I have a folderA. I'd like a user (let's call him darth) to be able to do anything (create, read, write, delete) folders/files inside folderA, BUT darth should NOT be able to delete folderA itself. To achieve this I applied the following permissions.
    C:\>icacls foldera
    foldera DHI-VM1\darth:(DENY)(D)
            DHI-VM1\darth:(RX,W,WDAC,WO,DC)
            NT AUTHORITY\SYSTEM:(OI)(CI)(F)
            BUILTIN\Administrators:(OI)(CI)(F)
            BUILTIN\Users:(OI)(CI)(RX)
            BUILTIN\Users:(CI)(S,WD,AD)
            CREATOR OWNER:(OI)(CI)(IO)(F)

    Successfully processed 1 files; Failed processing 0 files
I know Deny takes precedence over Allow, but in this case the Deny & Allow are for different objects (deny delete on parent folder, allow on child folder). I'm still unable to delete anything inside folderA despite the permission DC (in 2nd line after WO). Why so?
OS - Windows Server 2008 R2
Can you run icacls on a file in foldera? – Louis – 2014-09-23T05:11:15.410

C:\folderA>icacls logcopy.py logcopy.py NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Users:(I)(RX) Successfully processed 1 files; Failed processing 0 files. – Dhiwakar Ravikumar – 2014-09-23T05:29:04.190

I think these files were created by administrator so darth is unable to delete them, however Darth is able to delete files he created. I thought DC would've taken precedence here – Dhiwakar Ravikumar – 2014-09-23T05:30:21.637
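
An added example, not part of the original thread: a small parser for the two icacls listings posted above that reports, for each ACE, whether it is explicit or inherited and which objects it applies to. The function names are hypothetical; the flag meanings follow the icacls notation. On the posted data it shows that neither of darth's ACEs on foldera carries (OI) or (CI), and that logcopy.py has only inherited ACEs, none of which names darth.

```python
import re

# icacls flags: OI/CI propagate to child files/folders, IO inherit only, I inherited.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

def parse_ace(text):
    """Parse one 'TRUSTEE:(...)(...)' entry as printed by icacls."""
    trustee, sep, rest = text.strip().partition(":(")
    if not sep:
        raise ValueError("not an icacls ACE: %r" % text)
    groups = re.findall(r"\(([^)]*)\)", "(" + rest)
    flags = {g for g in groups if g in INHERIT_FLAGS}
    rights = [g for g in groups if g != "DENY" and g not in flags]
    scope = [n for n, on in (("this object", "IO" not in flags),
                             ("child files", "OI" in flags),
                             ("child folders", "CI" in flags)) if on]
    return {"trustee": trustee, "scope": scope,
            "type": "deny" if "DENY" in groups else "allow",
            "origin": "inherited" if "I" in flags else "explicit",
            "rights": rights[-1].split(",") if rights else []}

def parse_listing(output, obj_name):
    """Return the ACEs of one icacls listing, skipping status lines."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(obj_name + " "):  # first ACE follows the object name
            line = line[len(obj_name):]
        if ":(" in line:
            aces.append(parse_ace(line))
    return aces

def report(aces):
    """One line per ACE: trustee, origin, type, rights, where it applies."""
    return ["%s %s %s [%s] -> %s" % (a["trustee"], a["origin"], a["type"],
            ",".join(a["rights"]), ", ".join(a["scope"])) for a in aces]

# ACE lines copied from the two icacls listings posted on this page.
FOLDER = parse_listing(r"""foldera DHI-VM1\darth:(DENY)(D)
DHI-VM1\darth:(RX,W,WDAC,WO,DC)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(RX)
BUILTIN\Users:(CI)(S,WD,AD)
CREATOR OWNER:(OI)(CI)(IO)(F)""", "foldera")
FILE = parse_listing(r"""logcopy.py NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)""", "logcopy.py")
print("\n".join(report(FOLDER) + report(FILE)))
```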