Disabling Delete Across AD Network
Hi Guys,
I am looking at removing the Delete permission from every folder on the network, and then implementing a Delete Permission for Domain Admins only. My main question is wheher this would be likely to have any effect on users. I am not sure if it would cause problems with any applications.
My aim here is to stamp out users calling our Helpdesk to say "Someone has deleted this folder and we need it back by tomorrow morning" and the folder is 5GB and the restore tapes wont be delivered for 2 hours and they tell you this at 4:30pm.
If we can stop them deleting the files and folders "Accidentally" then thats what I want to do.
Maybe another idea, crate a No Delete group in AD and at root level apply an Explicit Deny on Delete Permission.
Add users to this group and we can remove them if there is a need for them to have these permisssions.
Would either of these work for us?
If so which is best?
What problems could we run into?
Thanks
Chris
I am looking at removing the Delete permission from every folder on the network, and then implementing a Delete Permission for Domain Admins only. My main question is wheher this would be likely to have any effect on users. I am not sure if it would cause problems with any applications.
My aim here is to stamp out users calling our Helpdesk to say "Someone has deleted this folder and we need it back by tomorrow morning" and the folder is 5GB and the restore tapes wont be delivered for 2 hours and they tell you this at 4:30pm.
If we can stop them deleting the files and folders "Accidentally" then thats what I want to do.
Maybe another idea, crate a No Delete group in AD and at root level apply an Explicit Deny on Delete Permission.
Add users to this group and we can remove them if there is a need for them to have these permisssions.
Would either of these work for us?
If so which is best?
What problems could we run into?
Thanks
Chris
ASKER
We are looking at implementing folder redirection anyway.
We should be able to simply remove the explicit deny from the folder for their personal drive, U: which is network based and where the folder will redirect to.
Is this correct, and will that resolve the issue?
Thanks
Chris
We should be able to simply remove the explicit deny from the folder for their personal drive, U: which is network based and where the folder will redirect to.
Is this correct, and will that resolve the issue?
Thanks
Chris
yeah, you could do that. At the least, you have to give everyone Read/list access to directories.
ASKER
If I do it that way, I would leave all current permissions as they are since an Expolicit Deny will override current permissions anyway.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Problems, user's won't be able to clean out their drives, or personal files, leading to a bloated environment.
AC