NTFS permission MODIFY - Delete subfolders and files

Grigsby

I ran into a practice test that I answered a question incorrectly on. The MS prep material actually.

Does the NTFS Modify permission not include "delete subfolders and files"? Every account I have tried with just the modify permission on a folder is able to delete files within it. I guess I could be inheriting a permission from somewhere else, but it did not seem like it.

Does anyone know what the deal is with this?

Im confused.

Webmaster

Yes, the difference between the default permissions for the Users group (Read & Execute, List Folder Contents, and Read permissions) and the Modify permission is the ability to delete.

From the NTFS and Share Permissions TechNotes I plan to finish today:

MODIFY
Modify permission allows the same as Read, Write and Read and Execute combined, but additionally allows deleting.

Grigsby

Thats what I thought.

But I am taking a practice test with the Readiness Review Suite, which is that software that comes with the MS Press Review Suite. Specifically the material for 70-290, and I quote;

"The Delete Subfolders and Files permission is not included in the Modify Permission set."

I guess this could just be a simple discrepancy, but they looked like they were pretty sure of themselves.

So in the question I had, even though the domain local group had inherited the Modify permission from the parent folder, I had to explicitly allow the delete subfolders and files on the child folder in order to achieve the objective, which was to just be able to delete files.

I'm with you though. I think they are wrong, but hey I also want to pass the exam.

sprkymrk

Actually they are correct. Test this yourself by going to the security properties of a folder. On the advanced tab, deselect the "Inherit from parent..." and select COPY when prompted. Now go back to the Security Tab:

1. Add a user that does not currently have rights and give them Modify rights.
2. Click Apply.
3. Click Advanced.
4. Highlight the user and click Edit.

Now scroll through the list of permissions. Notice they CAN "delete", but they cannot:
*Delete subfolders and files.
*Take ownership.
*Change permissions.

Webmaster

Oh, I'm sorry I see I was a bit too hasty with my reply.

If you have Modify permission on a file or folder, you can delete the file or folder itself because you get the special permission 'Delete'. But since its inherited by child objects by default, you the effective permissions for child objects is also Modify (hence includes Delete).

The special permission 'Delete Subfolders and Files' overrides the Delete. So if you don't have Delete permissions on a particular file or subfolder (i.e. when it's not inherited or explicitly configured/overriden), but you are assigned the permission 'Delete Subfolders and Files' for the parent folder, you can still delete the file/folder.

sprkymrk

Webmaster wrote:

If you have Modify permission on a file or folder, you can delete the file or folder itself because you get the special permission 'Delete'. But since its inherited by child objects by default, you the effective permissions for child objects is also Modify (hence includes Delete).

The special permission 'Delete Subfolders and Files' overrides the Delete. So if you don't have Delete permissions on a particular file or subfolder (i.e. when it's not inherited or explicitly configured/overriden), but you are assigned the permission 'Delete Subfolders and Files' for the parent folder, you can still delete the file/folder.

Exactly. The case where I see this most is when several users have "modify" permissions for a directory, but when someone creates a subdirectory they become the "Creator/Owner". Other users who had "Modify" rights on the parent directory will not have Delete rights on this new directory, only those with Full Control will.

Grigsby

Ahh...ok. Yeah I see that now.

Thanks guys.

So I wonder then, what is the difference between delete and delete subfolders and files?

Grigsby

Oops sorry, he answered that already. I didnt read close enough.