 |
|
|
|
Next: System Crashes with 2G Memory
|
| Author |
Message |
External
Since: Feb 13, 2008
Posts: 7
|
(Msg. 1) Posted: Wed Feb 13, 2008 8:09 pm
Post subject: Junction Points and ACL 'protection' - how?
Archived from groups: microsoft>public>win2000>file_system (more info?)
|
|
|
I've set up a couple of Junction Points (reparse points), in order to gain more
space on my C: drive, redirecting the Documents and Settings folder and the
Program Files folder.
Microsoft highly recommends using an ACL to prevent these Junction Points
from being inadvertently deleted from Explorer, etc.
How can I protect only the Junction Point from modification/deletion, using
ACL permissions? Setting the Write or Modify permissions on the Junction Point
also prevents writing and modifying of any 'children' of the junction point, even
if the target-folder's permissions are set to allow writing and modifying.
I've set the security settings via the junction point's Properties, changing the
permissions, removing (unchecking) the 'Modify' and the 'Write' permissions,
for 'Everyone'. I then looked at the 'target' folder to see if those specific
permissions were affected on the target folders, and they weren't.
With the permissions set this way however, I can only write/make changes to
the target folder's files if I go directly to the target-folder, and not if I access it via
the junction point. In other words, setting the junction point's permissions to not
allow Writing or Modifying of the Junction Point also sets the permissions for the
child of the junction point when accessed through the junction point, but when 'going
around' the junction point, accessing the target-folder directly, the changed permissions
are not in force.
What am I missing? What's the right way to protect only the junction-point so it
can't be deleted or renamed (even by an administrator with a failing memory).
Thanks for any input on this, I can use all the help I can get.
--
Cwebb
(if emailing reply, use this address:
blinds-94050 at mypacks net |
|
| Back to top |
|
 | |
External
Since: Feb 13, 2008
Posts: 7
|
(Msg. 2) Posted: Thu Feb 14, 2008 3:40 pm
Post subject: Re: Junction Points and ACL 'protection' - how? [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
After some trial and error, it looks as though Win2k (SP4) by default, is
protecting _folders_ that are accessed through the Junction Point, but
not the Junction Point itself.... I can delete the Junction Point through Explorer,
but cannot delete folders that are 'inside' the J.P. However, I _can_ delete
files that are 'inside' the Junction Point.
iow: I've found that I'm unable to delete any folders that I access _through_ the
J.P. using Explorer, although files are fair game, and can be deleted. Yet,
it's no problem deleting these folders with Explorer from the Junction Point's
actual target folder.
I still would like to know how to keep Junction Points safe from errant users...
Anyone know about this?
--
Cwebb
(if emailing reply, use this address:
blinds-94050 at mypacks net
On Wed, 13 Feb 2008 20:09:43 -0500 in Meesage-ID <rp27r3dov2qsedqcrg1vsfebc2j0g3261o.DeleteThis@4ax.com> Cwebb
wrote:
>I've set up a couple of Junction Points (reparse points), in order to gain more
>space on my C: drive, redirecting the Documents and Settings folder and the
>Program Files folder.
>
>Microsoft highly recommends using an ACL to prevent these Junction Points
>from being inadvertently deleted from Explorer, etc.
>
>How can I protect only the Junction Point from modification/deletion, using
>ACL permissions? Setting the Write or Modify permissions on the Junction Point
>also prevents writing and modifying of any 'children' of the junction point, even
>if the target-folder's permissions are set to allow writing and modifying.
>
>I've set the security settings via the junction point's Properties, changing the
>permissions, removing (unchecking) the 'Modify' and the 'Write' permissions,
>for 'Everyone'. I then looked at the 'target' folder to see if those specific
>permissions were affected on the target folders, and they weren't.
>
>With the permissions set this way however, I can only write/make changes to
>the target folder's files if I go directly to the target-folder, and not if I access it via
>the junction point. In other words, setting the junction point's permissions to not
>allow Writing or Modifying of the Junction Point also sets the permissions for the
>child of the junction point when accessed through the junction point, but when 'going
>around' the junction point, accessing the target-folder directly, the changed permissions
>are not in force.
>
>What am I missing? What's the right way to protect only the junction-point so it
>can't be deleted or renamed (even by an administrator with a failing memory).
>
>Thanks for any input on this, I can use all the help I can get. |
|
| Back to top |
|
| |
External
Since: Jun 05, 2004
Posts: 808
|
(Msg. 3) Posted: Thu Feb 14, 2008 6:54 pm
Post subject: Re: Junction Points and ACL 'protection' - how? [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
My findings are not consistent with yours, if I properly protect the
target, the contents of the junction point or the junction point itself
cannot be deleted.
John
Cwebb wrote:
> After some trial and error, it looks as though Win2k (SP4) by default, is
> protecting _folders_ that are accessed through the Junction Point, but
> not the Junction Point itself.... I can delete the Junction Point through Explorer,
> but cannot delete folders that are 'inside' the J.P. However, I _can_ delete
> files that are 'inside' the Junction Point.
>
> iow: I've found that I'm unable to delete any folders that I access _through_ the
> J.P. using Explorer, although files are fair game, and can be deleted. Yet,
> it's no problem deleting these folders with Explorer from the Junction Point's
> actual target folder.
>
> I still would like to know how to keep Junction Points safe from errant users...
>
> Anyone know about this?
> >> Stay informed about: Junction Points and ACL 'protection' - how? |
|
| Back to top |
|
| |
External
Since: Feb 13, 2008
Posts: 7
|
(Msg. 4) Posted: Thu Feb 14, 2008 10:00 pm
Post subject: Re: Junction Points and ACL 'protection' - how? [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
Well, the problem may be that I don't know what I'm doing!
I understand you to be saying that the permissions that are set on the
target folder propagate back to the junction point, is that what you're
seeing?
I'm using each folder's <Properties/Security-tab/Advanced> to modify the
permissions settings, and I'm changing the permission:
for Everyone - "This Folder Only" - changing from 'Allow' to 'Deny' Delete,
leaving all other permissions at 'Allow'. I'm doing the same for both the
junction-point and the target folder, and leaving the parent-propagate
and child-propagate boxes unchecked in each case.
I've made sure the child-folders have all permissions set at 'Allow', after
I've set the parent folder permissions.
What is it that I'm missing?
Thanks.
--
CWebb
(if emailing reply, use this address:
blinds-94050 at mypacks net)
On Thu, 14 Feb 2008 18:54:57 -0400 in Meesage-ID <ui3Ajy1bIHA.1204.RemoveThis@TK2MSFTNGP03.phx.gbl> John John wrote:
>My findings are not consistent with yours, if I properly protect the
>target, the contents of the junction point or the junction point itself
>cannot be deleted.
>
>John
>
>Cwebb wrote:
>
>> After some trial and error, it looks as though Win2k (SP4) by default, is
>> protecting _folders_ that are accessed through the Junction Point, but
>> not the Junction Point itself.... I can delete the Junction Point through Explorer,
>> but cannot delete folders that are 'inside' the J.P. However, I _can_ delete
>> files that are 'inside' the Junction Point.
>>
>> iow: I've found that I'm unable to delete any folders that I access _through_ the
>> J.P. using Explorer, although files are fair game, and can be deleted. Yet,
>> it's no problem deleting these folders with Explorer from the Junction Point's
>> actual target folder.
>>
>> I still would like to know how to keep Junction Points safe from errant users...
>>
>> Anyone know about this?
>> >> Stay informed about: Junction Points and ACL 'protection' - how? |
|
| Back to top |
|
| |
External
Since: Feb 13, 2008
Posts: 7
|
(Msg. 5) Posted: Thu Feb 14, 2008 10:43 pm
Post subject: Re: Junction Points and ACL 'protection' - how? [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
Another weird thing is that I can't delete any _folders_ in the
junction-point's target folder, but only if I go through the
junction-point to get to it (however, I can delete files).
But, as I said, I don't have any problems deleting the same
folder if I get to it via it's actual parent folder.
--
CWebb
(if emailing reply, use this address:
blinds-94050 at mypacks net
On Thu, 14 Feb 2008 18:54:57 -0400 in Messsage-ID <ui3Ajy1bIHA.1204 RemoveThis @TK2MSFTNGP03.phx.gbl> John John
wrote:
>My findings are not consistent with yours, if I properly protect the
>target, the contents of the junction point or the junction point itself
>cannot be deleted.
>
>John
>
>Cwebb wrote:
>
>> After some trial and error, it looks as though Win2k (SP4) by default, is
>> protecting _folders_ that are accessed through the Junction Point, but
>> not the Junction Point itself.... I can delete the Junction Point through Explorer,
>> but cannot delete folders that are 'inside' the J.P. However, I _can_ delete
>> files that are 'inside' the Junction Point.
>>
>> iow: I've found that I'm unable to delete any folders that I access _through_ the
>> J.P. using Explorer, although files are fair game, and can be deleted. Yet,
>> it's no problem deleting these folders with Explorer from the Junction Point's
>> actual target folder.
>>
>> I still would like to know how to keep Junction Points safe from errant users...
>>
>> Anyone know about this?
>> >> Stay informed about: Junction Points and ACL 'protection' - how? |
|
| Back to top |
|
| |
External
Since: Jun 05, 2004
Posts: 808
|
(Msg. 6) Posted: Fri Feb 15, 2008 7:17 am
Post subject: Re: Junction Points and ACL 'protection' - how? [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
I don't have extensive experience with Junction Points and ACL but that
is how it appears to be working for me here. I use Advanced permissions
and on the target directory I explicitly Deny two items to Everyone:
Delete Subfolders and Files
Delete
and from the Windows Explorer GUI I as an Administrator/Owner Creator
cannot delete files or folder in the target folder or in the Junction
Point, nor can I delete the Junction Point. In the Advanced Permissions
make sure that you don't have a check mark on "Apply these permissions
to objects and/or containers within this container only"
The only variable might be that I used the Sysinternal Junction tool
instead of the Resource Kit tools to create the symbolic link, I don't
think that would make a difference but maybe it does, I don't know for sure.
John
Cwebb wrote:
> Well, the problem may be that I don't know what I'm doing!
>
> I understand you to be saying that the permissions that are set on the
> target folder propagate back to the junction point, is that what you're
> seeing?
>
> I'm using each folder's <Properties/Security-tab/Advanced> to modify the
> permissions settings, and I'm changing the permission:
> for Everyone - "This Folder Only" - changing from 'Allow' to 'Deny' Delete,
> leaving all other permissions at 'Allow'. I'm doing the same for both the
> junction-point and the target folder, and leaving the parent-propagate
> and child-propagate boxes unchecked in each case.
>
> I've made sure the child-folders have all permissions set at 'Allow', after
> I've set the parent folder permissions.
>
> What is it that I'm missing?
>
> Thanks.
> >> Stay informed about: Junction Points and ACL 'protection' - how? |
|
| Back to top |
|
| |
External
Since: Feb 13, 2008
Posts: 7
|
(Msg. 7) Posted: Sun Feb 17, 2008 4:50 pm
Post subject: Re: Junction Points and ACL 'protection' - how? [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
I'm baffled.
Though, it seems that you might be going for different results than
I am.
It sounds like you're setting the child-folders as well as the
junction-point to be delete-protected, is that right?
I'm hoping to simply protect the junction-point, so it isn't deleted
by mistake. I thinks that's all Microsoft means when they
say to:
- Use NTFS ACLs to protect junction points from inadvertent deletion.
- Use NTFS ACLs to protect files and directories that are targeted by
junction points from inadvertent deletion or other file system operations.
Since I've used a junction-point to be able to move my Documents and
Settings folder, I don't want to protect, for example, my desktop, so I
need to Allow deletes on folders and files contained in the targeted folders.
But, just to test, I tried setting all to Allow, except I set Deny on
'Delete' and 'Delete Subfolders and Files', and I'm still able to delete
either folder from Explorer.
And I too, am using Sysinternals' Junction utility...
????
I'm at a loss.
Thanks for your input John.
On Fri, 15 Feb 2008 07:17:47 -0400 in Messsage-ID <#bcvpR8bIHA.4968@TK2MSFTNGP02.phx.gbl> John John
wrote:
>I don't have extensive experience with Junction Points and ACL but that
>is how it appears to be working for me here. I use Advanced permissions
>and on the target directory I explicitly Deny two items to Everyone:
>
>Delete Subfolders and Files
>Delete
>
>and from the Windows Explorer GUI I as an Administrator/Owner Creator
>cannot delete files or folder in the target folder or in the Junction
>Point, nor can I delete the Junction Point. In the Advanced Permissions
>make sure that you don't have a check mark on "Apply these permissions
>to objects and/or containers within this container only"
>
>The only variable might be that I used the Sysinternal Junction tool
>instead of the Resource Kit tools to create the symbolic link, I don't
>think that would make a difference but maybe it does, I don't know for sure.
>
>John
>
>Cwebb wrote:
>
>> Well, the problem may be that I don't know what I'm doing!
>>
>> I understand you to be saying that the permissions that are set on the
>> target folder propagate back to the junction point, is that what you're
>> seeing?
>>
>> I'm using each folder's <Properties/Security-tab/Advanced> to modify the
>> permissions settings, and I'm changing the permission:
>> for Everyone - "This Folder Only" - changing from 'Allow' to 'Deny' Delete,
>> leaving all other permissions at 'Allow'. I'm doing the same for both the
>> junction-point and the target folder, and leaving the parent-propagate
>> and child-propagate boxes unchecked in each case.
>>
>> I've made sure the child-folders have all permissions set at 'Allow', after
>> I've set the parent folder permissions.
>>
>> What is it that I'm missing?
>>
>> Thanks.
>>
--
Cwebb
(if emailing reply, use this address:
blinds-94050 at mypacks net >> Stay informed about: Junction Points and ACL 'protection' - how? |
|
| Back to top |
|
| |
External
Since: Jun 05, 2004
Posts: 808
|
(Msg. 8) Posted: Mon Feb 18, 2008 11:49 pm
Post subject: Re: Junction Points and ACL 'protection' - how? [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
I can do this at the Junction Point without inheritance. I can apply
different permissions to any or all of the folders or files. As soon as
one item within the container has a deny delete I cannot delete the
Junction point, the deny can be applied on the items in the symbolic
link or in the target, the results are the same, as soon as one item is
protected inside the container I cannot delete the Junction Point. Put
a dummy folder in there and explicitly deny "Everyone" delete rights on
it and you won't be able to delete the Junction Point.
John
Cwebb wrote:
> I'm baffled.
>
> Though, it seems that you might be going for different results than
> I am.
>
> It sounds like you're setting the child-folders as well as the
> junction-point to be delete-protected, is that right?
>
> I'm hoping to simply protect the junction-point, so it isn't deleted
> by mistake. I thinks that's all Microsoft means when they
> say to:
> - Use NTFS ACLs to protect junction points from inadvertent deletion.
> - Use NTFS ACLs to protect files and directories that are targeted by
> junction points from inadvertent deletion or other file system operations.
>
> Since I've used a junction-point to be able to move my Documents and
> Settings folder, I don't want to protect, for example, my desktop, so I
> need to Allow deletes on folders and files contained in the targeted folders.
>
> But, just to test, I tried setting all to Allow, except I set Deny on
> 'Delete' and 'Delete Subfolders and Files', and I'm still able to delete
> either folder from Explorer.
>
> And I too, am using Sysinternals' Junction utility...
>
> ????
>
> I'm at a loss.
>
> Thanks for your input John.
>
>
>
> On Fri, 15 Feb 2008 07:17:47 -0400 in Messsage-ID <#bcvpR8bIHA.4968@TK2MSFTNGP02.phx.gbl> John John
> wrote:
>
>
>>I don't have extensive experience with Junction Points and ACL but that
>>is how it appears to be working for me here. I use Advanced permissions
>>and on the target directory I explicitly Deny two items to Everyone:
>>
>>Delete Subfolders and Files
>>Delete
>>
>>and from the Windows Explorer GUI I as an Administrator/Owner Creator
>>cannot delete files or folder in the target folder or in the Junction
>>Point, nor can I delete the Junction Point. In the Advanced Permissions
>>make sure that you don't have a check mark on "Apply these permissions
>>to objects and/or containers within this container only"
>>
>>The only variable might be that I used the Sysinternal Junction tool
>>instead of the Resource Kit tools to create the symbolic link, I don't
>>think that would make a difference but maybe it does, I don't know for sure.
>>
>>John
>>
>>Cwebb wrote:
>>
>>
>>>Well, the problem may be that I don't know what I'm doing!
>>>
>>>I understand you to be saying that the permissions that are set on the
>>>target folder propagate back to the junction point, is that what you're
>>>seeing?
>>>
>>>I'm using each folder's <Properties/Security-tab/Advanced> to modify the
>>>permissions settings, and I'm changing the permission:
>>>for Everyone - "This Folder Only" - changing from 'Allow' to 'Deny' Delete,
>>>leaving all other permissions at 'Allow'. I'm doing the same for both the
>>>junction-point and the target folder, and leaving the parent-propagate
>>>and child-propagate boxes unchecked in each case.
>>>
>>>I've made sure the child-folders have all permissions set at 'Allow', after
>>>I've set the parent folder permissions.
>>>
>>>What is it that I'm missing?
>>>
>>>Thanks.
>>>
>
> >> Stay informed about: Junction Points and ACL 'protection' - how? |
|
| Back to top |
|
| |
External
Since: Feb 13, 2008
Posts: 7
|
(Msg. 9) Posted: Fri Feb 22, 2008 4:17 pm
Post subject: Re: Junction Points and ACL 'protection' - how? [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
I may have something missing with an update patch. I'll have to
get the 'Unofficial Service Pack 5' installed. Maybe that'll help.
Thanks for your suggestions John.
On Mon, 18 Feb 2008 23:49:50 -0400 in Messsage-ID <uIrXDqqcIHA.5208.RemoveThis@TK2MSFTNGP04.phx.gbl> John John
wrote:
>I can do this at the Junction Point without inheritance. I can apply
>different permissions to any or all of the folders or files. As soon as
>one item within the container has a deny delete I cannot delete the
>Junction point, the deny can be applied on the items in the symbolic
>link or in the target, the results are the same, as soon as one item is
>protected inside the container I cannot delete the Junction Point. Put
>a dummy folder in there and explicitly deny "Everyone" delete rights on
>it and you won't be able to delete the Junction Point.
>
>John
>
>Cwebb wrote:
>
>> I'm baffled.
>>
>> Though, it seems that you might be going for different results than
>> I am.
>>
>> It sounds like you're setting the child-folders as well as the
>> junction-point to be delete-protected, is that right?
>>
>> I'm hoping to simply protect the junction-point, so it isn't deleted
>> by mistake. I thinks that's all Microsoft means when they
>> say to:
>> - Use NTFS ACLs to protect junction points from inadvertent deletion.
>> - Use NTFS ACLs to protect files and directories that are targeted by
>> junction points from inadvertent deletion or other file system operations.
>>
>> Since I've used a junction-point to be able to move my Documents and
>> Settings folder, I don't want to protect, for example, my desktop, so I
>> need to Allow deletes on folders and files contained in the targeted folders.
>>
>> But, just to test, I tried setting all to Allow, except I set Deny on
>> 'Delete' and 'Delete Subfolders and Files', and I'm still able to delete
>> either folder from Explorer.
>>
>> And I too, am using Sysinternals' Junction utility...
>>
>> ????
>>
>> I'm at a loss.
>>
>> Thanks for your input John.
>>
>>
>>
>> On Fri, 15 Feb 2008 07:17:47 -0400 in Messsage-ID <#bcvpR8bIHA.4968@TK2MSFTNGP02.phx.gbl> John John
>> wrote:
>>
>>
>>>I don't have extensive experience with Junction Points and ACL but that
>>>is how it appears to be working for me here. I use Advanced permissions
>>>and on the target directory I explicitly Deny two items to Everyone:
>>>
>>>Delete Subfolders and Files
>>>Delete
>>>
>>>and from the Windows Explorer GUI I as an Administrator/Owner Creator
>>>cannot delete files or folder in the target folder or in the Junction
>>>Point, nor can I delete the Junction Point. In the Advanced Permissions
>>>make sure that you don't have a check mark on "Apply these permissions
>>>to objects and/or containers within this container only"
>>>
>>>The only variable might be that I used the Sysinternal Junction tool
>>>instead of the Resource Kit tools to create the symbolic link, I don't
>>>think that would make a difference but maybe it does, I don't know for sure.
>>>
>>>John
>>>
>>>Cwebb wrote:
>>>
>>>
>>>>Well, the problem may be that I don't know what I'm doing!
>>>>
>>>>I understand you to be saying that the permissions that are set on the
>>>>target folder propagate back to the junction point, is that what you're
>>>>seeing?
>>>>
>>>>I'm using each folder's <Properties/Security-tab/Advanced> to modify the
>>>>permissions settings, and I'm changing the permission:
>>>>for Everyone - "This Folder Only" - changing from 'Allow' to 'Deny' Delete,
>>>>leaving all other permissions at 'Allow'. I'm doing the same for both the
>>>>junction-point and the target folder, and leaving the parent-propagate
>>>>and child-propagate boxes unchecked in each case.
>>>>
>>>>I've made sure the child-folders have all permissions set at 'Allow', after
>>>>I've set the parent folder permissions.
>>>>
>>>>What is it that I'm missing?
>>>>
>>>>Thanks.
>>>>
>>
>>
--
Cwebb
(if emailing reply, use this address:
blinds-94050 at mypacks net >> Stay informed about: Junction Points and ACL 'protection' - how? |
|
| Back to top |
|
| |
External
Since: Feb 13, 2008
Posts: 7
|
(Msg. 10) Posted: Sat Feb 23, 2008 5:50 pm
Post subject: Re: Junction Points and ACL 'protection' - how? [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
I've found a good alternative....
I've installed the latest version of DMEXbar, a great Explorer 'extension'. This version (v13) happens
to provide a 'protect Junction Points' feature, which won't allow a simple Explorer delete of a Junction
point.
I think I'll stick with this solution, for now.
Again, thanks John.
On Fri, 22 Feb 2008 16:17:37 -0500 in Messsage-ID <nqeur35ol7p54h2taqe8acon6r4u632cbi.TakeThisOut@4ax.com> Cwebb
wrote:
>I may have something missing with an update patch. I'll have to
>get the 'Unofficial Service Pack 5' installed. Maybe that'll help.
>
>Thanks for your suggestions John.
>
>On Mon, 18 Feb 2008 23:49:50 -0400 in Messsage-ID <uIrXDqqcIHA.5208.TakeThisOut@TK2MSFTNGP04.phx.gbl> John John
>wrote:
>
>>I can do this at the Junction Point without inheritance. I can apply
>>different permissions to any or all of the folders or files. As soon as
>>one item within the container has a deny delete I cannot delete the
>>Junction point, the deny can be applied on the items in the symbolic
>>link or in the target, the results are the same, as soon as one item is
>>protected inside the container I cannot delete the Junction Point. Put
>>a dummy folder in there and explicitly deny "Everyone" delete rights on
>>it and you won't be able to delete the Junction Point.
>>
>>John
>>
>>Cwebb wrote:
>>
>>> I'm baffled.
>>>
>>> Though, it seems that you might be going for different results than
>>> I am.
>>>
>>> It sounds like you're setting the child-folders as well as the
>>> junction-point to be delete-protected, is that right?
>>>
>>> I'm hoping to simply protect the junction-point, so it isn't deleted
>>> by mistake. I thinks that's all Microsoft means when they
>>> say to:
>>> - Use NTFS ACLs to protect junction points from inadvertent deletion.
>>> - Use NTFS ACLs to protect files and directories that are targeted by
>>> junction points from inadvertent deletion or other file system operations.
>>>
>>> Since I've used a junction-point to be able to move my Documents and
>>> Settings folder, I don't want to protect, for example, my desktop, so I
>>> need to Allow deletes on folders and files contained in the targeted folders.
>>>
>>> But, just to test, I tried setting all to Allow, except I set Deny on
>>> 'Delete' and 'Delete Subfolders and Files', and I'm still able to delete
>>> either folder from Explorer.
>>>
>>> And I too, am using Sysinternals' Junction utility...
>>>
>>> ????
>>>
>>> I'm at a loss.
>>>
>>> Thanks for your input John.
>>>
>>>
>>>
>>> On Fri, 15 Feb 2008 07:17:47 -0400 in Messsage-ID <#bcvpR8bIHA.4968@TK2MSFTNGP02.phx.gbl> John John
>>> wrote:
>>>
>>>
>>>>I don't have extensive experience with Junction Points and ACL but that
>>>>is how it appears to be working for me here. I use Advanced permissions
>>>>and on the target directory I explicitly Deny two items to Everyone:
>>>>
>>>>Delete Subfolders and Files
>>>>Delete
>>>>
>>>>and from the Windows Explorer GUI I as an Administrator/Owner Creator
>>>>cannot delete files or folder in the target folder or in the Junction
>>>>Point, nor can I delete the Junction Point. In the Advanced Permissions
>>>>make sure that you don't have a check mark on "Apply these permissions
>>>>to objects and/or containers within this container only"
>>>>
>>>>The only variable might be that I used the Sysinternal Junction tool
>>>>instead of the Resource Kit tools to create the symbolic link, I don't
>>>>think that would make a difference but maybe it does, I don't know for sure.
>>>>
>>>>John
>>>>
>>>>Cwebb wrote:
>>>>
>>>>
>>>>>Well, the problem may be that I don't know what I'm doing!
>>>>>
>>>>>I understand you to be saying that the permissions that are set on the
>>>>>target folder propagate back to the junction point, is that what you're
>>>>>seeing?
>>>>>
>>>>>I'm using each folder's <Properties/Security-tab/Advanced> to modify the
>>>>>permissions settings, and I'm changing the permission:
>>>>>for Everyone - "This Folder Only" - changing from 'Allow' to 'Deny' Delete,
>>>>>leaving all other permissions at 'Allow'. I'm doing the same for both the
>>>>>junction-point and the target folder, and leaving the parent-propagate
>>>>>and child-propagate boxes unchecked in each case.
>>>>>
>>>>>I've made sure the child-folders have all permissions set at 'Allow', after
>>>>>I've set the parent folder permissions.
>>>>>
>>>>>What is it that I'm missing?
>>>>>
>>>>>Thanks.
>>>>>
>>>
>>>
--
Cwebb
(if emailing reply, use this address:
blinds-94050 at mypacks net >> Stay informed about: Junction Points and ACL 'protection' - how? |
|
| Back to top |
|
| |
External
Since: Jun 05, 2004
Posts: 808
|
(Msg. 11) Posted: Sun Feb 24, 2008 11:58 am
Post subject: Re: Junction Points and ACL 'protection' - how? [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
You're welcome, thanks for letting us know how you got around the problem.
John
Cwebb wrote:
> I've found a good alternative....
>
> I've installed the latest version of DMEXbar, a great Explorer 'extension'. This version (v13) happens
> to provide a 'protect Junction Points' feature, which won't allow a simple Explorer delete of a Junction
> point.
>
> I think I'll stick with this solution, for now.
>
> Again, thanks John.
>
> On Fri, 22 Feb 2008 16:17:37 -0500 in Messsage-ID <nqeur35ol7p54h2taqe8acon6r4u632cbi.TakeThisOut@4ax.com> Cwebb
> wrote:
>
>
>>I may have something missing with an update patch. I'll have to
>>get the 'Unofficial Service Pack 5' installed. Maybe that'll help.
>>
>>Thanks for your suggestions John.
>>
>>On Mon, 18 Feb 2008 23:49:50 -0400 in Messsage-ID <uIrXDqqcIHA.5208.TakeThisOut@TK2MSFTNGP04.phx.gbl> John John
>>wrote:
>>
>>
>>>I can do this at the Junction Point without inheritance. I can apply
>>>different permissions to any or all of the folders or files. As soon as
>>>one item within the container has a deny delete I cannot delete the
>>>Junction point, the deny can be applied on the items in the symbolic
>>>link or in the target, the results are the same, as soon as one item is
>>>protected inside the container I cannot delete the Junction Point. Put
>>>a dummy folder in there and explicitly deny "Everyone" delete rights on
>>>it and you won't be able to delete the Junction Point.
>>>
>>>John
>>>
>>>Cwebb wrote:
>>>
>>>
>>>>I'm baffled.
>>>>
>>>>Though, it seems that you might be going for different results than
>>>>I am.
>>>>
>>>>It sounds like you're setting the child-folders as well as the
>>>>junction-point to be delete-protected, is that right?
>>>>
>>>>I'm hoping to simply protect the junction-point, so it isn't deleted
>>>>by mistake. I thinks that's all Microsoft means when they
>>>>say to:
>>>>- Use NTFS ACLs to protect junction points from inadvertent deletion.
>>>>- Use NTFS ACLs to protect files and directories that are targeted by
>>>>junction points from inadvertent deletion or other file system operations.
>>>>
>>>>Since I've used a junction-point to be able to move my Documents and
>>>>Settings folder, I don't want to protect, for example, my desktop, so I
>>>>need to Allow deletes on folders and files contained in the targeted folders.
>>>>
>>>>But, just to test, I tried setting all to Allow, except I set Deny on
>>>>'Delete' and 'Delete Subfolders and Files', and I'm still able to delete
>>>>either folder from Explorer.
>>>>
>>>>And I too, am using Sysinternals' Junction utility...
>>>>
>>>>????
>>>>
>>>>I'm at a loss.
>>>>
>>>>Thanks for your input John.
>>>>
>>>>
>>>>
>>>>On Fri, 15 Feb 2008 07:17:47 -0400 in Messsage-ID <#bcvpR8bIHA.4968@TK2MSFTNGP02.phx.gbl> John John
>>>>wrote:
>>>>
>>>>
>>>>
>>>>>I don't have extensive experience with Junction Points and ACL but that
>>>>>is how it appears to be working for me here. I use Advanced permissions
>>>>>and on the target directory I explicitly Deny two items to Everyone:
>>>>>
>>>>>Delete Subfolders and Files
>>>>>Delete
>>>>>
>>>>>and from the Windows Explorer GUI I as an Administrator/Owner Creator
>>>>>cannot delete files or folder in the target folder or in the Junction
>>>>>Point, nor can I delete the Junction Point. In the Advanced Permissions
>>>>>make sure that you don't have a check mark on "Apply these permissions
>>>>>to objects and/or containers within this container only"
>>>>>
>>>>>The only variable might be that I used the Sysinternal Junction tool
>>>>>instead of the Resource Kit tools to create the symbolic link, I don't
>>>>>think that would make a difference but maybe it does, I don't know for sure.
>>>>>
>>>>>John
>>>>>
>>>>>Cwebb wrote:
>>>>>
>>>>>
>>>>>
>>>>>>Well, the problem may be that I don't know what I'm doing!
>>>>>>
>>>>>>I understand you to be saying that the permissions that are set on the
>>>>>>target folder propagate back to the junction point, is that what you're
>>>>>>seeing?
>>>>>>
>>>>>>I'm using each folder's <Properties/Security-tab/Advanced> to modify the
>>>>>>permissions settings, and I'm changing the permission:
>>>>>>for Everyone - "This Folder Only" - changing from 'Allow' to 'Deny' Delete,
>>>>>>leaving all other permissions at 'Allow'. I'm doing the same for both the
>>>>>>junction-point and the target folder, and leaving the parent-propagate
>>>>>>and child-propagate boxes unchecked in each case.
>>>>>>
>>>>>>I've made sure the child-folders have all permissions set at 'Allow', after
>>>>>>I've set the parent folder permissions.
>>>>>>
>>>>>>What is it that I'm missing?
>>>>>>
>>>>>>Thanks.
>>>>>>
>>>>
>>>>
> >> Stay informed about: Junction Points and ACL 'protection' - how? |
|
| Back to top |
|
| |
| Related Topics: | File Protection Options - I have Win 2000 Pro SP 4 I encrypted very important personal files. I encrypted them and now I can not access them. Don't now what happened. 1. Can I password protect a whole folder or file? 2. Are there other options to fail proof protection..
offline folder syncronization - does offline folder synchronization create a log file?? Where is it located. I need this file to troubleshoot offline folder sync, as i have a couple of Laptop users that sometimes after a sync, the user logs back onto their Laptop and there are no..
Deleting files doesn't increase free disk space - I have a two-machine network such that I make disk images of Machine 1 and then copy them for archiving to Machine 2. The disk I copy them to on Machine 2 is an NTFS volume on Windows 2000. When I want to copy the most recent Machine 1 disk image, I....
200GB Harddisks only recognised 128GB? - I wonder what is the problem and if there is any solution. The Motherboard is Intel D865GLC and the BIOS reported the Harddisk as 200GB The 4 harddisks model are Seagate ST3200822A. All of them reported 128GB in Computer Management.
NTFS XML schema - Anyone know of a standard xml schema for representing NTFS permissions? I want to store permissions in a standard format including ACEs ACLs etc. Thanks Nick |
|
You can post new topics in this forum
You can reply to topics in this forum
You can edit your posts in this forum
You can delete your posts in this forum
You can vote in polls in this forum
|
|
|
|
|
|
|
FAQ
Profile
Private Messages
Log in
Win 2000/NT/98/ME