On Thu, 24 Jul 2003 14:02:37 +1000, Matthew McKinnon
wrote:

> Hey;
>
> I need to create an Account that has admin rights to the system, but
> cannot
> have access to ONE directory on the DATA volume.
>
> Is this possible?
>
> Everytime we give trustee rights to the context them go to the volume and
> deny rights to this one directoy, the inherint rights still filter down
> and
> give the account access form the context.
>
> So can I still create a user with Admin Rights but deny the account
> access
> to one
> directory?
>
In the traditional NetWare file system, you could not revoke the Supervisor
right in the file system anywhere below the point it was awarded. This was
due to a bug introduced in NetWare 3 which was found to be useful, and so
never fixed (bug becomes feature).

In NetWare 5.0, Novell introduced the NetWare Storage Service (NSS), which
was a made-from-scratch storage system. Because it was made-from-scratch,
it did not carry the bug; the Supervisor right in the file system COULD be
blocked with an Inherited Rights Filter (IRF). This means that a Supervisor
account COULD be locked out of a single directory under NSS (with great
care, since it could leave a directory permanently unmanageable).

I seem to recall this behavior remained under NetWare 5.1 NSS, but I never
checked how NetWare 6 (which is all NSS) handles it.

So, to answer your question, it really depends on whether the volume is an
NSS volume or not.

MY suggestion, though, is to create the account with all rights EXCEPT
Supervisor, so you can manage the account as much as needed without the
worries.



--
Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer_@_frayernet.com
Seeking an IT Mgmt/Network Admin position in the Tampa Bay Region.
If you would like to discuss an opportunity with me, please e-mail (remove
the underscores).