Question about NTFS permissions (MSpress bbk)

Hello,
I'm doing a case scenario in the MS press book in the Files & Folders chapter. I am trying to figure out a permissions issue. I'll try to make this brief and understandable if possible.
In my lab, I'm logged in as a user who belongs to the Managers group. The group is allowed the NTFS modify permission on a shared Web folder on the server. I understand what the lab was trying to teach, configured the share permissions and , the user was able to create a new Webpage while logged in from another machine on the network.
The problem I have is the last part of the lab. It wants you to lock down NTFS permissions so that users don't have the special permission - in the advanced section of the ACL - to create folders/append data and write data but, it still wants the managers to be able to modify. There was no way to remove the special permission so, I when into the special permission and set both values to deny. When I did this, the original user - who is part of the managers group - can no longer create a webpage.
I understand why he cannot (at least I think I do ), it's because he's also a member of the users group and, deny permissions take precedence over allow. I even tried setting his primary group as the managers group and removing him from the users group but, it didn't work. When I remove the deny permission on the users group he is able to create the webpage. I also tried not allowing inherited permissions from the parent folder.
Is there a way to do this? or is this just a mistake in the book? I hope I explained this well enough for any of you to understand.

Thanks

Find more posts tagged with

Comments

undomiel

You correct in the problem being that deny permissions take precedence. The way for you to be able to remove the special permissions is when you go into modifying the properties you need to uncheck "Include inheritable permissions from this object's parent" and have it copy down the current permissions. At that point you will be able to go in and remove the special permissions from the users group.

qnet

undomiel wrote: »

You correct in the problem being that deny permissions take precedence. The way for you to be able to remove the special permissions is when you go into modifying the properties you need to uncheck "Include inheritable permissions from this object's parent" and have it copy down the current permissions. At that point you will be able to go in and remove the special permissions from the users group.

Thanks, I had actually tried that before and it didn't work. I just tried it again and it worked. I think it may have not worked before because, I was logged in on the XP machine as the user - who was a member of the managers group - and I still had the window opened were I was trying to save the web page to the server. It was grayed out and, wouldn't let me remove the group.

Thanks again. I'm doing some last minute studying and am scheduled to take the test Monday.