Windows 2000 file permission problems

[CarlH]

Hi,

I want to create a folder on the c: of a Windows 2000 workstation and make it so any user can create a folder in there but once they do, only they can read/write in that folder.

I created the folder, went to it’s security settings and turned off inheritable permissions.

I then set it so the everyone group could:

Traverse folder

List folder

Read Attributes

Read Extended Attributes

Create Folders

Read

But for ‘this folder only’

I then gave the creator owner group full permissions for ‘subfolders only’

If I login as a user, go to the folder I can create a new folder no problem. However if I try create a file (e.g a txt file) it creates the file but then I cannot edit that file or open it.

I cannot see anything wrong in my method but if anybody can help that would be fantastic!!!!

Regards

Carl

[CarlH]

Just to add to this I have sort of figured out what it is.

All the domain users are a member of the local administrators group.

It would seem that when a user creates a folder the creater owner becomes the local admin group not the user!!

If I remove domain users from local administrators it all works fine! The user becomes the owner not the local admin group.

The problem now though is the users have to be a member of the local admin group.

Any help or suggestions on this would be much appretiated!

Carl

[cluberti]

Is there a specific reason your users need to be Administrators, instead of something like a Power User or a regular User with system modifications to allow them to do whatever it is they need to do, be that registry and/or filesystem changes? Because this is expected behavior when a user is in the Administrators group, and cannot be changed.

[CarlH]

Is there a specific reason your users need to be Administrators, instead of something like a Power User or a regular User with system modifications to allow them to do whatever it is they need to do, be that registry and/or filesystem changes? Because this is expected behavior when a user is in the Administrators group, and cannot be changed.

Thanks for taking the time to reply, much appretiated!

Everybody being in the administrators group was setup before I worked here. It's something to do with some bespoke software running at various sites. It's never been a problem until this because if a user messed up the PC we would just re-image it withing 10 minutes.

I will have to look into what need's modifying on the power user. I was kind of hoping for some sort of %username% in a registry key instead of the admins group.

The fact you've said it's expect is great as it saves me a lot of time flogging a dead horse!!

Cheers

[nmX.Memnoch]

It's something to do with some bespoke software running at various sites.

*sigh*

It's always fun when someone says "But this applications requires Administrator privileges to work properly!".

The correct answer usually is "No, it usually just requires write access into areas of the file system and/or registry that regular users don't normally have". And this is only because the developer coded and tested the application with admin privs on their development workstation, instead of coding it properly to use the user profiles like they're intended for (developer hint: this is what Application Data is for and why it has it's own system/user variable %APPDATA% and it's also why %TEMP% points to the user profile).

Find out what areas of the system the application requires write access to and then use a GPO to enforce those settings. Then you can use a GPO to restrict who belongs to the local Administrators group.

[CarlH]

Thanks.

Looking at it, other than the ability to delete folders in Program files and WINNT the Power User group seems identical to the admins group on a folder level. Is that correct?

Also, we do not run any group policy's through the domain as we are a mixed Novell/Microsoft environment. Where can I assign (ar at least look at) rights to the registry on the PC itself?