Solved

NTFS permissions config

Posted on 2003-03-26
Last Modified: 2010-04-13
Hello,
I am trying to do the age old task that nobody seems to have an answer for, so I thought I'd ask here.
I am trying to give permissions to a folder in an existing share that would allow users to create folders and files in it, but then not delete them once they are added. This is a common issue at law firms and was easily accomplished in Novell. Only one person will have the rights to edit and delete the content of the directory, but everyone will be able to add to it. When you set this up on NTFS, you cannot name the file or directory what you want, you need delete permissions to do this, seems like a major bug. If anyone has actually figured out a way to do this, it would be a great help.
Thanks
0
Question by:Premiernc
17 Comments
 
LVL 1

Author Comment

by:Premiernc
ID: 8214407
This is on win2k sp3 server clean install, running AD, DNS, DHCP, pretty standard.
0
 
LVL 28

Accepted Solution

by:
FishMonger earned 500 total points
ID: 8214699
After doing some testing (and unfruitful searches on Google & Microsoft's web site), I've come to the conclusion that if you set the "deny delete" permission to prevent users from deleting files/folders, Windows will treat a rename as if you are trying to perform a cut/paste where the paste would create the file with a new name.  Since the deny delete permission will not let you perform the cut portion of the operation, the rename will fail.  So, it appears that Microsoft doesn't believe that you will ever need to rename a file once you set the deny delete.
0
 
LVL 28

Expert Comment

by:FishMonger
ID: 8214713
One thing you can try is to create your own rename script that is set to use "runas administrator" which would bypass the problem of the user's restriction of the "deny delete" permission.
0

 
LVL 9

Expert Comment

by:MSGeek
ID: 8214737
Not a problem (Although eDirectory/NDS is kinda nice isn't it?)


You want to set rights like Traverse folder, List Folder/read Data, Read Attributes, Read Extended Attributes, Create Files Write Data, Create Folders Append Data and Read Permissions.  That's All!
0
 
LVL 28

Expert Comment

by:FishMonger
ID: 8214791
Hi, MSGeek,

Those were the permission settings that I first thought of but it still doesn't allow the user to rename a file/folder...and unless I'm misreading the question, I think Premiernc wants to be able to create, edit, and rename but not delete.
0
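The rights MSGeek lists above, applied from PowerShell, followed by an audit for any entry that still grants a delete right (the right the thread finds rename depends on). This is an added example, not code from any poster; it assumes a current Windows host with PowerShell rather than the Windows 2000 server in the question, and `D:\Shares\DropBox` and `EXAMPLE\DropUsers` are placeholder names.

```powershell
# Added example. $Path and $Group are placeholders, not values from the thread.
param(
    [string]$Path  = 'D:\Shares\DropBox',
    [string]$Group = 'EXAMPLE\DropUsers'
)

$ns = 'System.Security.AccessControl'

# Rights named in the post. In the FileSystemRights enum:
#   Traverse = "Traverse Folder", ListDirectory = "List Folder / Read Data",
#   CreateFiles = "Create Files / Write Data",
#   CreateDirectories = "Create Folders / Append Data".
# Delete and DeleteSubdirectoriesAndFiles are deliberately absent.
$rights = [Enum]::Parse("$ns.FileSystemRights" -as [type],
    'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ' +
    'CreateFiles, CreateDirectories, ReadPermissions')

# Apply to this folder, subfolders and files.
$inherit   = [Enum]::Parse("$ns.InheritanceFlags" -as [type],
    'ContainerInherit, ObjectInherit')
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, $rights, $inherit, $propagate, 'Allow')

$acl = Get-Acl -Path $Path
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Audit: adding the rule does not remove what other entries grant.
# An inherited entry (for example Modify for a broad group) can still
# carry Delete, and DeleteSubdirectoriesAndFiles on the parent lets a
# user delete children regardless of the child's own ACL.
$deleteBits = [Enum]::Parse("$ns.FileSystemRights" -as [type],
    'Delete, DeleteSubdirectoriesAndFiles')

(Get-Acl -Path $Path).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $deleteBits)
    } |
    Select-Object IdentityReference, FileSystemRights,
                  IsInherited, InheritanceFlags
```

Any row the audit prints is an entry that would let its trustee delete (and therefore rename) content; as FishMonger notes, the ACL set here permits create but not rename.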
 
LVL 9

Expert Comment

by:MSGeek
ID: 8215106
FishMonger.. sorry about that, there is a similar post going and it took me a while to find my answer, no responses when I started looking.  Wish I had reloaded question.

I agree, I did not read the question.  Would have been a good exam question :)

You could go one step further and at the very least give the creator owner delete permission?

0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8217215
FishMonger & Premiernc..  I am trying to sort out a way to do this using creator owner and separate permissions for users on the different levels you can use under the advanced settings:

This folder only
This folder, subfolders and files
This folder and subfolders
This folder and files
Subfolder and files only
Subfolders only
Files only

These settings are a bit more granular
0
 
LVL 1

Author Comment

by:Premiernc
ID: 8218176
I was working with the idea of giving the delete permission to the folder only and then they can create the folders and files, give them a new name, and then somehow have the new folder inherit a no delete permission. Are inherited permissions applied to a folder just after you have created it? When you right click and create new folder and it shows up as NEWFOLDER highlighted for you to give it a new name, has it actually already inherited permissions and the user is just performing a rename?
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8218504
Inherit is the default, so your answer is yes. At what point they are applied, my guess would be once the initial name is accepted. You have to implicitly turn off inheritance and copy/remove inherited rights.
0
 
LVL 28

Expert Comment

by:FishMonger
ID: 8218667
I've worked on this problem several times in the past and have tried numerous permutations of permission settings but have been unable to find any that would allow renaming without the ability to delete.  Hopefully, MSGeek will be able to find something that I missed.  If he can't, I think we may want to visit my previous idea of writing a custom "rename" script that runs with admin rights.
0
 
LVL 28

Expert Comment

by:FishMonger
ID: 8218698
If I remember correctly, this was easy to do in NT.  However, it appears that Microsoft removed this capability in 2000.
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8224131
This has my wheels turning, have either of you tried Enabling the Administrator to Have Access to Redirected Folders?  http://support.microsoft.com/default.aspx?scid=kb;en-us;288991

I have implemented this, I cannot explain the behavior, but it is very odd when you implement it.  This behavior may shed some light on how these rights and at what level they are applied are propagated downward.

I admit this may be a lost cause, but thought I would run this KB by you.
0
 
LVL 28

Expert Comment

by:FishMonger
ID: 8226055
Yes, I have seen and enabled the folder redirection as per this KB.  I agree that it's very odd to jump through these hoops to set up the permissions for folder redirection.  Other articles make it very clear that when you enable redirection, you let the OS create the directory and set the permissions.  I have also seen & used a group policy setting that automatically accomplished the same thing that this KB is telling you to do manually.  Is Microsoft telling us that they can't make up their mind as to which way we're to set up redirection?

Unfortunately, I fail to see how folder redirection applies to this problem.

I just caught something that I previously missed.  The users don't need to edit existing files, they just need a "drop" folder where they can save files.  I'm not clear if they need the ability to view the files after they've been saved, but if they don't we should be able to figure out the needed permissions.  I will test this later today when I have more time.
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8226189
> "Yes, I have seen and enabled the folder redirection as per this KB."

It's not the redirection that is important in that KB, it is how they are telling you to assign the rights.  When I assign the rights as indicated it works, but behavior of Creator Owner right is strange, but works.  Thought that observation may shed some light.
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8230580
I think I found your solution, it's not exactly what you are looking for.  It is capable of doing the job:
http://www.microsoft.com/sharepoint/default.asp
0
 
LVL 5

Expert Comment

by:cempasha
ID: 8595647
This question is still open and getting old. If any of the comment(s) above helped you please accept it as an answer or split the points who ever helped you in this question. Your attention in finalising this question is very much appreciated. Thanks in advance,

****** PLEASE DO NOT ACCEPT THIS AS AN ANSWER ********

- If you would like to close this question and have your points refunded, please post a question in community support area on http://www.experts-exchange.com/Community_Support/ giving the address of this question. Thank you      

Pasha

Cleanup Volunteer


0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8600285
A grade of C is pretty weak for FishMonger's contribution to this question!!
0
