Question from self-paced book that confuses me

NozzaC Member Posts: 44
This is paraphrased to avoid copyright issues but is accurate in the facts, I believe:

Created a "Client Accounts" Folder
Removed the Everyone group
Added "Users" group with Full Control
Made part-timers members of "Part Time" group
Made contractors members of "Contractors" group
Assigned the Deny Full Control permission to the "Part Time" and "Contractors" groups for the files that need to be protected.

1. Will users of the Part Time and Contractors groups be able to open the files?
2. If they cannot access the file, there is a risk they will delete it. Why?

The answers

1. No
2. Full Control includes the Delete Subfolders and files special permission. This permission overrides the file permissions.

I get 1. - when you click the deny it automatically denies all the permissions.
But when I try 2 out on my test rig I find I cannot delete anything. What gives?!

Thanks
N

Comments

  • TravR1 Member Posts: 332
    Deny anything is usually a wrong answer on MS tests, I've read.

    It's considered bad practice and should only be used when no other way of denying access is available. The reason is it makes permission troubleshooting difficult.

    Deny Full Control is considered first whenever used. Other permissions will not be used when Deny is in effect.

    I'm pretty sure that's why, at least.
    Austin Community College, certificate of completion: C++ Programming.
    Sophomore - Computer Science, Mathematics
  • skrpune Member Posts: 1,409
    TravR1 wrote: »
    Deny anything is usually a wrong answer on MS tests, I've read.

    It's considered bad practice and should only be used when no other way of denying access is available. The reason is it makes permission troubleshooting difficult.

    Deny Full Control is considered first whenever used. Other permissions will not be used when Deny is in effect.

    I'm pretty sure that's why, at least.

    I agree, but in this case, the question is stating that Deny Full Control is assigned to certain files within a folder. So what's being asked is what the effective permissions are, and I'm a little confused as well as to why there is a risk of deleting files that have Deny Full Control assigned to the Part Time & Contractors groups.

    Denies trump allows, so even though Users are allowed Full Control, Part Time & Contractor members shouldn't be able to delete the files that were protected with a Deny Full Control permission.

    HOWEVER, if those users were assigned Deny Full Control for only some of the files within that folder, and if there are other files in that folder, then there is the possibility that they can delete OTHER files in that folder. But with the info as is stated in the original post, I agree with the OP - there shouldn't be a risk of deletion of the protected files.

    Maybe there's some more detail that we're missing here? Or maybe it's just a mistake in the book - have you checked the published errata?
    Currently Studying For: Nothing (cert-wise, anyway)
    Next Up: Security+, 291?

    Enrolled in Masters program: CS 2011 expected completion
  • NozzaC Member Posts: 44
    The given answer is that Full Control includes the Delete Subfolders And Files special permission for POSIX compliance. This special permission allows a user to delete files in the root of a folder to which the user has been assigned Full Control permission. This overrides the file permissions.

    Still don't get it.
  • NozzaC Member Posts: 44
    Ah - after writing that I see that the point is that the Folder permissions are overriding the File permissions
  • TravR1 Member Posts: 332
    NozzaC wrote: »
    Ah - after writing that I see that the point is that the Folder permissions are overriding the File permissions

    I thought file permissions override folder and directory permissions.
    Austin Community College, certificate of completion: C++ Programming.
    Sophomore - Computer Science, Mathematics
  • gravyjoe Member Posts: 260
    This is what it sounds like, but I may be wrong.

    If you went into the folder, where the file is, and tried to delete it from there... it won't delete.

    If you attempt to delete the folder that the file is in, it will delete the folder, thus deleting the file in it.
    The biggest risk in life is not taking one.
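
Added example, not part of the original thread or the book: a simplified Python model of the rule in the book's answer, where a delete is permitted by either the Delete right on the file or the Delete Subfolders and Files right on the parent folder. The ACL layout is constructed from the original post; the Modify-only folder is an assumed alternative for comparison, and the model ignores ownership, privileges, inheritance flags and share permissions.

```python
# Added illustration: simplified model of NTFS DACL evaluation and the delete rule.
# Access-mask values are the Windows SDK constants; group names come from the thread.
FILE_READ_DATA    = 0x00000001
FILE_DELETE_CHILD = 0x00000040   # "Delete Subfolders and Files" (folder right)
DELETE            = 0x00010000   # "Delete" (right on the object itself)
FILE_ALL_ACCESS   = 0x001F01FF   # Full Control
MODIFY            = 0x001301BF   # Full Control minus DELETE_CHILD, WRITE_DAC, WRITE_OWNER


def access_check(dacl, groups, desired):
    """Walk ACEs in order: a matching deny on a still-needed bit fails the
    request; allows accumulate until every requested bit is granted."""
    remaining = desired
    for ace_type, trustee, mask in dacl:
        if trustee not in groups:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
            if remaining == 0:
                return True
    return False  # no ACE granted the remaining bits: implicit deny


def can_open(file_dacl, groups):
    return access_check(file_dacl, groups, FILE_READ_DATA)


def can_delete(file_dacl, folder_dacl, groups):
    """Delete succeeds with DELETE on the file OR FILE_DELETE_CHILD on its parent."""
    return (access_check(file_dacl, groups, DELETE)
            or access_check(folder_dacl, groups, FILE_DELETE_CHILD))


# Constructed scenario from the original post (deny ACEs first, canonical order).
protected_file = [("deny", "Part Time", FILE_ALL_ACCESS),
                  ("deny", "Contractors", FILE_ALL_ACCESS),
                  ("allow", "Users", FILE_ALL_ACCESS)]
folder_full_control = [("allow", "Users", FILE_ALL_ACCESS)]
folder_modify_only = [("allow", "Users", MODIFY)]  # assumed alternative, not from the thread
part_timer = {"Users", "Part Time"}

if __name__ == "__main__":
    print("open:", can_open(protected_file, part_timer))
    print("delete, folder Full Control:", can_delete(protected_file, folder_full_control, part_timer))
    print("delete, folder Modify:", can_delete(protected_file, folder_modify_only, part_timer))
```

In this model, granting Users Modify on the folder instead of Full Control removes the folder-level delete path for the denied groups, while members of Users who are not denied can still delete the file through its own ACL.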