  1. #1
    New Lounger

    NTFS "write attribute" permissions

    So I'm working with NTFS permissions, trying to get granular control... and I'm not really seeing it. For instance, I've run across a situation where I want to stop users who have modify rights (Traverse folder/execute file; List folder/read data; Read attributes; Read extended attributes; Create Files/write data; create folder/append data; write attributes; write extended attributes; delete subfolders and files; delete; read permissions) to this folder, subfolders, and files from changing the attributes on the files and/or folders, specifically the hidden attribute. So, I uncheck the "write attributes" box, which, from what I've read, should do the trick. What does it do? It makes it so they can't modify the attributes, sure, but it also makes it so they cannot modify the files or folders. They are all locked in read-only mode. So it seems that in disabling the write attributes permission, it also disables their ability to write to the file entirely. Is this just the way it is? Or am I missing something? I can duplicate this on my own workstation at home, which is a Windows 7 client. Any help is appreciated, I'm lost. Thanks.

    Note: This is a Server 2008 R2/Windows 7 environment
    Last edited by mjkcal; 2013-02-08 at 21:29.

  2. #2
    Platinum Lounger
    NTFS is not that granular. If you allow users to write to a folder they can pretty much do what they want. The only thing I refuse to grant users is Full Control because I don't want them to play with permissions - they always stuff it up.

    cheers, Paul

  3. #3
    New Lounger
    Join Date
    Feb 2013
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks for replying. I suppose I don't even understand the point of having the check box for it then, if the functionality doesn't work without impacting other access. I suppose it is what it is, though.

  4. #4
    Platinum Lounger
    I suspect that the limit on what NTFS allows doesn't translate into what Windows thinks it can do. That's why I always tell users that they can have either of two things, do anything or read only. Anything else is just too hard to implement and the users end up not understanding what they can and can't do. The one exception to that rule is a blind write folder, where you can write but not read - useful for transferring data into a common location whilst maintaining confidentiality of the data.

    cheers, Paul
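
Added example, not part of the thread: a simplified model of the Windows access check applied to the rights listed in the first post. For files, `GENERIC_WRITE` maps to `FILE_GENERIC_WRITE`, which includes `FILE_WRITE_ATTRIBUTES`, so a program that opens a file with `GENERIC_WRITE` is refused when that single right is missing. The model assumes allow-only ACEs, no owner or parent-folder implicit rights, and that `SYNCHRONIZE` is granted; the `POSTED` and `RESTRICTED` masks are constructed from the post.

```python
# Access-mask constants from the Windows SDK (winnt.h).
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA = 0x0001, 0x0002, 0x0004
FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE = 0x0008, 0x0010, 0x0020
FILE_DELETE_CHILD = 0x0040
FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x0080, 0x0100
DELETE, READ_CONTROL, SYNCHRONIZE = 0x00010000, 0x00020000, 0x00100000
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000

# Generic-to-specific mapping for file objects.
FILE_GENERIC_READ = (READ_CONTROL | FILE_READ_DATA | FILE_READ_ATTRIBUTES
                     | FILE_READ_EA | SYNCHRONIZE)
FILE_GENERIC_WRITE = (READ_CONTROL | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES
                      | FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE)

NAMES = {
    FILE_READ_DATA: "FILE_READ_DATA", FILE_WRITE_DATA: "FILE_WRITE_DATA",
    FILE_APPEND_DATA: "FILE_APPEND_DATA", FILE_READ_EA: "FILE_READ_EA",
    FILE_WRITE_EA: "FILE_WRITE_EA", FILE_EXECUTE: "FILE_EXECUTE",
    FILE_DELETE_CHILD: "FILE_DELETE_CHILD",
    FILE_READ_ATTRIBUTES: "FILE_READ_ATTRIBUTES",
    FILE_WRITE_ATTRIBUTES: "FILE_WRITE_ATTRIBUTES",
    DELETE: "DELETE", READ_CONTROL: "READ_CONTROL", SYNCHRONIZE: "SYNCHRONIZE",
}

def map_generic(desired):
    """Expand GENERIC_READ / GENERIC_WRITE into file-specific rights."""
    mapped = desired & ~(GENERIC_READ | GENERIC_WRITE)
    if desired & GENERIC_READ:
        mapped |= FILE_GENERIC_READ
    if desired & GENERIC_WRITE:
        mapped |= FILE_GENERIC_WRITE
    return mapped

def missing_rights(granted, desired):
    """Names of requested rights not granted; any entry means the open fails."""
    missing = map_generic(desired) & ~granted
    return [name for bit, name in NAMES.items() if missing & bit]

# Rights listed in the first post, plus SYNCHRONIZE (assumed granted).
POSTED = 0x01FF | DELETE | READ_CONTROL | SYNCHRONIZE
# The same ACE with the "write attributes" box unchecked.
RESTRICTED = POSTED & ~FILE_WRITE_ATTRIBUTES

if __name__ == "__main__":
    print("GENERIC_WRITE open:", missing_rights(RESTRICTED, GENERIC_WRITE))
    print("data-only write open:",
          missing_rights(RESTRICTED, FILE_WRITE_DATA | FILE_APPEND_DATA | SYNCHRONIZE))
```

In this model, a caller that requests only `FILE_WRITE_DATA | FILE_APPEND_DATA` passes the check, while one that requests `GENERIC_WRITE` does not.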
