Set permissions for a folder for everyone except the owner

1

I created a folder in my workplace's domain. I am not the Administrator, so if I set any restrictions for Everyone it applies to me too. If I create another set of permissions for Owner (me), the restrictions are overridden by the ones applied to Everyone.

Is it possible to set permissions for "everyone except owner"? I am ultimately trying to prevent anyone but me from deleting things from the folder.

Mike

Posted 2015-08-27T23:45:56.303

Reputation: 115

If everyone is more permissive than owner then it doesn't matter, however everyone doesn't need more permission than owner if you are the owner. – Tyson – 2015-08-28T00:33:20.983

How do I make "everyone" less permissive than "owner"? It doesn't seem to be that way by default... – Mike – 2015-08-28T00:42:55.047

Do you have another account to test? There is no way to test what's happening unless you can be everyone instead of owner. – Tyson – 2015-08-28T00:44:51.570

I do have another account to test – Mike – 2015-08-28T15:03:13.163

Answers

1

If I set any restrictions for "everyone", it applies to me too.

This is correct. Deny permissions always override allow permissions, regardless of the user or group to which they apply. The only way you could employ deny permissions to prevent "everyone but you" from deleting items from your folder would be to create a security group that every user account on the domain is a member of except you. Unless you have a very small domain this isn't feasible. The correct way to solve your problem is to not grant the unwanted permissions to other users in the first place.

I am ultimately trying to prevent anyone but me from deleting things from the folder.

Set your permissions as follows:

Everyone: Read & Execute
You: Full Control


If you literally want others to do everything except delete items from the folder (e.g. allow them to create items), in addition to granting yourself Full Control, set your permissions for the Everyone identity as follows:

  • Traverse folder / execute files
  • List folder / read data
  • Read attributes
  • Read extended attributes
  • Create files / write data
  • Create folders / append data
  • Write attributes
  • Write extended attributes
  • Read permissions

I say Reinstate Monica

Posted 2015-08-27T23:45:56.303

Reputation: 21 477

I don't quite follow. You seem to imply that I would HAVE to create a security group that includes everyone except me to accomplish what I want (which makes sense since deny overrides allow and I'm part of "everyone"). But below you give me directions for setting permissions without that special security group. – Mike – 2015-08-28T15:03:01.210

@Mike No, you would only have to create such a group if you insisted on using Deny permissions, which, as I noted, "Unless you have a very small domain this isn't feasible." I didn't give you those directions because that's an incredibly obtuse way of solving the problem, made worse by the fact there's no way to dynamically manage that group's membership, i.e. when a new user is added to the network someone has to remember to add them to this "everyone but you" group. The solution I gave you is not only the best-practice approach, but once configured it's bullet-proof. – I say Reinstate Monica – 2015-08-28T15:11:38.640

But the solution you gave removed the ability to delete from everyone, which overrides full control for myself, right? I just tried it anyways and now my folder is invisible (or deleted, I don't know which). It's just a test folder though so it's not a big deal but I'm not sure why that happened. – Mike – 2015-08-28T15:18:45.830

Double post.. Tried it again (folder didn't get deleted this time) and as you implied above, I am unable to delete items I created in the folder. – Mike – 2015-08-28T15:24:57.540

@Mike Not correct. Only Deny permissions "override" other permissions. Granted permissions are additive, so if you gave yourself Full Control as specified in my answer, you'll have permission to do anything, including delete. If you're not getting this result, your permissions aren't correct. Are there other permissions in play on this folder? – I say Reinstate Monica – 2015-08-28T15:26:06.293

@Mike I've updated my answer to clarify that if you're using the second set of permissions (those which grant the Everyone identity the ability to create items) you still need to grant yourself Full Control. Sorry if that's the reason for the confusion. – I say Reinstate Monica – 2015-08-28T15:28:06.517

Hmm something is not going right for me. Here is a picture of the set of permissions http://imgur.com/S9nNbZz. All of them have full control, except the Everyone at the top has delete, ownership, and change permissions denied. This set does not allow me to delete anything even though Michael C (me) is granted full control. I am not an administrator. – Mike – 2015-08-28T15:35:58.993

@Mike You're still using Deny permissions. You cannot do that. Get rid of the Deny...Everyone permission (top), and change the Allow...Everyone...Full Control permission at the bottom to Allow...Everyone...Read and Execute (You'll need to uncheck the Include inheritable permission... checkbox). Trust that if you do not grant a permission (e.g. grant Everyone the Delete permission), then users will not have that right. You don't need to deny what was never granted in the first place. – I say Reinstate Monica – 2015-08-28T15:39:04.620

Let us continue this discussion in chat. – I say Reinstate Monica – 2015-08-28T15:41:34.793

Ohh I see what you mean now. I am unable to do that as only the admin has permission to change allow permissions for Everyone. I'll work things out with him about it. Thank you! – Mike – 2015-08-28T15:45:13.410
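
The allow-only layout from the answer and its comments, scripted in PowerShell as an added example (not code from the thread). The folder path is a hypothetical test location, and the script assumes the account running it owns the folder or is otherwise allowed to change its permissions.

```powershell
# Added example. The folder path is an assumption, not from the original thread.
$folder = 'C:\Temp\AclDemo'   # hypothetical throwaway test folder
New-Item -ItemType Directory -Path $folder -Force | Out-Null

$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')  # well-known SID: Everyone
$me       = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

# 1. Stop inheriting from the parent, keeping inherited entries as explicit copies
#    (the scripted form of unchecking "Include inheritable permissions").
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $folder -AclObject $acl

# 2. Re-read the ACL and drop every entry for Everyone, Allow and Deny alike.
$acl = Get-Acl -Path $folder
$acl.PurgeAccessRules($everyone)

# 3. Grant only what is wanted. ReadAndExecute + Write equals the nine special
#    permissions listed in the answer; use ReadAndExecute alone for the
#    read-only variant. Nothing is denied: delete rights are simply never granted.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$create  = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write'
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl

$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($everyone, $create, $inherit, $prop, $allow)))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, $full, $inherit, $prop, $allow)))
Set-Acl -Path $folder -AclObject $acl

# 4. Verify: Everyone should have no Deny entry and none of the rights that
#    were denied in the screenshot (delete, change permissions, take ownership).
$unwanted = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$rules = (Get-Acl -Path $folder).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
foreach ($r in $rules) {
    $who = if ($r.IdentityReference -eq $everyone) { 'Everyone' }
           elseif ($r.IdentityReference -eq $me)   { 'Owner' }
           else                                    { $r.IdentityReference.Value }
    $hasUnwanted = (($r.FileSystemRights -band $unwanted) -ne 0)
    '{0,-10} {1,-5} delete/ownership rights present: {2}' -f $who, $r.AccessControlType, $hasUnwanted
}
```

The expected listing shows an Allow entry for Everyone with no delete or ownership rights and an Allow entry for the owner that includes them; confirming the result from a second account, as suggested in the comments, checks the behaviour end to end.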