Folder Permissons - Secure a Folder from being deleted/moved/renamed

I've asked this question a little over a week ago and still have not recieved the solution I'm looking for.  depending on the outcome here I may have to break down and call Microsoft. I might have to go 3rd party, who knows.  

Is there a way to set permissions on a folder so that its subfolders can't be deleted/renamed/moved.  I have a client folder that has roughly 2600 subfolders(basiclly a folder for each of our clients).  Users are accidently deleting/renaming/moving these subfolders causing problems.  Users need full control inside these subfolders to save client data and create folders.

---------\abc company\
---------\bcd company\
----------\dfg company\

Per above I need the company folders locked down and I also need to be able to create files and folders underneath the company fodlers.  I get everything perfect except being able to create files and folders under each client/company folder.

I probably can't lock the folders down AND be able to create folders/files inside of them.
Would love any info/help

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Keith AlabasterEnterprise ArchitectCommented:
What is the operating system on the machine that is hosting the folders?
In 2003, you can set advanced options under the folder security. This includes 'special' combinations that give you a great deal of flexibility and control including removing the inheritance from higher levels within the hierarchy. The difficulty will be matching these up with the 'share' permissions which are much less controllable.

Yes you can.

Using the Advanced button under the security tab of the Clients folder, add a DENY rule for Delete for all regular users.

Apply onto: is still "This folder, subfolders and files", but enable the checkbox called "Apply these permissions to objects and/or containers within this container only"

This will enable freedom within the Clients subdirectories, but users cannot change, rename or move the Clients directories themselves. This also means that they can't create a Client folder using Windows Explorer... Actually they can, but Windows names the folder "New Folder" initially and you can't rename them, remember ;-)

Creating a new folder using command prompt does work, or have an administrator create the Clients folders.
Dushan De SilvaTechnology ArchitectCommented:
ru taliking about ftp?

BR Dushan
Top Threats of Q1 & How to Defend Against Them

WEBINAR: Join WatchGuard CTO and our Threat Research Team on Aug. 2nd to hear the findings from our Q1 Internet Security Report! Learn more about the top threats detected in the first quarter and how you can defend your business against them!

Have just read the original thread ;-)

The NTFS filesystem in NT4 offers a LOT less flexibility with access control (that's why you get the message that an NT5 host has tried to set permissions the  NT4 host doesn't support). However, I created a setup and what you want is partially possible.

First, I assume all users already have Change permissions on all files and directories, including the Clients folder. (I prevent FC wherever possible).

Then open the permissions for the Clients folder. Select the users group and choose "Special Directory Access...". Set it to "Other" and only check the Read checkbox. Click OK. Then select "Special File Access...", Select Other, and make sure all checkboxes are cleared. OK your way out of here, without applying these permissions to subfolders.

This will only prevent users from renaming Client folders, but it will not prevent them from deleting any. The NT4 file system can't distinguish between the Client folder itself, and the directory objects within it (so if you prevent the Clients\A folder from being deleted, you can't delete child folders within Clients\A either).

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
wiafeliceAuthor Commented:
I have these hosted on an NT 4.0 enterprise member server, In a sbs 2003 envirornment.  I am trying to set the permissions from a XP pro client.  I've messed around with the advanced option and the deny attribute but never seem to get it right.

I will try the checkbox to apply to container only and see if that works.  

Well, that's the problem...  NTFS version 4 doesn't recognize the checkbox for "this folder only", and it doesn't have a deny-attribute (only "No access"). Maybe you can enable it from the XP client (which supports NTFS version 5), but I don't think the server's going to pick that up.

Would be delighted if it did, though :)

If you really want to accomplish this type of security and depending on the server hardware you need, your best bet: upgrade to a Windows 2003 file server. The nice thing is, that if you choose to install a Windows Server 2003 as a member server, that the Client Access Licenses you bought for SBS2003 are VALID for the domain member. No need to purchase extra CALs apart from the Server license.

Just a thought.
Keith AlabasterEnterprise ArchitectCommented:
<<< What is the operating system on the machine that is hosting the folders? >>>

lol, I should have pushed for an answer :) Saved us all some time....
It's in the original thread, but also I didn't read that until after my first comment:

<< OP: I've asked this question a little over a week ago >>

Don't worry wiafelice, I'll live ;-)
wiafeliceAuthor Commented:
No need to by more Cals if I have a licensend copy of server 2003?  I actually won a copy of 2003 enterprise server with 25 cals a few weeks ago at a Microsoft Seminar.  Spose i can put it to use.

Hahaha, that's another way to get your licenses. That's a poky $4,997 worth of software.

They didn't give you a server to go with it? Ridiculous!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.