I have a setup where there's a directory junction in a network share which points at a directory outside of the share. No matter what permissions I set, the user is able to delete the junction pointer.
The folder is structure is as follows:
c:\Share\ (The shared directory)
c:\Other\
c:\Share\Other\ (A directory junction to c:\Other\)
The user needs to be able to write to c:\Share\ but only read from c:\Other\.
The most basic permissions I can break this down to are (for the user):
c:\Share\ - Allow - Modify - This directory, sub folders, and files
c:\Share\Other\ - Allow - Read - This directory only
c:\Share\Other\ - Deny - Delete - This directory only
c:\Other - Allow - Read - This directory, sub folders, and files
All directories are set to do not inherit, though Share and Other are set to propagate.
The only other permissions set on any of these is Administrator has full to everything (and the test user is not an Administrator).
With this setup, and the user mounted to the Share directory, they can delete the link to Other.
If I remove the Allow/Read on the link, then they cannot delete the link, but they also cannot access it.
I've tried a lot of other combinations, but these seems to be the most 'pure' permissions. It basically all works until the Allow/Read is added to the link, which then seems to override the Deny/Delete which contradicts all the rules! Maybe I've stumbled into some obscure bug?
This is both in 2008 R2 and 2012.
