We have a windows 2003 file server (Also DC). Users connect to a data share on the srever. The share permissions are set to "Full Control" for all users. The security permissions for the file system are set with special permissions for users:
Read extended attributes
These equate to a "List Folder Contents" ACL in the main ACL screen.
Below the shared folder are a number of departmental folders e.g. Finance, Purchasing etc.
What we are trying to achieve is that people have all access to their relevant folder (controlled via departmental group access) but cannot delete any files. The main reason for this is that a Finance user could inadvertantly (?) select the finance folder within the share and delete the entire contents. We can restrict the folder from deleteion but that will still allow the contents to be removed before failing at the folder level.
We can deny the delete access by removing the "Delete" and "Delete subfolders and files" permissions from the special permissions section. However if we do that users cannot rename files or save them under a different name. Removing the "Delete" permission also removes the "Modify" permission!!
Is there a way to achieve both goals i.e. prevent file deleteion but still allow users the flexibility of renaming or performing a "Save as" for files?