Ess Kay

asked on

windows folder permissions: deny delete - allow rename

I have a server with a shared folder on Windows Server 2005
(see picture)
I set delete to disallow. How do I allow people to rename folders and files without allowing them to delete files and folders?


The people who use this are not tech savvy, so it must only be done by the IT department, not a workaround by the user.

Thanks in advance

User generated image

ASKER CERTIFIED SOLUTION
karephre


ASKER

I understand the above method does not work. I am not asking why.


QUESTION is: how to do this.

ASKER

That won't be an issue. We don't have malicious users, just illiterate ones.

ASKER

I've requested that this question be closed as follows:

Accepted answer: 0 points for esskayb2d's comment #38059802

for the following reason:

Customer is right. Please answer the question, not debate it :)

Question was answered. OP doesn't like the answer of "you can't do that".
Actually, "You can't do that" is a valid answer.

**Edited text to remove off-topic comments** -JARmod101

ASKER

I am looking for something like


1st Security - which I used in the past

It is a 3rd-party application which can restrict access. I have not tested it with networks, which is why I ask in this paid forum from professionals.

**Edited text to remove off-topic comments** -JARmod101

ASKER

I contest your opinion JARmod101.

With the example that I have given, it CAN be done. I have used that program on individual computers years ago.
Just because the 3 people responding do not know any solution for it does not mean it does not exist.

Please allow me to close this and open a fresh question.

ASKER

Perhaps there is a way to delete a file only after it has been copied.

That might work for a folder, but not for a file.

The only way that would work is to submit a request to someone with permissions to be able to delete the file and get them to do it, or get someone to write a script to be able to achieve this with the relevant permissions.

Either way - your question has been answered and should be closed, awarding points to the Experts who advised you that this can't be done accordingly.

If you want to open up a new question and ask for someone to help you to devise such a script to get around the NTFS limitations of renaming a file, then that would be the appropriate action to take and then you can add the question to the correct zones.

Alan

ASKER

The question was: "how do i allow people to rename folders and files without allowing them to delete files and folders"

Not how do I do this using Windows native commands or functions.

This has not been answered.

ASKER

Maybe if I add a scenario and rephrase the question this will help.

We have techs bring their cameras with jobsite photos to the SHOP computer(s).
(Sometimes the photos are a month old or more)

The folders on the photo server have a hierarchy which looks like this:
//Photos / y / m / d / job / empl / picture.ext
IE:
2010
2011
2012
 -jan
 -feb
 -...
 -july
    --01
    --02
       ---workorder 123456
       ------employee 336
                    ---picture1.jpg
                    ---picture2.jpg
                    ---picture3.jpg

When an employee comes, they should not be able to delete older photos.


When they create a new folder, however, it is always titled 'New Folder'
and must be renamed according to the tech's name, date, etc.


How can this be done?

If the employee is the one denied the Delete File / Folder permissions, then the employee is not going to be able to rename the New Folder - end of story.

If you get someone without the Deny Delete permission to Create and Rename the folder, then the employee can use the relevant folder after it has been renamed accordingly.

This will involve two people.  One with Delete File / Folder permissions and the employee without.  No other way around it if you deny employees the ability to delete files / folders.

Perhaps you can have an area where employees CAN delete files / folders and then once they have uploaded the photos, the files are copied to the area where the Employees can't delete the Files / Folders?

ASKER

It has to be one person doing it. They are understaffed. There is also no onsite IT.

Okay - then for the umpteenth time - it can't be done.

ASKER

I understand that it is problematic. If it was easy I would have had it done myself by now.


This site is for solutions.

I want a "Solution".

I cannot accept 'don't add security' as a solution.

The issue arises when techs delete the folders.
There are up to 80 techs a day uploading pictures
for multiple jobsites. We cannot trust each one to be loyal or smart.

It isn't problematic - it is impossible.

You can't do what you want to do and that is something you need to come to terms with.

Whilst you may not accept that this is a solution, as far as Experts Exchange is concerned, that is the solution.  "It cannot be done" is and always has been a valid solution and as such, this question should be closed accordingly awarding points to the experts who advised you that it can't be done.

You can rephrase the question, ask it in a different way, whatever you wish to try and find a different answer, but the answer is always going to be the same - it isn't possible.

I have told you this, Lee has told you this, the Moderators have told you this, other Experts have told you this - the only one here not accepting this is you.

What is it going to take for you to take this on board?

Then give each tech an individual dedicated folder to upload the pictures, and YOU can run a batch job to move them into a folder that the techs do not have delete permissions on. This batch job can be automated with Task Scheduler.

ASKER

An alternative solution. Something that will enforce a sort of security.

Is there a way to restrict delete on older files?
Example: files or folders created more than one day ago.

No, again, you can't do that. Just do what I suggested, and give everyone that doesn't need to modify files just READ access to the photo library.

ASKER

@ve3ofa
1st suggestion: I have thought of that, but as you can see in the outlined list above, there are too many folders. Techs with bad memory will forget which folders they uploaded yesterday or last week.
I have proposed this idea months ago; it does not suit the situation.


2nd suggestion: Shop computers are all always logged into a user named SHOP.
Techs have no personal access to the network. The computers stay on; they connect the cameras via USB or chip readers.
Also, techs come and go like revolving doors. Adding new users for techs will be a full-time job in itself.


Sorry for the frustration guys, but how long has it been since someone really picked your brain?

If it was an easy task, I would not post it. As you can see by my profile, I only ask hard stumping questions.


I do think that your first suggestion is the best I have seen so far. Most others here are not acting professionally. Thanks for your suggestions ve3ofa.

Either way, have them upload the pictures to a different folder and not THE PICTURE LIBRARY, and have this file mover move the files as they're uploaded (again using Task Scheduler and a bit of scripting). Make a folder on the desktop: "upload photos here".

ASKER

It's a good concept and would work for 'today's workorders' since they can all be dumped in one folder.

What of people who have a week's worth of pics?

How would they have them organized on their thumb drive? They could double-click on the icon, which would give them an Explorer window, and they could do as per normal and drag and drop as they are used to. Remember, this is just going to a temporary staging area. Every so often the task will wake up and clean up the folder, say every 5 minutes, or you could make a simple app that has a big "done" button; you could even ask for the date / job number / location etc. and make the directories for them. Once the "done" button is done, the files are moved into the photo library.

ASKER

I'll give you an example where this seems tough.

John Doe has been taking pictures for 4 days.
His camera has several workorders
These pics should be sent to these folders:
C:/2012/12/30/98881 MCds/john doe/
C:/2012/12/31/98881 MCds/john doe/
C:/2012/12/30/98882 hsbc/john doe/
C:/2013/01/01/98881 cvs/john doe/
C:/2013/01/01/98885 wallmart/john doe/
C:/2013/01/02/98887 bmw/john doe/

ASKER

Each folder holds 14-30 pictures

Also, the people working are physical labor techs, not IT people (plumbers, construction, drivers, electricians, etc.).

What is it? Estimated Completion Date\ordernumber\contractname\contractor

And the tradesperson is supposed to remember which picture goes where after being in the field for a few days??  picture using camera or phone (or whatever they have onhand?) :->

ASKER

There's paperwork that says when they have been to a jobsite, and all photos have timestamps on them.

ASKER

If the paper said they fixed homedepot on the 3rd between 7-10 and the pics have a matching time and date, that's the folder they go into.

ASKER

The directory is like this drive:/yr/mo/day/workorder#&location/techname/

Folders get created by the tech. Sometimes techs don't take photos because there are 20 techs working, so generating empty folders is not practical.

This whole mess you're outlining is avoidable. Here are the issues I see from what you've described so far:
Every tech and contractor is doing their own thing with regard to files and folders.
Users are sharing accounts.
You need to protect already-uploaded files from deletion.
The folder structure is a mess.

So, one solution isn't going to fit.
First off, stop using shared accounts. They remove all accountability. Yes, it's a PITA to create new accounts all the time. Too bad.
Second, have a process in place for the contractors and techs and follow it. People who don't get written up and let go as needed.
Third, you need to analyze the folder structure and get it into some kind of order. I'd recommend WorkOrder > YYYYMMDD only. Techname and location should be readily available through a central workorder DB anyway.
Fourth: Get SharePoint. It'll make managing this a hell of a lot easier for those on the road by requiring only an internet connection and browser. Additionally, you should be using a scripted solution to move the files around, likely outside of normal business hours.

ASKER

The folder system works better than wo-->yymmdd

Because if they need to see work done last Tuesday, it will be in  c:/ 2012/june/23

ASKER

Custom accounts will not work. There is one computer with 20 people standing around uploading pictures between jobs sometimes. There is no time to log on and log off.

I would suggest then within the parameters you've outlined, there is no solution. This is as good as it's going to get.

All you can do is use a custom app or script that will move the files from the 'staging' area (as I mentioned in #38181178) into your protected area. Other than that I see no solution.

ASKER

So, if no one knows, I'd like to close this with no answer.

ASKER

I've requested that this question be closed as follows:

Accepted answer: 0 points for esskayb2d's comment #38197085

for the following reason:

No one can help

Multiple people have been helping with what's turned into multiple questions in a single already-answered one (to which the answer was, "You can't do that"), only to get the answer back from OP "I don't want to do that".

I recommend delete with no refund.

ASKER

That's not a solution.

ASKER

I think it can be done somehow, and don't want to mark off the wrong answer.

I mean, securing a network can't be done is absurd.

According to the research, the demand actually cannot be done with the NTFS file system. If a user wants to rename a folder, he/she should have the "Delete" NTFS permission on the folder or file. Removing the delete permission from the user or group brings a limitation that the user will not be able to rename the folder. This is because the "rename" operation is also included within the "Delete" permission, which is by design.

It is possible if you add Owner Rights as well as the user; then that user can create and delete their own files but not others. You have to enable modify on Owner Rights.
Source

The problem is that creating users and having users log on / log off is too much of a problem for your site. This site restriction lowers the security a thousandfold.

Security and ease of use have always been inversely related to each other. The more you increase one, the more you decrease the other.

ASKER

What would you do if you were in my case?

Folder structure has to stay since it is most descriptive and practical for the client.

Techs are not users, so they use a single user
If they ever get on the network. Though sometimes they email the pictures and an office staff user will upload it to the folder.


I like the idea of uploading to a temp folder (v3, then having it moved to the protected directory. The problem is figuring out to which folder it will be loaded.

What would you do if you were in my case.

I would:

Listen to the consensus opinion that has citations that it is correct.
Listen to the considered opinions that says you need different users to allow other solutions to work.
Listen to the technical experts when they advise you're doing it wrong.


That is what I would do.

ASKER

There's over 3 million pictures already there. With workorders from 2006

Changing the layout is crazy and harder to find things by date.

Solution 1 - it isn't possible.
Response 1 - I don't accept that as a solution.

Solution 2 - Change the way you do things presently.
Response 2 - That's crazy as we have over 3 million pictures.

Solution 3 - Accept that you might have got this wrong from the beginning and that you might need to start again, doing it properly this time around and then you might just have a solution that will work.
Response 3 - Okay - I'll take that on board and run with it because it might just be the only way to get this working in the specific way that I want it to?

Or am I being a little optimistic here?  But then again - what do we know?  We are only Experts!
On a slightly less sarcastic note, why don't you try to set up what has been suggested for new jobs and run with it to see if it works? If it does, then you can implement it permanently and massage the old photos into the new structure.

If it doesn't work, then you only have to massage a few folders into your existing structure and either give up on the solution, or continue searching for a different solution, knowing that you may never find one.

ASKER

I think it's talks like these... where the real solutions are born.

Does anyone program in assembly? I may have an idea how to fix this

ASKER

Hypothetical, but I suppose the name is coded into the folder, which takes up parts of the folder header,

so when you rename, if it doesn't erase, it will write over data,

which is why it must be erased and copied back with the new name

as below

User generated image

So, with some assembly manipulation, we can change the name to something with delete disabled,
as long as the new name has fewer bytes than the old one
..by replacing the bytes to display the proper letters of the name.

Viewing this from the "use a temp folder and a script" viewpoint, it should be possible to translate any (temporary) folder structure that contains all relevant information, but is easier to create, into the appropriate structure already existing. For example, a temp folder could be

\Uploads
  \Worker1
    \yyyymmdd\location
  \Worker2

and so on, or any variation, e.g. location first, or the date as yyyy-Mon-dd, or whatever. The script to transfer data could be triggered by the worker or on schedule.
If you want to go that route, you should post a new question in the Scripting subtopic areas. Make sure to properly state the limitations and options (like whether PowerShell, VB Script etc. are options).
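
The staging-folder approach suggested in this thread, sketched in PowerShell as an added example (not code from any participant). The paths `D:\Uploads` and `D:\Photos`, the numeric month folders, the five-minute quiet period and the service account are assumptions; `Get-ChildItem -Directory`/`-File` needs PowerShell 3.0 or later.

```powershell
# Added example, not code from the thread. Assumed (hypothetical) setup:
#   D:\Uploads  staging share, the shared SHOP account has Modify
#   D:\Photos   library, SHOP has read-only access
# Run from Task Scheduler under a service account with Modify on both trees.
param(
    [string]$Staging = 'D:\Uploads',
    [string]$Library = 'D:\Photos',
    [int]$QuietMinutes = 5   # leave files alone while a camera copy may be running
)

$cutoff  = (Get-Date).AddMinutes(-$QuietMinutes)
$culture = [Globalization.CultureInfo]::InvariantCulture
$styles  = [Globalization.DateTimeStyles]::None

# Staging layout from the last post: <Staging>\<worker>\<yyyymmdd>\<location>\<file>
foreach ($worker in Get-ChildItem -LiteralPath $Staging -Directory) {
  foreach ($day in Get-ChildItem -LiteralPath $worker.FullName -Directory) {
    $date = [datetime]::MinValue
    if (-not [datetime]::TryParseExact($day.Name, 'yyyyMMdd', $culture, $styles, [ref]$date)) {
      Write-Warning "Skipped '$($day.FullName)': folder name is not yyyymmdd"
      continue
    }
    foreach ($loc in Get-ChildItem -LiteralPath $day.FullName -Directory) {
      # Library layout: year\month\day\workorder-and-location\tech (numeric month assumed)
      $sub  = '{0:yyyy}\{0:MM}\{0:dd}\{1}\{2}' -f $date, $loc.Name, $worker.Name
      $dest = Join-Path $Library $sub
      # CreationTime is when the file reached staging; LastWriteTime comes from the camera.
      $files = Get-ChildItem -LiteralPath $loc.FullName -File |
               Where-Object { $_.CreationTime -lt $cutoff }
      if (-not $files) { continue }
      New-Item -ItemType Directory -Path $dest -Force | Out-Null
      foreach ($f in $files) {
        # Never overwrite a photo already in the library: add a numeric suffix.
        $target = Join-Path $dest $f.Name
        $n = 1
        while (Test-Path -LiteralPath $target) {
          $target = Join-Path $dest ('{0}_{1}{2}' -f $f.BaseName, $n, $f.Extension)
          $n++
        }
        # Copy, then delete the source. A move within one NTFS volume keeps the file's
        # staging ACL; a copy inherits the library's ACL, so SHOP cannot delete it.
        Copy-Item -LiteralPath $f.FullName -Destination $target
        if ((Get-Item -LiteralPath $target).Length -eq $f.Length) {
          Remove-Item -LiteralPath $f.FullName
          Write-Output "$($f.FullName) -> $target"
        } else {
          Write-Warning "Size mismatch, left in staging: $($f.FullName)"
        }
      }
    }
  }
}
```

Because renaming needs the Delete permission, techs do all creating and renaming inside the staging tree, and only the scheduled task's account ever writes to the library.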