I have a very strange NTFS rights phenomenon on a fileserver and I cannot find my mistake, pulling my hair out for hours now. What am I missing?
My goal is:
- Users from Group-A should be able to write new files/folders into a folder ("add files"). They should also be able to edit those newly added files.
- At night the newly added files should be "protected" from further editing/deleting by Group-A. The right to read the files and the right to add more new files should remain.
Here is what I did:
- Create Group-A, add users
- Give Group-A (F)ull access to the folder
- Create a script that
- deletes the inheritance bit of the files in the folder
- removes (F)ull access to the files, leaving read-only rights
The problem is, my user(s) can edit and delete files like they have full access. Even if the 'effective permissions' show no right to edit, they still can.
The script works fine and looks like this:
icacls d:\folder\Bild1.jpg /inheritance:d
icacls d:\folder\Bild1.jpg /remove:g Group-A
After the script has run, the NTFS permissions on file.jpg look like this (looks correct to me):
So does the icacls output:
d:\folder>icacls Bild1.jpg
Bild1.jpg WM\DomainAdmin:(F)
WM\Domänen-Admins:(F)
WM\Group-A:(RX)
The effective permissions tab of that file shows exactly the same (right) thing:
The permissions for the parent folder, users should be able to add files here, look like this:
Artweger WM\Group-A:(I)(OI)(CI)(F)
WM\Domänen-Admins:(I)(OI)(CI)(F)
If this User logs on (he is just in two groups, Domain-Users and Group-A), he can edit, delete, rename and move the file bild1.jpg. How is this possible? What does NTFS do with my glorious plans?
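An added example, not part of the original post: a PowerShell version of the nightly lock-down together with an audit of the parent folder's ACL. It assumes the folder D:\folder and the group WM\Group-A from the post and must be run as an administrator. The audit exists because an Allow ACE on the folder itself that carries DeleteSubdirectoriesAndFiles (the DC right, which is included in Full Control) lets the group delete any file in that folder no matter what the file's own ACL says, and an application that saves by writing a temporary file and then replacing the original needs only the folder's add-file and delete-child rights, so a read-only ACL on the file alone does not stop that kind of edit.

```powershell
# Added example (not the original poster's script). Nightly lock-down of files in a drop
# folder plus an audit of the parent folder's ACL. Assumes D:\folder and WM\Group-A from
# the post; run elevated.
param(
    [string]$Folder = 'D:\folder',
    [string]$Group  = 'WM\Group-A'
)

# 1. Lock down each existing file: stop inheriting from the folder (keeping copies of the
#    inherited ACEs), drop the group's explicit ACEs, then grant read/execute only.
Get-ChildItem -Path $Folder -File | ForEach-Object {
    $path = $_.FullName
    icacls $path /inheritance:d        | Out-Null
    icacls $path /remove:g $Group      | Out-Null
    icacls $path /grant:r "${Group}:(RX)" | Out-Null
}

# 2. Audit the parent folder. Report every Allow ACE for the group and flag the ones that
#    grant DeleteSubdirectoriesAndFiles (DC): that folder-level right overrides the
#    per-file ACL for deletion, and it is what a "replace on save" application relies on.
$deleteChild = [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
$folderAcl   = Get-Acl -Path $Folder

$folderAcl.Access |
    Where-Object {
        $_.IdentityReference.Value -eq $Group -and $_.AccessControlType -eq 'Allow'
    } |
    ForEach-Object {
        [pscustomobject]@{
            Identity          = $_.IdentityReference.Value
            Rights            = $_.FileSystemRights
            Inherited         = $_.IsInherited
            GrantsDeleteChild = (($_.FileSystemRights -band $deleteChild) -ne 0)
        }
    } | Format-Table -AutoSize
```

With the folder ACL shown in the post ((OI)(CI)(F) for Group-A), the audit's GrantsDeleteChild column comes out True; an ACL that grants the group only the rights needed to add files (for example (OI)(CI)(RX,WD,AD) instead of (F)) would report False and is the setting to verify against the stated goal.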