Bluewhale042399 asked:
W2K AD Domain Allow Folder creation/rename but deny deletion

Hi.  I have a small problem with an admin equivalent who occasionally drags their mouse when multiple windows are open and picks a job folder up and deposits it who knows where.  They often do not notice that this has occurred.  I cannot remove their admin privileges for political reasons.
I've tried hours of playing with NTFS rights, but to date, if they can rename the folder then they can delete it (anybody can create a folder; they simply can't rename it, thus you end up with Folder1, Folder2, etc.).

Has anybody been able to accomplish this?

   Thanks

         Paul
trywaredk (accepted solution):
UNDERSTANDING NTFS PERMISSIONS:
http://www.windowsitlibrary.com/Content/592/1.html

Default NTFS Permissions in Windows 2000:
http://support.microsoft.com/?kbid=244600

Troubleshooting File Management Issues if You Cannot Delete a File or a Folder on NTFS:
http://www.labmice.net/Windows2000/FileMgmt/troubleshooting.htm
HOW TO: Enable and Use the "Run As" Command When Running Programs in Windows
http://support.microsoft.com/default.aspx?scid=kb;en-us;294676
Bluewhale042399 (asker):

Jorgen:

   Thanks for the suggestions, however I am stuck with this political situation.  They WILL have admin rights. Period. Working with this handicap, I am trying to find a way to remove the right to delete a folder (data protection is job 1 <g>) while allowing users and admins to name folders.

Trywaredk:

   I appreciate the references, however I've been doing nothing but read white papers and try experiments for weeks now.  NONE of the references I've printed, tried or even heard of address this problem.  It appears that you have to have the right to delete a folder in order to name it!  


I doubt many will run into this type of situation, however it is fairly common amongst small businesses.  MOST will let themselves be talked into limiting admin or other powerful accounts for reasons of security; a few will not.  This one is of the latter category. :}


Thanks

   Paul
Well - then no one can help you. Being a member of the Domain Admins group means what it says. Everything you try, they can undo.

If you use the Advanced button in the NTFS security settings, choose the Domain Admins group, and choose the View/Edit button, you can choose Deny Delete.

Maybe you can persuade your fellow domain admins not to change that Deny Delete setting for Domain Admins???

Remember to add your own domain user account with Full Control before setting Deny Delete for Domain Admins.
I'm not concerned about them intentionally going in and changing settings. For the most part (!) they do not have any idea where to go.  They are not allowed to do so and auditing should catch anyone who does so or tries.

No, my question is just: can I set a user or group up to allow folder renaming without allowing folder deletion? No other contingencies need be considered. IF I can set the permissions up to reflect this policy then I have the rest worked out; I'm just unable to find a combination of rights and inherited rights that performs in this manner.

The answer probably IS no, but I thought to check here as the people seem to deal with more detailed problems than at a site like Tek-tips.  

Thanks anyway.

    Paul
"If you use the Advanced button in the NTFS security settings, choose the Domain Admins group, and choose the View/Edit button, you can choose Deny Delete"

But they can change it again, if they want.
True, but I can audit any intentional behavior. I'm concerned about accidental deletions in this instance.

As to the 'Delete' box, yes and no.
I had written up notes on trying various settings.. there are two that don't do quite what one expects them to... they are Delete, and Delete Subfolders & Files.  As they didn't do what I thought they would, I did a few hours of experiments and noted the results.  Then promptly lost that set of pages. (Yes, stupid is as stupid does.)

Thus I've started again, and this time I'm doing screen shots cropped down to the property box settings in Advanced only, with notes under or next to each trial... saved on my server at work and backed up nightly. (Did I mention I was a little angry at myself?) However, to date everything I've tried seems to confirm Microsoft's thought that if a person has the right to rename a folder then they have the right to delete it, and that the two cannot be separated.

I haven't given up yet, but time grows short for this project.  Actually I'm working tonight on the Run As idea.. to see if I can create a super-user whose sole function is to allow folder creation/naming and have people log on as that person when they wish to create a new sub folder.  

Sort of makes me wish for Netware 4 and things like 'Copy Inhibit'.  :}

Thanks: will post an update soon.



Paul
Administration of NTFS Resources Part 1
http://studynotes.net/70part2.htm

1. RightClick the folder in Explorer
2. Choose Properties
3. Choose Security
4. Choose Advanced
5. Remove the selection of "Allow inheritable permissions from parent to propagate to this object"
6. Choose Copy
7. Choose the domain group again
8. Choose View/Edit
9. Choose Apply onto: "This folder, subfolders and files"
10. Remove the selection of Allow for "Delete Subfolders and Files"
11. Choose the selection of Deny for "Delete Subfolders and Files"
12. Remove the selection of Allow for "Delete"
13. Choose the selection of Deny for "Delete"
14. OK * 3

File Delete Child Directory Permission in NTFS
http://support.microsoft.com/default.aspx?scid=kb;en-us;152763


About the runas command read my answer of 04/23/2003 01:44PM PST to EWALL on https://www.experts-exchange.com/questions/20576959/Domain-Users-in-Local-Admin-Group.html



HOW TO: Enable and Apply Security Auditing in Windows 2000 Server and Windows 2000 Professional:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549&sd=tech
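The GUI steps above, as an added PowerShell example (not from the thread or from trywaredk) for scripting the same explicit Deny ACEs and checking what was written. The folder path, the group name and the admin account are placeholders; as the thread goes on to confirm, denying Delete on a subfolder also blocks renaming it, so this shows the configuration the answer describes, not a rename-but-no-delete setting.

```powershell
# Placeholders (assumptions): the job folder tree, the group to restrict, and your own account
$Path  = 'D:\Jobs'
$Group = 'CONTOSO\Domain Admins'
$Admin = 'CONTOSO\PaulAdmin'

$ns  = 'System.Security.AccessControl'
$acl = Get-Acl -Path $Path

# Steps 5-6: stop inheriting from the parent, keeping a copy of the inherited ACEs
$acl.SetAccessRuleProtection($true, $true)

# Step 9 equivalent: "This folder, subfolders and files"
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

# Safety net from the earlier answer: give your own account Full Control first
$allow = New-Object "$ns.FileSystemAccessRule" (
    $Admin,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    $inherit, $prop,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($allow)

# Steps 10-13: explicit Deny for Delete and Delete Subfolders and Files on the group
$denyRights = [System.Security.AccessControl.FileSystemRights]::Delete -bor
              [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
$deny = New-Object "$ns.FileSystemAccessRule" (
    $Group, $denyRights, $inherit, $prop,
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($deny)

# Step 14: write the DACL back to the folder
Set-Acl -Path $Path -AclObject $acl

# Check: list only the explicit (non-inherited) ACEs now on the folder
(Get-Acl -Path $Path).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags -AutoSize
```

Run it from an account that already has Full Control on the folder; a Deny ACE on a group you belong to is evaluated before the Allow ACEs, so test on a copy of the tree first.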
Jorgen:

  Thanks for the explicit instructions.
  This appears to still leave that user without the ability to rename a folder. (Sub-folders are the only thing being restricted.)  If you deny Delete and Delete Subfolders and Files they will NOT be able to rename the folders.
  I have to ask if you and I are speaking about the same thing here?  As stated above, I wish to allow sub folder renaming while denying sub folder deletions.  Nothing more.


Paul
:o) Sorry - You're quite right about the subfolders.

But one only finds out if testing it, instead of reading the stuff under advanced tab.
Agreed <g>
That's why I was able to answer your suggestion without trying it.  I can't speak to the interaction of most of the other 'rights' available under advanced, but am becoming fluent in the denial routine.  

Sort of like dating again.  

g,d,rlh
Maybe you should date DSPOOLE, who had the same problem but made a screwy workaround for his own question on 11/08/2002 03:10PM PST

https://www.experts-exchange.com/Operating_Systems/Win2000/qShow.jsp?qid=20392123&sub=3#1

Took a look but it doesn't seem to apply here.
I spent the weekend playing with/learning about the RunAs command syntax you mentioned.  It does everything I wish except that if you wish to access a share on a DC using another account it accepts the Runas information then does zip, nada, zilch.  The desktop/screen flickers when you hit OK but Windows Explorer does not come up.

Might you know of a way to allow a user to use Runas to access files on a network share?  

If not, my best choice left is to have this alternate account able to create and delete folders only, lock a roaming profile down so that the desktop REALLY looks different and having them log off and log on as this user.  Many won't do it as it takes 30 seconds, but....

Thanks

      Paul
You can't use a UNC path in the command prompt (this does not work):
runas /user:YourDomainName\YourUserName \\YourServerName\YourShareName

You must map a drive letter for \\YourServerName\YourShareName
net use Z: \\YourServerName\YourShareName /persistent:no
runas /user:YourDomainName\YourUserName "explorer z:\"

When finished:
net use Z: /delete
If you want to spend money to a solution then try
http://www.connectix.com/products/vpc5w.html

With this you can log on as DomainUser, start Virtual PC in a window, and in this window you can log on as administrator.
:o) Glad I could help you - thank you for the points