Set Windows permissions such that group members can edit and others can only read & execute
I'm on Windows 10.0.16299 Pro. I have a particular folder containing script files. I want all users to be able to read and execute them. Additionally, I want members of a particular local group to be able to edit them in-place without having to authenticate (or indeed perform any other special action) each time. In principle the “particular local group” could be any arbitrary group created for the purpose. For my current application the most natural choice would be Administrators, but I could use another one if that specific group has special behavior that complicates what I'm trying to do. So basically I’m looking for behavior analogous to what you get after setting rwxrwxr-x
permissions on a file in a POSIX system.
I followed the procedure below and the permissions ended up looking right in theory. However, when I (as a logged-in member of the Administrators group) go to save edits to one of the files, the editor tells me I do not have permission.
Here's what I did. I right-clicked on the folder, selected "Properties" and went to the "Security" tab, then clicked the "Advanced" button. I clicked "Disable inheritance" and chose to convert existing inherited permissions into explicit permissions. I then edited the permissions and they ended up looking like the following screenshot:
For the script files themselves, this automatically makes the equivalent pane look the same as above, except that inheritance is still enabled and the "Inherited from" column shows the name of the enclosing folder. All of that looks theoretically correct to me. Why can't I, as a member of the designated group, modify the files' content?
windows permissions file-permissions
|
show 1 more comment
I'm on Windows 10.0.16299 Pro. I have a particular folder containing script files. I want all users to be able to read and execute them. Additionally, I want members of a particular local group to be able to edit them in-place without having to authenticate (or indeed perform any other special action) each time. In principle the “particular local group” could be any arbitrary group created for the purpose. For my current application the most natural choice would be Administrators, but I could use another one if that specific group has special behavior that complicates what I'm trying to do. So basically I’m looking for behavior analogous to what you get after setting rwxrwxr-x
permissions on a file in a POSIX system.
I followed the procedure below and the permissions ended up looking right in theory. However, when I (as a logged-in member of the Administrators group) go to save edits to one of the files, the editor tells me I do not have permission.
Here's what I did. I right-clicked on the folder, selected "Properties" and went to the "Security" tab, then clicked the "Advanced" button. I clicked "Disable inheritance" and chose to convert existing inherited permissions into explicit permissions. I then edited the permissions and they ended up looking like the following screenshot:
For the script files themselves, this automatically makes the equivalent pane look the same as above, except that inheritance is still enabled and the "Inherited from" column shows the name of the enclosing folder. All of that looks theoretically correct to me. Why can't I, as a member of the designated group, modify the files' content?
windows permissions file-permissions
Even though you might be a member of Snap08Administrators, when you are logged in to Snap08, you have a set of permissions that do not include membership in that group. Whenever you need to do something that requires membership in that group, you have to get temporarily elevated. Either by explicitly launching the program using the "Run As Administrator" option, or by having the program detect what you are trying to do, and then opening a UAC prompt. See en.wikipedia.org/wiki/User_Account_Control to learn more about this concept, called User Account Control.
– Doug Deden
Jan 31 at 20:05
@DougDeden thanks. Sounds like this is a particular behavior that is specific to the group named "Administrators"? In that case, can my problem be worked around if I create another more-arbitrarily-named group, add all the current admins to it, and give write permission to that group? Or does this principle, of not getting your group's privileges until you do something special to specifically ask for them, apply to all groups?
– jez
Jan 31 at 21:28
@jez - No; A process will run with the lowest possible permissions possible until they are elevated. It is Absolutely NOT limited to just the Administrator user group. If you want a user to be able to edit a file without an elevation prompt, then you need to elevate the permissions of the editor, that is modifying the file. This will, of course, result in a single prompt to elevate the permissions which cannot be prevented without disabling UAC entirely. If you disable UAC on Windows 10 you disable ALL UWP applications including the Settings application.
– Ramhound
Jan 31 at 21:32
@Ramhound Thanks. That would mean that there's simply no way of emulatingrwxrwxr-x
behavior in Windows (at least not without system-wide side effects). Given all the added complexity of Windows' permissions system, that's surprising to hear.
– jez
Jan 31 at 21:41
@Ramhound what would be the procedure for “elevating” your permissions to those of a non-admin group? In uac settings I only see mention of Administrator privileges.
– jez
Feb 2 at 1:44
|
show 1 more comment
I'm on Windows 10.0.16299 Pro. I have a particular folder containing script files. I want all users to be able to read and execute them. Additionally, I want members of a particular local group to be able to edit them in-place without having to authenticate (or indeed perform any other special action) each time. In principle the “particular local group” could be any arbitrary group created for the purpose. For my current application the most natural choice would be Administrators, but I could use another one if that specific group has special behavior that complicates what I'm trying to do. So basically I’m looking for behavior analogous to what you get after setting rwxrwxr-x
permissions on a file in a POSIX system.
I followed the procedure below and the permissions ended up looking right in theory. However, when I (as a logged-in member of the Administrators group) go to save edits to one of the files, the editor tells me I do not have permission.
Here's what I did. I right-clicked on the folder, selected "Properties" and went to the "Security" tab, then clicked the "Advanced" button. I clicked "Disable inheritance" and chose to convert existing inherited permissions into explicit permissions. I then edited the permissions and they ended up looking like the following screenshot:
For the script files themselves, this automatically makes the equivalent pane look the same as above, except that inheritance is still enabled and the "Inherited from" column shows the name of the enclosing folder. All of that looks theoretically correct to me. Why can't I, as a member of the designated group, modify the files' content?
windows permissions file-permissions
I'm on Windows 10.0.16299 Pro. I have a particular folder containing script files. I want all users to be able to read and execute them. Additionally, I want members of a particular local group to be able to edit them in-place without having to authenticate (or indeed perform any other special action) each time. In principle the “particular local group” could be any arbitrary group created for the purpose. For my current application the most natural choice would be Administrators, but I could use another one if that specific group has special behavior that complicates what I'm trying to do. So basically I’m looking for behavior analogous to what you get after setting rwxrwxr-x
permissions on a file in a POSIX system.
I followed the procedure below and the permissions ended up looking right in theory. However, when I (as a logged-in member of the Administrators group) go to save edits to one of the files, the editor tells me I do not have permission.
Here's what I did. I right-clicked on the folder, selected "Properties" and went to the "Security" tab, then clicked the "Advanced" button. I clicked "Disable inheritance" and chose to convert existing inherited permissions into explicit permissions. I then edited the permissions and they ended up looking like the following screenshot:
For the script files themselves, this automatically makes the equivalent pane look the same as above, except that inheritance is still enabled and the "Inherited from" column shows the name of the enclosing folder. All of that looks theoretically correct to me. Why can't I, as a member of the designated group, modify the files' content?
windows permissions file-permissions
windows permissions file-permissions
edited Feb 1 at 16:51
jez
asked Jan 31 at 19:52
jezjez
1286
1286
Even though you might be a member of Snap08Administrators, when you are logged in to Snap08, you have a set of permissions that do not include membership in that group. Whenever you need to do something that requires membership in that group, you have to get temporarily elevated. Either by explicitly launching the program using the "Run As Administrator" option, or by having the program detect what you are trying to do, and then opening a UAC prompt. See en.wikipedia.org/wiki/User_Account_Control to learn more about this concept, called User Account Control.
– Doug Deden
Jan 31 at 20:05
@DougDeden thanks. Sounds like this is a particular behavior that is specific to the group named "Administrators"? In that case, can my problem be worked around if I create another more-arbitrarily-named group, add all the current admins to it, and give write permission to that group? Or does this principle, of not getting your group's privileges until you do something special to specifically ask for them, apply to all groups?
– jez
Jan 31 at 21:28
@jez - No; A process will run with the lowest possible permissions possible until they are elevated. It is Absolutely NOT limited to just the Administrator user group. If you want a user to be able to edit a file without an elevation prompt, then you need to elevate the permissions of the editor, that is modifying the file. This will, of course, result in a single prompt to elevate the permissions which cannot be prevented without disabling UAC entirely. If you disable UAC on Windows 10 you disable ALL UWP applications including the Settings application.
– Ramhound
Jan 31 at 21:32
@Ramhound Thanks. That would mean that there's simply no way of emulatingrwxrwxr-x
behavior in Windows (at least not without system-wide side effects). Given all the added complexity of Windows' permissions system, that's surprising to hear.
– jez
Jan 31 at 21:41
@Ramhound what would be the procedure for “elevating” your permissions to those of a non-admin group? In uac settings I only see mention of Administrator privileges.
– jez
Feb 2 at 1:44
|
show 1 more comment
Even though you might be a member of Snap08Administrators, when you are logged in to Snap08, you have a set of permissions that do not include membership in that group. Whenever you need to do something that requires membership in that group, you have to get temporarily elevated. Either by explicitly launching the program using the "Run As Administrator" option, or by having the program detect what you are trying to do, and then opening a UAC prompt. See en.wikipedia.org/wiki/User_Account_Control to learn more about this concept, called User Account Control.
– Doug Deden
Jan 31 at 20:05
@DougDeden thanks. Sounds like this is a particular behavior that is specific to the group named "Administrators"? In that case, can my problem be worked around if I create another more-arbitrarily-named group, add all the current admins to it, and give write permission to that group? Or does this principle, of not getting your group's privileges until you do something special to specifically ask for them, apply to all groups?
– jez
Jan 31 at 21:28
@jez - No; A process will run with the lowest possible permissions possible until they are elevated. It is Absolutely NOT limited to just the Administrator user group. If you want a user to be able to edit a file without an elevation prompt, then you need to elevate the permissions of the editor, that is modifying the file. This will, of course, result in a single prompt to elevate the permissions which cannot be prevented without disabling UAC entirely. If you disable UAC on Windows 10 you disable ALL UWP applications including the Settings application.
– Ramhound
Jan 31 at 21:32
@Ramhound Thanks. That would mean that there's simply no way of emulatingrwxrwxr-x
behavior in Windows (at least not without system-wide side effects). Given all the added complexity of Windows' permissions system, that's surprising to hear.
– jez
Jan 31 at 21:41
@Ramhound what would be the procedure for “elevating” your permissions to those of a non-admin group? In uac settings I only see mention of Administrator privileges.
– jez
Feb 2 at 1:44
Even though you might be a member of Snap08Administrators, when you are logged in to Snap08, you have a set of permissions that do not include membership in that group. Whenever you need to do something that requires membership in that group, you have to get temporarily elevated. Either by explicitly launching the program using the "Run As Administrator" option, or by having the program detect what you are trying to do, and then opening a UAC prompt. See en.wikipedia.org/wiki/User_Account_Control to learn more about this concept, called User Account Control.
– Doug Deden
Jan 31 at 20:05
Even though you might be a member of Snap08Administrators, when you are logged in to Snap08, you have a set of permissions that do not include membership in that group. Whenever you need to do something that requires membership in that group, you have to get temporarily elevated. Either by explicitly launching the program using the "Run As Administrator" option, or by having the program detect what you are trying to do, and then opening a UAC prompt. See en.wikipedia.org/wiki/User_Account_Control to learn more about this concept, called User Account Control.
– Doug Deden
Jan 31 at 20:05
@DougDeden thanks. Sounds like this is a particular behavior that is specific to the group named "Administrators"? In that case, can my problem be worked around if I create another more-arbitrarily-named group, add all the current admins to it, and give write permission to that group? Or does this principle, of not getting your group's privileges until you do something special to specifically ask for them, apply to all groups?
– jez
Jan 31 at 21:28
@DougDeden thanks. Sounds like this is a particular behavior that is specific to the group named "Administrators"? In that case, can my problem be worked around if I create another more-arbitrarily-named group, add all the current admins to it, and give write permission to that group? Or does this principle, of not getting your group's privileges until you do something special to specifically ask for them, apply to all groups?
– jez
Jan 31 at 21:28
@jez - No; A process will run with the lowest possible permissions possible until they are elevated. It is Absolutely NOT limited to just the Administrator user group. If you want a user to be able to edit a file without an elevation prompt, then you need to elevate the permissions of the editor, that is modifying the file. This will, of course, result in a single prompt to elevate the permissions which cannot be prevented without disabling UAC entirely. If you disable UAC on Windows 10 you disable ALL UWP applications including the Settings application.
– Ramhound
Jan 31 at 21:32
@jez - No; A process will run with the lowest possible permissions possible until they are elevated. It is Absolutely NOT limited to just the Administrator user group. If you want a user to be able to edit a file without an elevation prompt, then you need to elevate the permissions of the editor, that is modifying the file. This will, of course, result in a single prompt to elevate the permissions which cannot be prevented without disabling UAC entirely. If you disable UAC on Windows 10 you disable ALL UWP applications including the Settings application.
– Ramhound
Jan 31 at 21:32
@Ramhound Thanks. That would mean that there's simply no way of emulating
rwxrwxr-x
behavior in Windows (at least not without system-wide side effects). Given all the added complexity of Windows' permissions system, that's surprising to hear.– jez
Jan 31 at 21:41
@Ramhound Thanks. That would mean that there's simply no way of emulating
rwxrwxr-x
behavior in Windows (at least not without system-wide side effects). Given all the added complexity of Windows' permissions system, that's surprising to hear.– jez
Jan 31 at 21:41
@Ramhound what would be the procedure for “elevating” your permissions to those of a non-admin group? In uac settings I only see mention of Administrator privileges.
– jez
Feb 2 at 1:44
@Ramhound what would be the procedure for “elevating” your permissions to those of a non-admin group? In uac settings I only see mention of Administrator privileges.
– jez
Feb 2 at 1:44
|
show 1 more comment
1 Answer
1
active
oldest
votes
OK, what worked for me was to steer clear of using the Administrators group for this purpose, and instead to create a different local group (say "Developers"). I gave the Developers group write permission on a file, and any member of that group could then edit the file while others could not. There was no special "elevation" step that members of Developers had to perform each time they wanted to edit the file, whereas there was if I tried to use the Administrators group for the same purpose (this is contrary to my best understanding of the comments above).
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1400733%2fset-windows-permissions-such-that-group-members-can-edit-and-others-can-only-rea%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
OK, what worked for me was to steer clear of using the Administrators group for this purpose, and instead to create a different local group (say "Developers"). I gave the Developers group write permission on a file, and any member of that group could then edit the file while others could not. There was no special "elevation" step that members of Developers had to perform each time they wanted to edit the file, whereas there was if I tried to use the Administrators group for the same purpose (this is contrary to my best understanding of the comments above).
add a comment |
OK, what worked for me was to steer clear of using the Administrators group for this purpose, and instead to create a different local group (say "Developers"). I gave the Developers group write permission on a file, and any member of that group could then edit the file while others could not. There was no special "elevation" step that members of Developers had to perform each time they wanted to edit the file, whereas there was if I tried to use the Administrators group for the same purpose (this is contrary to my best understanding of the comments above).
add a comment |
OK, what worked for me was to steer clear of using the Administrators group for this purpose, and instead to create a different local group (say "Developers"). I gave the Developers group write permission on a file, and any member of that group could then edit the file while others could not. There was no special "elevation" step that members of Developers had to perform each time they wanted to edit the file, whereas there was if I tried to use the Administrators group for the same purpose (this is contrary to my best understanding of the comments above).
OK, what worked for me was to steer clear of using the Administrators group for this purpose, and instead to create a different local group (say "Developers"). I gave the Developers group write permission on a file, and any member of that group could then edit the file while others could not. There was no special "elevation" step that members of Developers had to perform each time they wanted to edit the file, whereas there was if I tried to use the Administrators group for the same purpose (this is contrary to my best understanding of the comments above).
answered Feb 11 at 17:11
jezjez
1286
1286
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1400733%2fset-windows-permissions-such-that-group-members-can-edit-and-others-can-only-rea%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Even though you might be a member of Snap08Administrators, when you are logged in to Snap08, you have a set of permissions that do not include membership in that group. Whenever you need to do something that requires membership in that group, you have to get temporarily elevated. Either by explicitly launching the program using the "Run As Administrator" option, or by having the program detect what you are trying to do, and then opening a UAC prompt. See en.wikipedia.org/wiki/User_Account_Control to learn more about this concept, called User Account Control.
– Doug Deden
Jan 31 at 20:05
@DougDeden thanks. Sounds like this is a particular behavior that is specific to the group named "Administrators"? In that case, can my problem be worked around if I create another more-arbitrarily-named group, add all the current admins to it, and give write permission to that group? Or does this principle, of not getting your group's privileges until you do something special to specifically ask for them, apply to all groups?
– jez
Jan 31 at 21:28
@jez - No; A process will run with the lowest possible permissions possible until they are elevated. It is Absolutely NOT limited to just the Administrator user group. If you want a user to be able to edit a file without an elevation prompt, then you need to elevate the permissions of the editor, that is modifying the file. This will, of course, result in a single prompt to elevate the permissions which cannot be prevented without disabling UAC entirely. If you disable UAC on Windows 10 you disable ALL UWP applications including the Settings application.
– Ramhound
Jan 31 at 21:32
@Ramhound Thanks. That would mean that there's simply no way of emulating
rwxrwxr-x
behavior in Windows (at least not without system-wide side effects). Given all the added complexity of Windows' permissions system, that's surprising to hear.– jez
Jan 31 at 21:41
@Ramhound what would be the procedure for “elevating” your permissions to those of a non-admin group? In uac settings I only see mention of Administrator privileges.
– jez
Feb 2 at 1:44