On a file server, a base folder contains the users' folders:
This base folder is protected against users' actions (deletion, rename, dump of files, etc.); users can only read and traverse it:
To protect each user's root folder, I explicitly deny them the right to delete their own folder:
This implies adding a deny on each folder.
Doing it on the base folder does not work: deny to the group Users to delete sub-folders, for "This folder only" --> they can still delete their own folder, because inherited permissions (deny to delete) have less precedence than explicit permissions (allow to modify).
With my method, users can still hide their own root folder. This is not a problem, but it shows the folder is not 100% protected against actions.
- do I use the "canonical" method?
- how to prevent users from hiding their own folder? Or doing whatever other annoying things
- any suggestions?
It appears to be the "This folder" in the applies to....
The deny...
The Specials.
This folder, once owner is returned to administrator (just quicker in my environment to do on my desktop), can be seen, traversed, added to, modified below, but cannot be hidden or deleted by user QUADWORD.
It is denied delete on the folder explicit, denied reading attributes by not being granted, and the permissions you want are set from that point down.
On the plus side, they can create and delete data from that point down, but cannot hide it there either :-)
Edit (More detail): Allow me to elaborate further... It appears that you would like the parent folder (the users' folders) to be treated differently than all the subfolders thereof. So you have to specify settings for "this folder only" and then have more control from that point down. So you effectively need to be explicit on what you want for that "one folder", then be explicit on what you want for "all child objects of this folder", being different. And you have to make sure that the user has neither permissions to change that, nor is by proxy allowed to by being owner or a member of any group that can.

In NTFS a delete always overrides a deny; you can test this by making two identical ACLs, one with delete, the other with allow, and it matters not what order you put them in: they will enumerate deletes first, and ignore allows after. Whether that ACL is inherited or not is not relevant. It is a resolved level of access from all ACLs that apply to that object.

With one exception: no matter what you set, the "Owner" can retake ownership and change. Otherwise you can create mistakes you cannot fix; as owner you can cosmetically lock even yourself out, but you would have the power to go change that (useful sometimes) ;)

And remember, the "effective access" tab is your friend!
1. do I use the "canonical" method?
You use the most straightforward and least error-prone method: the allow item is usual, and the deny item is only one check-mark.
2. how to prevent users from hiding their own folder? Or doing whatever other annoying things
The fact that users can hide their own folder is related to the fact they can also modify other desirable attributes (but very few do it). I have never seen anyone fighting against this, probably because this never causes problems.
3. any suggestions?
Lots of admins prefer to create a share for every "root folder". This can be handy, but this can reveal private information because shares are visible.
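
The per-folder explicit deny discussed in this thread can be scripted instead of set by hand. The following is an added example, not code from any of the posters; it assumes a placeholder base path `D:\Users` and that each sub-folder is named after the account that uses it. It also flags folders owned by their user, since the owner can always change the ACL.

```powershell
# Added example, not from the thread. Run elevated on the file server.
# Assumptions: D:\Users is a placeholder base path, and every sub-folder is
# named after the account that uses it.
param(
    [string]$BasePath = 'D:\Users',
    [string]$Domain   = $env:USERDOMAIN
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$delete  = [System.Security.AccessControl.FileSystemRights]::Delete
$none    = [System.Security.AccessControl.InheritanceFlags]::None
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$deny    = [System.Security.AccessControl.AccessControlType]::Deny

foreach ($folder in Get-ChildItem -LiteralPath $BasePath -Directory) {
    $account = "$Domain\$($folder.Name)"
    try {
        $sid = ([System.Security.Principal.NTAccount]$account).Translate($sidType)
    } catch {
        Write-Warning "Skipped $($folder.FullName): cannot resolve $account"
        continue
    }

    $acl = Get-Acl -LiteralPath $folder.FullName

    # Look only at explicit ACEs ($true, $false): is the deny already there?
    $present = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq $deny -and
        ($_.FileSystemRights -band $delete) -eq $delete -and
        $_.InheritanceFlags -eq $none
    }

    if (-not $present) {
        # InheritanceFlags None = "This folder only": content below stays deletable.
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $sid, $delete, $none, $noProp, $deny)
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $folder.FullName -AclObject $acl
        Write-Output "Added explicit deny Delete for $account on $($folder.FullName)"
    }

    # An owner can always rewrite the ACL, so flag folders owned by their user.
    if ($acl.GetOwner($sidType).Value -eq $sid.Value) {
        Write-Warning "$account owns $($folder.FullName) and can remove the deny"
    }
}
```

Running it a second time adds nothing, because the explicit-ACE check finds the existing deny entry.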