delete vs. delete subfolders & files

w^rl0rdw^rl0rd Member Posts: 329
I thought I understood this, but when I got a question on a practice test for 70-290 I got it wrong.

Users w/ modify permissions do not have the "delete subfolders and files" permission, but have the "delete" permissoin.

Why is it that when I log on w/ a user acct that has Modify permission for a folder, I can delete everything?

What is the difference?
What would be the advantage of having the "delete subfolders and files" permission?

Comments

  • SmallguySmallguy Member Posts: 597
    on my network when I go into a folder and look at the permissions I have a user woh has modify when I click on Advanced

    then double click the user to see the advanced permssions I cna se "Delete subfolders" is not selected.


    do you see the same thing?

    I think what mgiht have happed is if you created the subfolder with that user... that user became the Creator owner of the folder so that qwould allow them ot deletye the subfolder since they're effectively that oflders admin.

    try creating a folder and then a subfolder with the admin account... giving a user modify then go in and see if the user is allowed to delete the folder.

    I tihkn it might be a creator owner issue though.
  • w^rl0rdw^rl0rd Member Posts: 329
    Smallguy wrote:
    on my network when I go into a folder and look at the permissions I have a user woh has modify when I click on Advanced

    then double click the user to see the advanced permssions I cna se "Delete subfolders" is not selected.


    do you see the same thing?

    I think what mgiht have happed is if you created the subfolder with that user... that user became the Creator owner of the folder so that qwould allow them ot deletye the subfolder since they're effectively that oflders admin.

    try creating a folder and then a subfolder with the admin account... giving a user modify then go in and see if the user is allowed to delete the folder.

    I tihkn it might be a creator owner issue though.


    Yes. I actually did all of the above. I created a folder and file structure w/ the admin account and logged on as a user with Modify. I was able to delete anything and everything.

    I just don't see the difference between the two permissons.
  • D-boyD-boy Member Posts: 595
    Standard File and Folder Permissions
    Read(R) - View attributes, contents, and permissions. Can synchronize.
    Write(W) - Can change attributes, and file contents. Can create files or folders. Can synchronize.
    Read(R) and Execute(E) - Can change sub folders, perform read operations, and execute a file.
    List Folder Contents - Can perfrom read and execute permissions on folders. Can view folder contents, attributes, permissions. Can synchronize and change to subfolders.
    Modify - Perform Read, Execute, and Write permissions along with ability to delete.
    Full Control - Can perform Modify functions (above), take ownership, and modify permissions.
    Permissions assigned to directories are inherited (default) by all files and subdirectories that are contained in the directory. The inheritance option, selected by default, may be deselected. Each file or directory has an Access Control List (ACL). To set permissions for additional users or groups, they are added to the ACL of the file or directory. Windows Explorer or the Cacls command line utility can be used to set permissions.

    Special File and Folder Permissions
    On the file or folder properties dialog, click the "Security" tab and the "Advanced" button to assign special file or folder permissions.

    Traverse Folder/Execute File - .
    List Folder/Read Data - .
    Read Attributes - The user can read the attributes (archive, compress, hidden, etc.) of the file, but not read the contents of the file.
    Read Extended Attributes - .
    Create Files/Write Data - .
    Create Folders/Append Data - .
    Write Attributes - .
    Write Extended Attributes - .
    Delete Subfolders and Files - .
    Delete - The user can delete the file.
    Read Permissions - The user can read the file.
    Change Permissions - Lets the user change permissions for the file, but not view or change the contents of the file.
    Take Ownership - The user can take ownership of the file, but can't give it back.

    These permissions can be applied to directories, files, and subdirectories with one of the following selections:

    This folder, subfolders and files
    This folder only
    This folder and subfolders
    This folder and files
    Subfolders and files only
    Subfolders only
    Files only
  • w^rl0rdw^rl0rd Member Posts: 329
    I appreciate your help D-Boy but I'm not sure what you are trying to tell me with that. icon_rolleyes.gif
  • D-boyD-boy Member Posts: 595
    Ok sorry let me clear this up... icon_wink.gif

    NTFS file and folder permissions for the most part are a sufficient way to secure your resources on a network. Where they do not provide the level of granularity required, you can use Special Access Permissions.

    **Delete Subfolders and Files**

    This allows or denies the deleting of files and subfolder within the parent folder. It also true that if this permission is assigned files and subfolders can be deleted even if the Delete special access permission has not been granted.

    **Delete**

    This allows or denies the deleting of files and folders. If the user does not have this permission assigned but does have the Delete Subfolders and Files permission, she can still delete.
  • w^rl0rdw^rl0rd Member Posts: 329
    D-boy wrote:
    Delete Subfolders and Files

    Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file. (applies to folders)

    Honestly, I appreciate your help but I don't think you read my post.
    I understand what technet says, but if you read my post you would see that even with the "delete" permisson which is granted through modify, I can delete subfolders and files. I am struggling with the difference here.
  • D-boyD-boy Member Posts: 595
    w^rl0rd wrote:
    D-boy wrote:
    Delete Subfolders and Files

    Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file. (applies to folders)

    Honestly, I appreciate your help but I don't think you read my post.
    I understand what technet says, but if you read my post you would see that even with the "delete" permisson which is granted through modify, I can delete subfolders and files. I am struggling with the difference here.

    Sorry read my post again I made some edit's.....
  • w^rl0rdw^rl0rd Member Posts: 329
    I guess what I dont get is this:

    If the delete permission is granted to a user for the parent folder, won't it be inherited by the child folders making them deletable as well? How would that be any different than the delete subfolders and files permission?
  • D-boyD-boy Member Posts: 595
    Did you set the **Delete** permission to "Deny"? You can Allow or Deny a Special Permission.
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    This is going nowhere fast, or so it seems. icon_lol.gif

    Okay, maybe looking at it a little different will help. When you give a user or group "Modify" permission to a directory, by default inheritance will also give them "Modify" to all folders and files below. So unless you turned off inheritance, they also have the "delete" on every folder and file below as well because they have "Modify", which includes "delete". They don't need the "delete subfolders" permission, because inheritance gave them Modify all the way down.

    If you have "Modify" on folder "Alpha", then someone creates a subfolder called "Beta", guess what? It doesn't matter that Modify doesn't allow you to "delete subfolders" explicitly, because you now also have "Modify" on the "Beta" folder, you have the right to "delete" it. And so on down with folders "Charlie", "Delta", and "Echo", etc.


    Edit:
    Also, not sure if this helps, but keep in mind that "Modify" permission is just shy of "Full Control". The differences being that with Modify you cannot "Take Ownership", and you cannot change the permissions. Everything else is fair game.
    All things are possible, only believe.
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    w^rl0rd wrote:
    I guess what I dont get is this:

    If the delete permission is granted to a user for the parent folder, won't it be inherited by the child folders making them deletable as well? How would that be any different than the delete subfolders and files permission?

    The difference there is only apparent when you turn off inheritance. Otherwise you're right, it's the same thing.
    All things are possible, only believe.
  • RoundHeadedKidRoundHeadedKid Member Posts: 1 ■□□□□□□□□□
    edited August 2021

    Level 1:    Full Control folder                       Modify folder                   Read only folder
                               /  \                                                   / \                                       / \
    Level 2:    Read only folder & file            Read  only folder & file       Read only folder & file

    From level 1, the user can delete the Full Control folder and its subfolder contents.  Can't do that with the Level 1 Modify folder or Read folder.  
    The reason is that the Full Control gives "delete subfolders and files" permission.  Modify and Read do not.

    And from level 2, the user will not be able to delete the any of the Read only folder and files, even if the user has Full Control on Level 1.

    If the L1 Modify folder didn't have any read-only L2 contents then the user would be able to delete the L1 Modify folder and its subfolder.  Modify gives "delete" permission and no "delete subfolders and files" permission is needed.

    L1:       Modify folder                              Modify folder
                               /  \                                                   / \                                   
    L2:    Read only folder & file            Modify folder & file      



  • JDMurrayJDMurray Admin Posts: 13,023 Admin
    @RoundHeadedKid, you do realize the Windows Server 2003 exams have been long retired?

Sign In or Register to comment.