I have a directory shared via CIFS from a Windows 7 "server". No domain: just a simple workgroup.
My clients access this directory via LAN via "Standard User" (no "Administrator") accounts on the server. They use this share for "personal storage", so they need full create/edit/delete on everything inside it.
The problem is: I server-side create a directory there. This single item shouldn't be editable in any way, just readable/browsable/listable (let's focus on the directory itself, not on the files within (there aren't any, sometimes)).
I'm working with NTFS permissions: I removed inheritance from the must-not-delete-directory, so I can work on its permissions.
I removed the client account and, at this stage, only SYSTEM, Administrators and myself are present with their permissions. At this stage, clients can neither delete nor open the folder.
If I add a Deny "full control" rule, nothing changes (as expected).
But if I modify that rule and allow just "List folder / read data", while keeping all the others on Deny... the user can delete the folder!?!?!?
How is that possible? What am I misunderstanding?
Note: I double-checked with a single file, not a directory: same problem!
This is Icacls output:
MUST NOT DELETE NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                muletto\Zane:(OI)(CI)(F)
                BUILTIN\Administrators:(OI)(CI)(F)
                muletto\myNetworkUser:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files