Modify rights to single file in a directory with only list permiss

Discussion in 'Server Security' started by tonyaldr, Sep 21, 2006.

  1. tonyaldr

    tonyaldr Guest

    We have a situation in which a user is only permitted to read and modify a
    single file in a directory on a Win2K server. Mgt doesn't want them to see
    any of the other files in that directory. I granted the user list
    permissions to the folder and full rights to the file in question, but when
    she tries to save she gets the message "The save failed due to out of memory
    or disk space. <path\file>"
    I granted write permissions to the folder and it still fails. Only granting
    modify (and the associated "read") allows her to save. Shouldn't the
    aforementioned method work without granting these extra rights to the folder?
    tonyaldr, Sep 21, 2006

  2. The problem is not with what you have set for permissions, but with
    how the application the person uses is handling things.
    If you define a folder X and grant AcctsA List on the folder,
    and have a file X\file.ext and it has a grant of Modify for AcctsA,
    then for example, one of the AcctsA can open file.ext in notepad,
    change it, and save it. No problem.
    By comparison, Word would want to open a temp file in the same
    directory and upon save rename this.
    You could provide for that by a grant to AcctsA and another of at
    least Modify to Creator Owner, but then they would be able to
    save other files into the directory (and hence have access to more
    than just the one file).
    In short, this illustrates that it is more direct to isolate files needing
    different permissions into separate folders.
    Roger Abell [MVP], Sep 22, 2006

  3. tonyaldr

    tonyaldr Guest

    You hit the nail on the head. It is indeed Word. But even though I went
    into Advanced rights on the folder and granted "Create Files/Write Data" and
    "Take Ownership" for the user it still fails. I don't see where you can add
    "Modify to Creator Owner" though.
    tonyaldr, Sep 22, 2006
  4. You could provide for that by a grant to AcctsA and another of at
    IOW you would need to add two grants.
    Follow the model used in XP for directories below root of a partition:
    1. a grant to Creator Owner
    I suggested Modify, which is set on the generic NTFS dialog, not
    in the Advanced view. As soon as it is applied it "disappears" in
    the generic view (well, it changes to Special) because it is automatically
    changed to an Applies to Subfolders and Files only.
    2. a grant to AcctA (or whatever your custom group) that allows them
    to create (and then the first grant takes over giving them the rest on
    what they create)
    For your use, this grant only needs to be a special (i.e. use Advanced)
    granting "Create files / write data". Now if you look elsewhere you
    will see "Create folders / append data".
    Roger Abell [MVP], Sep 23, 2006
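
The two grants described in the reply above, written in PowerShell and followed by a review of the resulting access. This is an added example, not part of the original posts; the folder path and the `EXAMPLE\AcctsA` group name are placeholders, and it assumes a Windows system with PowerShell 3 or later rather than the Win2K server in the thread.

```powershell
# Added example. $folder and $group are placeholders, not values from the thread.
$folder = 'D:\Shared\X'
$group  = 'EXAMPLE\AcctsA'

$acl = Get-Acl -Path $folder

# Grant 1: CREATOR OWNER gets Modify, inherited by subfolders and files only.
# This is the "Applies to: Subfolders and files only" entry the GUI shows as Special.
$creatorOwner = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CREATOR OWNER', 'Modify', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow')

# Grant 2: the group may create files in this folder itself ("Create files / write data").
# No inheritance flags, so it does not propagate to existing files or subfolders.
$createFiles = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'CreateFiles', 'None', 'None', 'Allow')

$acl.AddAccessRule($creatorOwner)
$acl.AddAccessRule($createFiles)
Set-Acl -Path $folder -AclObject $acl

# Review 1: explicit (non-inherited) entries now set on the folder.
(Get-Acl -Path $folder).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize

# Review 2: per file, who owns it and what the group holds directly.
# As the reply notes, group members can now save other files into this folder,
# so files owned by a group member will show up here over time.
Get-ChildItem -Path $folder -File | ForEach-Object {
    $fileAcl = Get-Acl -Path $_.FullName
    [pscustomobject]@{
        File   = $_.Name
        Owner  = $fileAcl.Owner
        Rights = ($fileAcl.Access |
                  Where-Object { $_.IdentityReference.Value -eq $group } |
                  ForEach-Object { $_.FileSystemRights }) -join '; '
    }
} | Format-Table -AutoSize
```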