barrykeel

Prevent Users From Moving Folders and Files

I am using Win 2003 Server and have a share that I would like to prevent users from moving folders and files. I have a folder shared as a mapped drive F:. At the root level is a folder named Docs. Inside this folder are project folders for jobs based on job numbers, named as 01-100, 01-101, etc. I need all domain users to be able to write files and folders and be able to modify and delete them in these job folders, but not in the Docs folder and at the root level of the share. Here they only need read access. The share has sharing permissions set to Everyone Full Control. The root level of the share has the security set for Read and Execute for Domain Users. The Docs folder has permissions set to Read and Execute for Domain Users and has Special Permissions on the Docs folder for Domain Users set to Write - Subfolders and Files Only. Now by doing this I do understand that they will not be able to delete in the job folders, but they should be able to write and append data to files. What is happening is that users can read all data, but some users, not all, are getting Access Denied errors when they try to save Word documents of files that they do not own. The only way that I have been able to correct this is to give them Modify permissions on the job folders, but this lets them move them. Any insight on setting these folders would be appreciated.

Barry
GeneralMandible

You probably don't want the Everyone group to have Full Control of the share.  That would make Everyone able to change permissions & I don't think you want that.

When you go into the Advanced button on permissions, you are going to want to uncheck inherit permissions. When you set special permissions, it's like creating a set of rules. You can create a rule for each user/group for each area that you want it to apply to (This folder only, Files only, etc). With what you're wanting to do, it probably won't be pretty.
barrykeel

ASKER

Everything I have read, including documents from Microsoft and all certification manuals, etc. recommend that the Everyone group be given full control of the Share permissions and then lock the share down with the Security permissions by groups. Full control is the Share permission only. The Security Permissions will take precedence. As far as the second part about the Advanced button, I know all this. And, I know it is not going to be pretty. I have over 500 folders I need to reverse what the previous guy did that got into this. Any ideas?

Barry
Hi
Yes you're right - recommended is allowing full control for everyone on the share permissions and fine tuning with the security permissions.
If I'm understanding what you want to do correctly then try this:

Scenario 1
Users can't delete or move folders in the Docs folder itself.
In the Job folders users can create files and change data in files. But they cannot rename files or delete them. They cannot create folders in Job folders or move or delete them.

Docs Folder - Advanced permissions:
Domain Users - this folder only (don't set permissions on subfolders here)
Traverse Folder/Execute File
List Folder/Read Data
Read Attributes
Read Extended Attributes
Read Permissions

Job Folders - Advanced Permissions
Domain Users
Apply to this folder and files
Allow all permissions except:
Create Folders/Append Data
Delete Subfolders and Files
Delete
Change Permissions
Take Ownership

Then add the Domain Users group again with the following advanced permissions on the jobs folder
Apply to files
Everything except:
Delete Subfolders and Files
Delete
Change Permissions
(N.B. if you want them to be able to change file names in the job folder then enable the Delete permission here)

Does that help at all?
Deb :))


Deb,

I am following you on this. I have tried this and was sure this was the solution. The problem that has come up is that say User 1 opens a file and saves it in a job folder. User 2 opens the same file and appends data to it and saves the changes. User 3 goes to update the file. User 3 gets an access denied when trying to save it. All users are in the Domain Users group and there are no groups with Deny permissions. This is what I am not figuring out. This is happening in Microsoft Word version 2002 and 2003 under Win 2K and XP. Am I missing something?

Barry
Hmm - I've not been able to recreate this yet. Have you checked the effective permissions for the users experiencing the problem? - check the folder properties - security - advanced - effective permissions - to see if there are any inconsistencies between users. It also occurred to me that there may be an issue with users' delete permissions and the way that Word uses temp files. This also is worth checking out:
Description of how Word creates temporary files
http://support.microsoft.com/?kbid=211632
That is a good point about Word and something I was afraid of. Originally I had only given write permissions to the jobs folders which does allow for appending but not deleting. I may have to reach a compromise and allow only read to the Docs folder and modify to the jobs folder. This would at least stop writing to the Docs folder. Question. I could set read and execute to Docs and then set Special Permissions to modify for subfolders and files only, correct? BTW, I will look at the effective permissions later today.

Barry
I looked at effective permissions and they were the same for all users. I really do not know why this is happening. After testing with a series of folders the best I could come up with is Read and Execute (This folder only) to the Docs folder and also to Docs give Special permissions to Domain Users (Subfolders and Files Only) the same as Modify but changing the delete permission to subfolders and files. This will at least prevent writing to Docs but it still will not prevent moving the contents inside one job folder to another. It appears this is as close as you can get.

Barry
Here is something else strange. I have narrowed down why some can save and some can't with the same (Effective) permissions. The ones that can't are using Win2k machines and the ones that can are using XP. I replicate this 100% of the time. Is this normal?

Barry
Debsyl99,

I am going to give you the points as you have helped with this. I finally just set the Docs folder to Read and Execute (This folder only) and also to Docs gave Special permissions to Domain Users (Subfolders and Files Only). This prevents writing to Docs but still makes the subfolders usable. I may still have to put up with files being moved in the subfolders. After double checking the difference between Win2k and XP, it just happened that the file in question was owned by the Win2k user. So, it appears that all is working as it should be. Thanks for the help.

Barry
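
The layout settled on in this thread, modelled as an added example (not code from any poster): it checks which create and move operations the Docs ACEs allow and, going slightly beyond the thread, compares them with plain Modify on the job folders. The layout names, sample paths and the single-group, allow-only simplification are assumptions made for the illustration.

```python
# Added illustration: simplified model of NTFS allow ACEs on the Docs tree.
# Only one group (Domain Users), no deny ACEs, and every ACE is set on Docs.
RX, W, D, DC = "read_execute", "write", "delete", "delete_subfolders_and_files"

# Each ACE: (rights, applies to Docs itself, inherited by subfolders and files)
FINAL_LAYOUT = [
    ({RX}, True, False),         # Read & Execute, "This folder only"
    ({RX, W, DC}, False, True),  # Modify with Delete swapped for DC, "Subfolders and files only"
]
MODIFY_LAYOUT = [
    ({RX}, True, False),
    ({RX, W, D}, False, True),   # plain Modify on everything below Docs
]

def rights_on(aces, path):
    """Allow rights Domain Users hold on a path such as 'Docs/01-100/a.doc'."""
    is_docs = "/" not in path
    granted = set()
    for rights, this_folder, children in aces:
        if (is_docs and this_folder) or (not is_docs and children):
            granted |= rights
    return granted

def can_create_in(aces, folder):
    # Write bundles Create Files/Write Data and Create Folders/Append Data.
    return W in rights_on(aces, folder)

def can_delete(aces, path):
    """NTFS permits delete or rename with Delete on the object itself,
    or Delete Subfolders and Files on its parent folder."""
    parent = path.rsplit("/", 1)[0]
    return D in rights_on(aces, path) or DC in rights_on(aces, parent)

def can_move(aces, src, dest_folder):
    # A move removes the entry from its parent and creates one in dest_folder.
    return can_delete(aces, src) and can_create_in(aces, dest_folder)

if __name__ == "__main__":
    for name, aces in (("final", FINAL_LAYOUT), ("modify", MODIFY_LAYOUT)):
        print(name,
              "create in Docs:", can_create_in(aces, "Docs"),
              "| move job folder:", can_move(aces, "Docs/01-100", "Docs/01-101"),
              "| move file between jobs:",
              can_move(aces, "Docs/01-100/a.doc", "Docs/01-101"))
```

With the final layout the job folders themselves stay put, while files and subfolders inside them can still be moved between job folders, which matches what Barry reports.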