Set Windows permissions such that group members can edit and others can only read & execute




















I'm on Windows 10.0.16299 Pro. I have a particular folder containing script files. I want all users to be able to read and execute them. Additionally, I want members of a particular local group to be able to edit them in-place without having to authenticate (or indeed perform any other special action) each time. In principle the “particular local group” could be any arbitrary group created for the purpose. For my current application the most natural choice would be Administrators, but I could use another one if that specific group has special behavior that complicates what I'm trying to do. So basically I’m looking for behavior analogous to what you get after setting rwxrwxr-x permissions on a file in a POSIX system.



I followed the procedure below and the permissions ended up looking right in theory. However, when I (as a logged-in member of the Administrators group) go to save edits to one of the files, the editor tells me I do not have permission.



Here's what I did. I right-clicked on the folder, selected "Properties" and went to the "Security" tab, then clicked the "Advanced" button. I clicked "Disable inheritance" and chose to convert existing inherited permissions into explicit permissions. I then edited the permissions and they ended up looking like the following screenshot:



[Screenshot: Properties > Security > Advanced pane for the enclosing folder]



For the script files themselves, this automatically makes the equivalent pane look the same as above, except that inheritance is still enabled and the "Inherited from" column shows the name of the enclosing folder. All of that looks theoretically correct to me. Why can't I, as a member of the designated group, modify the files' content?










windows permissions file-permissions














edited Feb 1 at 16:51

jez

asked Jan 31 at 19:52

jez













  • Even though you might be a member of Snap08\Administrators, when you are logged in to Snap08, you have a set of permissions that do not include membership in that group. Whenever you need to do something that requires membership in that group, you have to get temporarily elevated, either by explicitly launching the program using the "Run As Administrator" option, or by having the program detect what you are trying to do and then open a UAC prompt. See en.wikipedia.org/wiki/User_Account_Control to learn more about this concept, called User Account Control.

    – Doug Deden
    Jan 31 at 20:05











  • @DougDeden thanks. Sounds like this is a particular behavior that is specific to the group named "Administrators"? In that case, can my problem be worked around if I create another more-arbitrarily-named group, add all the current admins to it, and give write permission to that group? Or does this principle, of not getting your group's privileges until you do something special to specifically ask for them, apply to all groups?

    – jez
    Jan 31 at 21:28











  • @jez - No; a process will run with the lowest possible permissions until they are elevated. It is Absolutely NOT limited to just the Administrator user group. If you want a user to be able to edit a file without an elevation prompt, then you need to elevate the permissions of the editor that is modifying the file. This will, of course, result in a single prompt to elevate the permissions, which cannot be prevented without disabling UAC entirely. If you disable UAC on Windows 10 you disable ALL UWP applications, including the Settings application.

    – Ramhound
    Jan 31 at 21:32











  • @Ramhound Thanks. That would mean that there's simply no way of emulating rwxrwxr-x behavior in Windows (at least not without system-wide side effects). Given all the added complexity of Windows' permissions system, that's surprising to hear.

    – jez
    Jan 31 at 21:41













  • @Ramhound what would be the procedure for “elevating” your permissions to those of a non-admin group? In UAC settings I only see mention of Administrator privileges.

    – jez
    Feb 2 at 1:44





























1 Answer














OK, what worked for me was to steer clear of using the Administrators group for this purpose, and instead to create a different local group (say "Developers"). I gave the Developers group write permission on a file, and any member of that group could then edit the file while others could not. There was no special "elevation" step that members of Developers had to perform each time they wanted to edit the file, whereas there was if I tried to use the Administrators group for the same purpose (this is contrary to my best understanding of the comments above).






answered Feb 11 at 17:11

jez
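The setup the answer describes, written out as commands (an added example, not part of the original post): it creates the Developers group and rebuilds the folder's ACL so that Developers get Modify and Users get Read & execute. The folder path and member list are placeholders, and unlike the GUI steps in the question it removes inherited entries instead of converting them to explicit ones.

```powershell
#Requires -RunAsAdministrator
# Added example. $Folder and $Members are placeholders; adjust before running.
param(
    [string]$Folder    = 'C:\Scripts',   # hypothetical folder holding the script files
    [string]$GroupName = 'Developers',   # group name used in the answer
    [string[]]$Members = @()             # local accounts to add, e.g. 'alice'
)
$ErrorActionPreference = 'Stop'

# 1. Create the dedicated group (once) and add its members.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Editors of the shared scripts folder' | Out-Null
}
foreach ($m in $Members) {
    if (-not (Get-LocalGroupMember -Group $GroupName -Member $m -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group $GroupName -Member $m
    }
}

# 2. Add explicit, inheritable ACEs first, then drop the ACEs inherited from the parent.
#    Well-known SIDs avoid localized names: S-1-5-18 SYSTEM, S-1-5-32-544 Administrators,
#    S-1-5-32-545 Users. F = full control, M = modify, RX = read & execute.
icacls $Folder /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' `
                        "${GroupName}:(OI)(CI)M" '*S-1-5-32-545:(OI)(CI)RX'
if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed with exit code $LASTEXITCODE" }
icacls $Folder /inheritance:r
if ($LASTEXITCODE -ne 0) { throw "icacls /inheritance failed with exit code $LASTEXITCODE" }

# 3. Make existing files take the folder's ACEs instead of explicit ones of their own.
icacls (Join-Path $Folder '*') /reset /T /C

# 4. Audit: list every allow ACE on the folder that still carries a write-type right.
#    Expect only SYSTEM, Administrators and $GroupName; a leftover explicit ACE for
#    any other principal shows up here and needs review.
$write = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   (([int]$_.FileSystemRights -band [int]$write) -ne 0) } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags

# 5. Check from a normal (non-elevated) shell after signing out and back in, because
#    group changes only reach the logon token at the next sign-in:
#        whoami /groups | Select-String 'S-1-5-32-544', 'Developers'
#    Under UAC a non-elevated token lists the Administrators SID as
#    "Group used for deny only", so allow ACEs for Administrators do not apply to
#    that process. Developers is an ordinary enabled group, so its Modify ACE does.
```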





























