Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 194
  • Last Modified:

Special File permissions in a read only directory

I have a folder that contains various file types like .PDF, .XLT, and .DOT.  However some of files are standard .XLS files.  This folder was desinged to just house templates, but other forms have been added that require specific users to modify them.

I would like to make the entire folder read only so that no one can create new files or folders within it.  I would then like to grant specific files modify access for specific users.

Is this possible?

I realize that this may be a lot of work as far as administration, but my users have been putting junk in this folder for quite some time and I have been trying to make it so they can't, but I cannot figure it out.

Thanks,
Matthew
0
spectraflame
Asked:
spectraflame
  • 11
  • 10
1 Solution
 
mikeleebrlaCommented:
yes it will be alot of work depending on how many files you have.  all you have to do though is rightclick on the folder and go into special permissions and change "appy onto" to this folder only... then take away the right to create objects from the group of users.  

then just highlight a file (or group of files) in that directory and set the permissions you want to the file(s)
0
 
spectraflameAuthor Commented:
I decided to create a new folder so that I would not bother my users during testing.

I created a new folder and granted the USER group Read / Execute, List Folder Contents, and Read permissions.  I then copied a file from the original folder into the new folder.  I check to see if the permissions were still set for Read Only for the Users group which they were.  I then added a specific user just for that file and granted them Modify and Write permissions.  I then went to that users PC, opened the file, modified the file, and tried to save it.  A message popped up stated that I did not have permission to change this file.

My next test was to, from the server, create a new file in the new folder and then grant only that user special modify permissions to that folder.  That worked just fine.

My question is how do I now copy my existing document into this folder so that I can set the permissions per file appropriatly?

I tried changing the permissions on the existing folder and then changing a specific file's permissions, but that did not work.

Matthew
0
 
mikeleebrlaCommented:
ok,, what do you mean when you say you checked the folder for  "read only"??  "Read only" is a file attribute that is completely seperate from setting NTFS permissions (what you see on the security tab of the file/folder)?

I think what happened with your first test is that you set them the NTFS permission to modify and write which was correct, but the file still had the "read only" attribute on it (seen on the general tab).  If the file has the read only attribute set it doesn't matter what NTFS permisions you set, it will still be a read only file.

Also,,  remember that when you MOVE a file to a folder on the same volume it will retain the NTFS permissions it had in the original folder.  However when you COPY a file it will inherit the NTFS permissions from the destination folder.
0
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

 
spectraflameAuthor Commented:
The read only box is checked but it is grayed out.  When I uncheck it an apply the changes, it comes right back.

Under the NTFS permissions or the security tab, I have the users group set to read only.

Am I headed in the right direction.

Matthew
0
 
spectraflameAuthor Commented:
Forgot to mention that this folder, on the server, is one of many folders on a shared volume.  The volume has security permissions for the Users group set to read and execute.

Matthew
0
 
mikeleebrlaCommented:
The links below will explain what is going on when you set the "read only" attribute on a folder.  Basically this attribute can only be set on files, and not on folders.  XP/2003 display the read only option on folders however and it is very confusing and is a crappy design in my opinion since (even the MS article below says so) setting this on a folder has no affect.  Why put it there if it doesn't have any affect??  In any case, like i mentioned earlier, when you set the read only attribute on a file, it applies to everyone.  You should stop trying to do what you are tying to accomplish by messing with the "read only" attribute, but instead use NTFS permissions (what you see on the secuirty tab) since these can apply to specific users or groups where as the read only attribute applies to everyone.

http://www.experts-exchange.com/Operating_Systems/Q_20941466.html
http://support.microsoft.com/default.aspx?scid=kb;en-us;326549
http://www.annoyances.org/exec/forum/winxp/1065399208

Also, you mentioned that this is a shared folder.  Make sure that you have the sharing permissions (what you see on the sharing tab on the share) set to everyone having full permissions.  This will make your life much easier.  Instead of setting permission on the share, use NTFS permissions and only NTFS permissions for security.  This way you won't have 2 or more security mechanisms "fighting" with eachother. This will make adminstration much easier for you.
0
 
spectraflameAuthor Commented:
The shared volume is set to Read/Execute for the USERS group.  This will prevent the users from creating new files or folder within the root of this volume.  This is working correctly.

There are other folders within that volume that have permissions to specific groups of users to modify with the USERS group having no access.  This prevents people who should not be in the folder from even looking at the contents.  This is working correctly.

The FORMS folder, where all of the templates are stored, has the USERS group with permissions of Read/Execute.  This prevents the users from creating new files or folders inside that folder.  This works correctly.

All of the documents within that folder have the USERS group permissions set to Read/Execute.  Specific files have individual users with permissions to modify those specific files.  This is where I get lost.

Is this not the correct way to accomplish this?  This should not be this hard should it?  Maybe I am just tired.

Matthew
0
 
mikeleebrlaCommented:
that looks good to me...  permissions especially when you get into the "advanced" permissions can get pretty hairy.  It seems like you have your setup correctly now.  the important thing to remember is to only use one secuirty mechanism so you dont have 2 or more confilicting with eachother.
0
 
spectraflameAuthor Commented:
I thought that I had everything in order, but it is still not making an senese to me.  If I create a brand new file within that directory and set permissions for a specific user, it works great.  If I copy a file into that directory and set the permissions, it does not work.  This is where I do not understand what is gonig on.

Any thoughts,
Matthew
0
 
mikeleebrlaCommented:
if you copy the file into the directory, it will inherit the same NTFS secuirty that its new parent folder has (assuming you have inheritance setup).  But in your last comment you said you are copying the file and THEN setting its permissions.  If you copy it and then set permissions then the file will have whichever permissions you gave it.  If you set it exacly as the other file that is working correctly then it will work.

FYI,, you do know that you have to log off and log back on in order for secuity changes to take effect dont you? This is b/c a user gets their security token at logon.  So if you change something after they log on, they will have to log off and log back on in order to get  a new token so that the changes you made will take effect.  
0
 
spectraflameAuthor Commented:
I have tried logging off and back on but that does not seem to make any difference.  I have set the file permissions just like the one that I created within that folder, but it does not work.

Matthew
0
 
mikeleebrlaCommented:
something about them is obviously different since they are behaving different.  When you look at the advanced security are they identical?
0
 
spectraflameAuthor Commented:
They are the same as far as I can tell.  They are both set up to only Allow USERS to read and execute with a specific user able to modify.  They are both set up to allow inheriant permissions.

Matthew
0
 
spectraflameAuthor Commented:
This is really weird.  If I create a text file in that directory and set the permissions for a specific user to modify it, it works.  If I create an RTF file format and do the same thing, it does not work.  Does that make sense?

Matthew
0
 
mikeleebrlaCommented:
how exacly are you testing the txt and rft files?
0
 
spectraflameAuthor Commented:
From the server, I am right clicking and choose to create a new file.  Once the file is created, still on the server, I modify the permissions to allow that specific user modify rights.

Matthew
0
 
mikeleebrlaCommented:
then what do you do to complete the test?  those steps are only how to change the rights, not how you test the results.
0
 
spectraflameAuthor Commented:
I then log back on to a PC with that specific user and try to modify that specific file.

Matthew
0
 
mikeleebrlaCommented:
what error do you get when you try to modify the rtf file?
does the same thing happen if you try it with a DOC file?
are you testing this with just one rtf file?  if so that one file might be currupt.
0
 
spectraflameAuthor Commented:
I get a standard MS Office error.

The file that you are tying to modify is read only or you do not have sufficent permissions to edit the file.

Then I am prompted to save it as a different file name.

I get the same error on .DOC, .XLS, .RTF.  So far it only works on .TXT files but they have to be created by Administrator on the server.

Matthew
0
 
mikeleebrlaCommented:
well i am at a loss then,,,, ive never seen 2 files with identical permissions behave differently.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 11
  • 10
Tackle projects and never again get stuck behind a technical roadblock.
Join Now