to be able to write to c:\Share\ but only read from c:\Other\.

The most basic permissions I can break this down to are (for the user):

c:\Share\ - Allow - Modify - This directory, sub folders, and files
c:\Share\Other\ - Allow - Read - This directory only
c:\Share\Other\ - Deny - Delete - This directory only
c:\Other - Allow - Read - This directory, sub folders, and files

All directories are set to do not inherit, though Share and Other are set to propagate. The only other permissions set on any of these is Administrator has full to everything (and the test user is not an Administrator).

With this setup, and the user mounted to the Share directory, they can delete the link to Other.

If I remove the Allow/Read on the link, then they cannot delete the link, but they also cannot access it.

I've tried a lot of other combinations, but these seem to be the most 'pure' permissions. It basically all works until the Allow/Read is added to the link, which then seems to override the Deny/Delete, which contradicts all the rules! Maybe I've stumbled into some obscure bug?

This is both in 2008 R2 and 2012.

mattdwen
  • I haven't read your question, hence a comment instead of an answer: why not simply use DFS to organize this mess? Just a thought. – Noor Khaldi Aug 28 '13 at 12:12
  • It's actually for an app which is building a lot of these shares, custom per user. I've managed to break the problem down to the bare minimum at a Windows level which is why I've posted it as above. – mattdwen Aug 28 '13 at 20:23

0 Answers