Premiernc

NTFS permissions config

Hello,
I am trying to do the age old task that nobody seems to have an answer for, so I thought I'd ask here.
I am trying to give permissions to a folder in an existing share that would allow users to create folders and files in it, but then not delete them once they are added. This is a common issue at law firms and was easily accomplished in Novell. Only one person will have the rights to edit and delete the content of the directory, but everyone will be able to add to it. When you set this up on NTFS, you cannot name the file or directory what you want, you need delete permissions to do this, seems like a major bug. If anyone has actually figured out a way to do this, it would be a great help.
Thanks
Premiernc

ASKER

This is on win2k sp3 server clean install, running AD, DNS, DHCP, pretty standard.
ASKER CERTIFIED SOLUTION
FishMonger
One thing you can try is to create your own rename script that is set to use "runas administrator", which would bypass the problem of the user's restriction of the "deny delete" permission.
Not a problem (Although eDirectory/NDS is kinda nice isn't it?)


You want to set rights like Traverse Folder, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data and Read Permissions.  That's All!
Hi, MSGeek,

Those were the permission settings that I first thought of but it still doesn't allow the user to rename a file/folder...and unless I'm misreading the question, I think Premiernc wants to be able to create, edit, and rename but not delete.
FishMonger.. sorry about that, there is a similar post going and it took me a while to find my answer, no responses when I started looking.  Wish I had reloaded question.

I agree, I did not read the question.  Would have been a good exam question :)

You could go one step further and at the very least give the creator owner delete permission?

FishMonger & Premiernc..  I am trying to sort out a way to do this using creator owner and separate permissions for users on the different levels you can use under the advanced settings:

This folder only
This folder, subfolders and files
This folder and subfolders
This folder and files
Subfolder and files only
Subfolders only
Files only

These settings are a bit more granular
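
Added example, not part of any post in this thread: the rights list given earlier, applied with one of the "apply onto" scopes listed above and then checked for delete rights. It assumes a current Windows with PowerShell rather than the Windows 2000 tooling the thread was written for; `$Path` and `$Group` are hypothetical placeholders.

```powershell
# Added example. $Path and $Group are hypothetical; run elevated on a test folder.
$Path  = 'D:\Shares\Drop'
$Group = 'EXAMPLE\DropUsers'

# "Apply onto" scopes from the Advanced dialog -> InheritanceFlags, PropagationFlags
$Scopes = @{
    'This folder only'                  = 'None',                             'None'
    'This folder, subfolders and files' = 'ContainerInherit, ObjectInherit',  'None'
    'This folder and subfolders'        = 'ContainerInherit',                 'None'
    'This folder and files'             = 'ObjectInherit',                    'None'
    'Subfolders and files only'         = 'ContainerInherit, ObjectInherit',  'InheritOnly'
    'Subfolders only'                   = 'ContainerInherit',                 'InheritOnly'
    'Files only'                        = 'ObjectInherit',                    'InheritOnly'
}

# The rights named in the thread, as .NET FileSystemRights values.
# No Delete and no DeleteSubdirectoriesAndFiles, so rename will also be refused:
# NTFS requires Delete on the item (or Delete Subfolders and Files on its parent).
$Rights = [System.Security.AccessControl.FileSystemRights](
    'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ' +
    'CreateFiles, CreateDirectories, ReadPermissions')

function New-DropRule([string]$Scope) {
    # Build an Allow ACE for $Group with the chosen "apply onto" scope.
    $inherit, $propagate = $Scopes[$Scope]
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, $Rights, $inherit, $propagate, 'Allow')
}

$acl = Get-Acl -LiteralPath $Path
$acl.AddAccessRule((New-DropRule 'This folder, subfolders and files'))
Set-Acl -LiteralPath $Path -AclObject $acl

# Verify: list every Allow ACE for $Group and flag any that carries a delete right,
# including ACEs inherited from the parent share.
$deleteBits = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
(Get-Acl -LiteralPath $Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $Group -and
                   $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, IsInherited, InheritanceFlags, PropagationFlags,
        @{ n = 'GrantsDelete'
           e = { ([int]($_.FileSystemRights -band $deleteBits)) -ne 0 } }
```

The check only covers ACEs naming `$Group` directly; a user who belongs to another group with Modify on the folder still gets delete through that group.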
I was working with the idea of giving the delete permission to the folder only and then they can create the folders and files, give them a new name, and then somehow have the new folder inherit a no delete permission. Are inherited permissions applied to a folder just after you have created it? When you right click and create new folder and it shows up as NEWFOLDER highlighted for you to give it a new name, has it actually already inherited permissions and the user is just performing a rename?
Inherit is the default, so your answer is yes. At what point they are applied, my guess would be once the initial name is accepted. You have to implicitly turn off inheritance and copy/remove inherited rights.
I've worked on this problem several times in the past and have tried numerous permutations of permission settings but have been unable to find any that would allow renaming without the ability to delete.  Hopefully, MSGeek will be able to find something that I missed.  If he can't, I think we may want to visit my previous idea of writing a custom "rename" script that runs with admin rights.
If I remember correctly, this was easy to do in NT.  However, it appears that Microsoft removed this capability in 2000.
This has my wheels turning, have either of you tried Enabling the Administrator to Have Access to Redirected Folders?  http://support.microsoft.com/default.aspx?scid=kb;en-us;288991

I have implemented this, I cannot explain the behavior, but it is very odd when you implement it.  This behavior may shed some light on how these rights and at what level they are applied are propagated downward.

I admit this may be a lost cause, but thought I would run this KB by you.
Yes, I have seen and enabled the folder redirection as per this KB.  I agree that it's very odd to jump through these hoops to set up the permissions for folder redirection.  Other articles make it very clear that when you enable redirection, you let the OS create the directory and set the permissions.  I have also seen & used a group policy setting that automatically accomplished the same thing that this KB is telling you to do manually.  Is Microsoft telling us that they can't make up their mind as to which way we're to set up redirection?

Unfortunately, I fail to see how folder redirection applies to this problem.

I just caught something that I previously missed.  The users don't need to edit existing files, they just need a "drop" folder where they can save files.  I'm not clear if they need the ability to view the files after they've been saved, but if they don't we should be able to figure out the needed permissions.  I will test this later today when I have more time.
> "Yes, I have seen and enabled the folder redirection as per this KB."

It's not the redirection that is important in that KB, it is how they are telling you to assign the rights.  When I assign the rights as indicated it works, but behavior of Creator Owner right is strange, but works.  Thought that observation may shed some light.
I think I found your solution, it's not exactly what you are looking for.  It is capable of doing the job:
http://www.microsoft.com/sharepoint/default.asp
This question is still open and getting old. If any of the comment(s) above helped you, please accept it as an answer or split the points among whoever helped you in this question. Your attention in finalising this question is very much appreciated. Thanks in advance,

****** PLEASE DO NOT ACCEPT THIS AS AN ANSWER ********

- If you would like to close this question and have your points refunded, please post a question in community support area on https://www.experts-exchange.com/Community_Support/ giving the address of this question. Thank you      

Pasha

Cleanup Volunteer


A grade of C is pretty weak for FishMonger's contribution to this question!!