+ Reply to Thread
Results 1 to 8 of 8
  1. Member
    Join Date
    Jul 2006
    Posts
    69

    Certifications
    CCNA, MCP 70-290, BSCI, BCMSN
    #1

    Default NTFS permission MODIFY - Delete subfolders and files

    I ran into a practice test that I answered a question incorrectly on. The MS prep material actually.

    Does the NTFS Modify permission not include "delete subfolders and files"? Every account I have tried with just the modify permission on a folder is able to delete files within it. I guess I could be inheriting a permission from somewhere else, but it did not seem like it.

    Does anyone know what the deal is with this?

    Im confused.
    Reply With Quote Quote  

  2. SS -->
  3. Johan Hiemstra Forum Admin Webmaster's Avatar
    Join Date
    Jun 2002
    Location
    52n31, 6e06
    Posts
    10,383
    Blog Entries
    3

    Certifications
    MCSE NT4 MCSA 2000/2003 Security+ (expired: CWNA, CNA, CCNA)
    #2
    Yes, the difference between the default permissions for the Users group (Read & Execute, List Folder Contents, and Read permissions) and the Modify permission is the ability to delete.

    From the NTFS and Share Permissions TechNotes I plan to finish today:

    MODIFY
    Modify permission allows the same as Read, Write and Read and Execute combined, but additionally allows deleting.
    Reply With Quote Quote  

  4. Member
    Join Date
    Jul 2006
    Posts
    69

    Certifications
    CCNA, MCP 70-290, BSCI, BCMSN
    #3
    Thats what I thought.

    But I am taking a practice test with the Readiness Review Suite, which is that software that comes with the MS Press Review Suite. Specifically the material for 70-290, and I quote;

    "The Delete Subfolders and Files permission is not included in the Modify Permission set."

    I guess this could just be a simple discrepancy, but they looked like they were pretty sure of themselves.

    So in the question I had, even though the domain local group had inherited the Modify permission from the parent folder, I had to explicitly allow the delete subfolders and files on the child folder in order to achieve the objective, which was to just be able to delete files.

    I'm with you though. I think they are wrong, but hey I also want to pass the exam.
    Reply With Quote Quote  

  5. mikej412's caddy sprkymrk's Avatar
    Join Date
    Feb 2006
    Location
    Charleston, SC
    Posts
    4,976

    Certifications
    MCP (NT4 Server), MCSA 2000, MCSA 2003, CCNA, Security+, Network+
    #4
    Actually they are correct. Test this yourself by going to the security properties of a folder. On the advanced tab, deselect the "Inherit from parent..." and select COPY when prompted. Now go back to the Security Tab:

    1. Add a user that does not currently have rights and give them Modify rights.
    2. Click Apply.
    3. Click Advanced.
    4. Highlight the user and click Edit.

    Now scroll through the list of permissions. Notice they CAN "delete", but they cannot:
    *Delete subfolders and files.
    *Take ownership.
    *Change permissions.
    Reply With Quote Quote  

  6. Johan Hiemstra Forum Admin Webmaster's Avatar
    Join Date
    Jun 2002
    Location
    52n31, 6e06
    Posts
    10,383
    Blog Entries
    3

    Certifications
    MCSE NT4 MCSA 2000/2003 Security+ (expired: CWNA, CNA, CCNA)
    #5
    Oh, I'm sorry I see I was a bit too hasty with my reply.

    If you have Modify permission on a file or folder, you can delete the file or folder itself because you get the special permission 'Delete'. But since its inherited by child objects by default, you the effective permissions for child objects is also Modify (hence includes Delete).

    The special permission 'Delete Subfolders and Files' overrides the Delete. So if you don't have Delete permissions on a particular file or subfolder (i.e. when it's not inherited or explicitly configured/overriden), but you are assigned the permission 'Delete Subfolders and Files' for the parent folder, you can still delete the file/folder.
    Reply With Quote Quote  

  7. mikej412's caddy sprkymrk's Avatar
    Join Date
    Feb 2006
    Location
    Charleston, SC
    Posts
    4,976

    Certifications
    MCP (NT4 Server), MCSA 2000, MCSA 2003, CCNA, Security+, Network+
    #6
    Quote Originally Posted by Webmaster
    If you have Modify permission on a file or folder, you can delete the file or folder itself because you get the special permission 'Delete'. But since its inherited by child objects by default, you the effective permissions for child objects is also Modify (hence includes Delete).

    The special permission 'Delete Subfolders and Files' overrides the Delete. So if you don't have Delete permissions on a particular file or subfolder (i.e. when it's not inherited or explicitly configured/overriden), but you are assigned the permission 'Delete Subfolders and Files' for the parent folder, you can still delete the file/folder.
    Exactly. The case where I see this most is when several users have "modify" permissions for a directory, but when someone creates a subdirectory they become the "Creator/Owner". Other users who had "Modify" rights on the parent directory will not have Delete rights on this new directory, only those with Full Control will.
    Reply With Quote Quote  

  8. Member
    Join Date
    Jul 2006
    Posts
    69

    Certifications
    CCNA, MCP 70-290, BSCI, BCMSN
    #7
    Ahh...ok. Yeah I see that now.

    Thanks guys.

    So I wonder then, what is the difference between delete and delete subfolders and files?
    Reply With Quote Quote  

  9. Member
    Join Date
    Jul 2006
    Posts
    69

    Certifications
    CCNA, MCP 70-290, BSCI, BCMSN
    #8
    Oops sorry, he answered that already. I didnt read close enough.
    Reply With Quote Quote  

+ Reply to Thread

Social Networking & Bookmarks