1

I think I'm having some difficulty understanding NTFS permissions. My understanding is that when possible you want to avoid assigning a specific user account to NTFS and instead use a group. So I set up a folder with the owner as the administrators group. I removed all user accounts on the folder and added the administrators group with full control.

I'm logged into the computer as a user that belongs to the administrators group. But when I open the security properties on the folder it says, "you must have read permissions to view the properties of this object." I can click Advanced and Continue and edit the properties, but unless I specifically add my user account to the permissions or make my user account the owner, I get the above message. Yet my account is part of the administrators group. Shouldn't those permissions propagate? Why would I have to assign my user account specifically, when I've assigned a group that my account belongs to? Thanks!

skinneejoe
  • Do you have User Account Control enabled on the client computer where you were testing? UAC strips your "Administrators" group membership. – Evan Anderson Jul 22 '14 at 15:26
  • Turned off UAC, rebooted, still no go. – skinneejoe Jul 22 '14 at 15:54
  • Have you tried using the Effective Permissions tab to see what permissions your user account has been granted? – dbr Jul 22 '14 at 16:34
  • Yes, and it says my account has full control. It seems like this behavior is by design, which is disappointing. – skinneejoe Jul 22 '14 at 19:16
  • 4 years later, this is still a valid question. Maybe it is by design, but I don't understand the logic. A user in a security group with full control should be able to see without having to explicitly be added as a user. – Brad Bamford Oct 04 '18 at 17:35

1 Answer

0

One possibility is that the file has been marked for deletion.

File delete on Windows is asynchronous. A call to DeleteFile() marks a file for deletion and returns. The OS completes the deletion operation later. Usually it is instant, but in some situations there may be noticeable delay. A simple example is a server environment where remote users may have open file handles (e.g. SMB/CIFS) on the to-be-deleted file. The delete will be deferred until all open handles have been closed. In the meantime, the directory entry will remain present but any new I/O operations on the file will fail. The result in this situation is a file that even the Administrator can’t read, modify perms/ACLs, nor take ownership of. As soon as all remote users close the file, the delete will complete.

To view (and even force-close) open handles, see e.g. System Tools...Shared Folders...Open Files in the Computer Management tool (compmgmt.msc).
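
A PowerShell counterpart to the Open Files view mentioned in the answer, added here as an example and not part of the original answer. It assumes an elevated session on the file server with the SmbShare cmdlets `Get-SmbOpenFile` and `Close-SmbOpenFile` available; the function name and the sample path are constructed for illustration.

```powershell
# Added example: list the SMB handles that can keep a file stuck in the
# delete-pending state, and preview closing them.
# Assumption: run elevated on the file server that hosts the share.

function Get-OpenSmbHandle {
    param(
        [Parameter(Mandatory)]
        [string]$Path   # local path on the server: one file, or a folder to search under
    )

    # Normalise so "D:\Shares\Projects\" and "D:\Shares\Projects" compare equal.
    $full   = [System.IO.Path]::GetFullPath($Path).TrimEnd('\')
    $prefix = $full + '\'
    $cmp    = [System.StringComparison]::OrdinalIgnoreCase

    Get-SmbOpenFile |
        Where-Object {
            # Match the path itself or anything below it. A plain string
            # comparison avoids wildcard surprises with [ ] in file names.
            $_.Path -and (
                $_.Path.TrimEnd('\').Equals($full, $cmp) -or
                $_.Path.StartsWith($prefix, $cmp)
            )
        } |
        Select-Object FileId, SessionId, ClientComputerName, ClientUserName, Path
}

# Constructed sample path; replace with the file or folder that cannot be read.
$target  = 'D:\Shares\Projects\report.xlsx'
$handles = @(Get-OpenSmbHandle -Path $target)

if ($handles.Count -eq 0) {
    Write-Output "No SMB handles are open on $target; a pending delete is not being held by a remote client."
}
else {
    # Shows which client and user still have the file open.
    $handles | Format-Table -AutoSize

    # -WhatIf only previews the close. Removing it force-closes the handle,
    # and the client loses any unsaved changes in that file.
    $handles | ForEach-Object { Close-SmbOpenFile -FileId $_.FileId -WhatIf }
}
```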