  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 228

Disabling Delete Across AD Network

Hi Guys,

I am looking at removing the Delete permission from every folder on the network, and then implementing a Delete Permission for Domain Admins only. My main question is whether this would be likely to have any effect on users. I am not sure if it would cause problems with any applications.

My aim here is to stamp out users calling our Helpdesk to say "Someone has deleted this folder and we need it back by tomorrow morning" and the folder is 5GB and the restore tapes won't be delivered for 2 hours and they tell you this at 4:30pm.
If we can stop them deleting the files and folders "Accidentally" then that's what I want to do.

Maybe another idea, create a No Delete group in AD and at root level apply an Explicit Deny on Delete Permission.
Add users to this group and we can remove them if there is a need for them to have these permissions.

Would either of these work for us?
If so which is best?
What problems could we run into?

Thanks
Chris
Asked by: unitedmp

BILJAX Commented:
Create a Security group and put all non-domain admins in it. You can apply (link) a GPO that disables file deletion.

Problems, users won't be able to clean out their drives, or personal files, leading to a bloated environment.


AC

unitedmp (Author) Commented:
We are looking at implementing folder redirection anyway.

We should be able to simply remove the explicit deny from the folder for their personal drive, U: which is network based and where the folder will redirect to.
Is this correct, and will that resolve the issue?


Thanks
Chris

BILJAX Commented:
Yeah, you could do that. At the least, you have to give everyone Read/list access to directories.

unitedmp (Author) Commented:
If I do it that way, I would leave all current permissions as they are since an Explicit Deny will override current permissions anyway.

cmegson Commented:
Try This:

Create a new security group, add all of your users to that.
Remove users who require delete access from the group.
Add the group to the security tab at the root directory.
Use advanced, edit, and DENY access to both the delete functions.
Apply, then allow Modify.
Apply this to the directory (will take a few hours).

Now all you have to do is add new users to this group, and if someone requires permission to delete, remove them from the group.

Cheers
CM
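
The deny entry described in the steps above can also be applied and checked from PowerShell. This is an added example, not code posted by anyone in the thread; the share root `D:\Shares` and the group name `CONTOSO\No-Delete` are assumed placeholders.

```powershell
# Assumed placeholders (not from the thread): change to your own root and group.
$Root  = 'D:\Shares'
$Group = 'CONTOSO\No-Delete'

# The two delete rights shown in the Advanced Security dialog:
# "Delete" and "Delete subfolders and files".
$rights    = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
# Apply to this folder, subfolders and files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$deny      = [System.Security.AccessControl.AccessControlType]::Deny

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, $rights, $inherit, $propagate, $deny)

# Add the explicit deny ACE at the root; existing entries are left untouched.
$acl = Get-Acl -LiteralPath $Root
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Root -AclObject $acl

# Check 1: confirm the deny ACE is now present on the root.
(Get-Acl -LiteralPath $Root).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and
                   $_.IdentityReference.Value -eq $Group } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize

# Check 2: list subfolders with inheritance disabled. The deny does not
# reach these, so each one needs its own review.
Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    Where-Object { (Get-Acl -LiteralPath $_.FullName).AreAccessRulesProtected } |
    Select-Object -ExpandProperty FullName
```

Renaming and moving a file also require the Delete right, so members of the group lose those operations too, and applications that save by writing a temporary file and then replacing the original can fail to save. Testing on a single share before applying at the root will show which applications are affected.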