Folder Permissions - Secure a Folder from being deleted/moved/renamed

wiafelice asked
Last Modified: 2013-12-04
I've asked this question a little over a week ago and still have not received the solution I'm looking for. Depending on the outcome here I may have to break down and call Microsoft. I might have to go 3rd party, who knows.

Is there a way to set permissions on a folder so that its subfolders can't be deleted/renamed/moved? I have a client folder that has roughly 2600 subfolders (basically a folder for each of our clients). Users are accidentally deleting/renaming/moving these subfolders, causing problems. Users need full control inside these subfolders to save client data and create folders.

\Clients\
---------\abc company\
--------------------------\2006
---------\bcd company\
--------------------------\quickbooks
---------------------------\2005
---------------------------\2006
----------\dfg company\

Per above I need the company folders locked down and I also need to be able to create files and folders underneath the company folders. I get everything perfect except being able to create files and folders under each client/company folder.

I probably can't lock the folders down AND be able to create folders/files inside of them.
Would love any info/help


Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
What is the operating system on the machine that is hosting the folders?
In 2003, you can set advanced options under the folder security. This includes 'special' combinations that give you a great deal of flexibility and control including removing the inheritance from higher levels within the hierarchy. The difficulty will be matching these up with the 'share' permissions which are much less controllable.

Commented:
Yes you can.

Using the Advanced button under the security tab of the Clients folder, add a DENY rule for Delete for all regular users.

Apply onto: is still "This folder, subfolders and files", but enable the checkbox called "Apply these permissions to objects and/or containers within this container only"

This will enable freedom within the Clients subdirectories, but users cannot change, rename or move the Clients directories themselves. This also means that they can't create a Client folder using Windows Explorer... Actually they can, but Windows names the folder "New Folder" initially and you can't rename them, remember ;-)

Creating a new folder using command prompt does work, or have an administrator create the Clients folders.
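
The deny rule described in the comment above, scripted in PowerShell as an added example that is not part of the original thread; it only takes effect on a file server whose NTFS supports deny ACEs and this inheritance option. The path `D:\Clients` and the group `BUILTIN\Users` are assumptions.

```powershell
# Added example. Assumptions: the share lives at D:\Clients and "regular users"
# are the local BUILTIN\Users group; substitute your own path and group.
$clientsPath = 'D:\Clients'
$group       = 'BUILTIN\Users'

# Deny Delete, applied to "This folder, subfolders and files" (ContainerInherit +
# ObjectInherit) with "Apply these permissions to objects and/or containers
# within this container only" ticked (NoPropagateInherit). The ACE reaches the
# client folders directly under Clients and is not passed further down.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group,
    [System.Security.AccessControl.FileSystemRights]::Delete,
    $inherit,
    $propagate,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -LiteralPath $clientsPath
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $clientsPath -AclObject $acl

# Report every Deny ACE that includes Delete on a given path.
function Get-DenyDeleteAce {
    param([Parameter(Mandatory)][string]$Path)
    $delete = [System.Security.AccessControl.FileSystemRights]::Delete
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and ($_.FileSystemRights -band $delete) } |
        Select-Object @{ n = 'Path'; e = { $Path } }, IdentityReference,
                      IsInherited, InheritanceFlags, PropagationFlags
}

# Check three levels: Clients, one client folder, one folder inside that client.
$client = Get-ChildItem -LiteralPath $clientsPath -Directory | Select-Object -First 1
$inner  = if ($client) {
    Get-ChildItem -LiteralPath $client.FullName -Directory | Select-Object -First 1
}
@($clientsPath, $client.FullName, $inner.FullName) |
    Where-Object { $_ } |
    ForEach-Object { Get-DenyDeleteAce -Path $_ }
```

The ACE should be listed with IsInherited False on Clients, with IsInherited True on a client folder, and not at all one level further down, which is what leaves users free to delete and rename inside each client folder.
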
Dushan De Silva, Technology Architect

Commented:
Are you talking about FTP?

BR Dushan
Commented:
Have just read the original thread ;-)

The NTFS filesystem in NT4 offers a LOT less flexibility with access control (that's why you get the message that an NT5 host has tried to set permissions the NT4 host doesn't support). However, I created a setup and what you want is partially possible.

First, I assume all users already have Change permissions on all files and directories, including the Clients folder. (I prevent FC wherever possible).

Then open the permissions for the Clients folder. Select the users group and choose "Special Directory Access...". Set it to "Other" and only check the Read checkbox. Click OK. Then select "Special File Access...", Select Other, and make sure all checkboxes are cleared. OK your way out of here, without applying these permissions to subfolders.

This will only prevent users from renaming Client folders, but it will not prevent them from deleting any. The NT4 file system can't distinguish between the Client folder itself, and the directory objects within it (so if you prevent the Clients\A folder from being deleted, you can't delete child folders within Clients\A either).


Author

Commented:
I have these hosted on an NT 4.0 enterprise member server, in an SBS 2003 environment. I am trying to set the permissions from an XP Pro client. I've messed around with the advanced option and the deny attribute but never seem to get it right.

I will try the checkbox to apply to container only and see if that works.  

Commented:
Well, that's the problem...  NTFS version 4 doesn't recognize the checkbox for "this folder only", and it doesn't have a deny-attribute (only "No access"). Maybe you can enable it from the XP client (which supports NTFS version 5), but I don't think the server's going to pick that up.

Would be delighted if it did, though :)

If you really want to accomplish this type of security and depending on the server hardware you need, your best bet: upgrade to a Windows 2003 file server. The nice thing is, that if you choose to install a Windows Server 2003 as a member server, that the Client Access Licenses you bought for SBS2003 are VALID for the domain member. No need to purchase extra CALs apart from the Server license.

Just a thought.
Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
<<< What is the operating system on the machine that is hosting the folders? >>>

lol, I should have pushed for an answer :) Saved us all some time....

Commented:
It's in the original thread, but also I didn't read that until after my first comment:

<< OP: I've asked this question a little over a week ago >>
http://www.experts-exchange.com/Security/Win_Security/Q_21775354.html

Don't worry wiafelice, I'll live ;-)

Author

Commented:
No need to buy more CALs if I have a licensed copy of Server 2003? I actually won a copy of 2003 Enterprise Server with 25 CALs a few weeks ago at a Microsoft Seminar. Suppose I can put it to use.

Commented:
Hahaha, that's another way to get your licenses. That's a poky $4,997 worth of software.

They didn't give you a server to go with it? Ridiculous!