Solved

Preventing users from deleting folders in shared drive

Posted on 2006-06-30
Last Modified: 2011-09-20
Hi,
My users constantly drag and drop important folders into another. I need to know how to create the shared folder so that all users can read/create files under it, delete files that other users create in the same folder BUT CANNOT DELETE THE TOP LEVEL FOLDER itself.

I tried manipulating advanced permissions and removing the delete permission. If I do that, editing the file also does not work.

Some help would be greatly appreciated... My deadline is end of weekend.

Vinod.
0
Comment
Question by:mvvinod
21 Comments
 
LVL 26

Expert Comment

by:Pber
ID: 17022221
You almost had it.
Do this

At the top level folder
Grant the user or group modify access and click apply
then go to advanced security.
Edit that permission that you just set above
In the dropdown for Apply Onto
Select Subfolders and files only.
click apply
0
 
LVL 8

Author Comment

by:mvvinod
ID: 17024155
I tried your permission and it doesn't work. Here is the summary of the permission and the results.

Top Folder - Admin-full control, system-full control, users-read/list folder contents, users-modify-delete (apply to subfolder and files)

When I first didn't add read/list folder contents, I got an access denied when I tried to open the folder. So I included read/list folder contents.

Now users are not able to create any new files in the folder; it gives an access denied. I want them to create and modify files. I just don't want them to delete them.

Vinod.
0
 
LVL 26

Expert Comment

by:Pber
ID: 17024750
There are two things to consider.  The Share permissions and the folder/file NTFS permissions.

At the share you should have users with modify permission.  This might be restricting you now.

At the top level folder NTFS permissions, it still looks like you have special permissions set.  I would completely remove the user from the permissions, click apply then start over.

You are also better to set original permission via the first security window and not the advanced tab.  That's why I mentioned to grant the users modify permissions then go into the advanced tab and modify the permissions.   Also make sure the existing files/folders under the top level folder are inheriting from the parent.

If you do this, it should allow you to do what you mentioned in the original post and allow users to create/modify/delete, but not delete the top level folder.


0

 
LVL 8

Author Comment

by:mvvinod
ID: 17025254
I'm testing this on the machine itself. I have not shared the folder yet. Share permission does not come into the picture here.

I did exactly as you said. I added users to modify and then went to advanced to remove delete and then use "subfolder and files". When I do this and try to go into the folder as a user, it gives me access denied coz users don't have permission to traverse through the folder... the permission that I set for users only applies to subfolder and files and not the folder itself...

Try doing the same and you'll realize the problem...

Vinod.
0
 
LVL 26

Expert Comment

by:Pber
ID: 17025330
Sorry I was testing with a group other than the default users group (I have this method hammered into my head as this is the way we operate our domain).  Thus mine worked as users already had read/execute at the root.

Anyhow, this is probably the best way of going about this...

Give the users read/execute at the root folder (this was probably the default)
Create another local group on the machines and add the desired users
Grant the new group modify at the top level
Now modify the new group's permission only to apply onto subfolders and files.
This should now work.

I noticed you mentioned you removed the delete priv in advanced.  You don't want users to delete anything under the root?
0
 
LVL 8

Author Comment

by:mvvinod
ID: 17025511
I will try it. But here is exactly what I want. Let's say I want a top level folder called "Shared" and under that I have several folders "x", "y", "z".
Let's forget about the permission for "Shared" since I will remove inheritance and give all users read/traverse only permission and administrators - full control. So only admin can create more folders.

Now permission for each of the folders x,y,z should be in a manner that any user can create new files under x/y/z. They can modify any files under x/y/z. They should not be able to delete any file or move any file/folder under x/y/z.

So I have 1 person designated as shared folder manager who will delete files/folders under x/y/z or move it to another location once the project is completed.

Can this be done? I got the idea of how to set permission to x/y/z itself so no users can delete/modify the folder.

But my question is how do I set permission under it that will allow users to create/modify files but not delete them...

Vinod.
0
 
LVL 26

Expert Comment

by:Pber
ID: 17028020
What is happening is that even though you specified the permission by removing the delete attribute, the user becomes the owner of the object and thus inherits full control because the user is the owner.

You can probably fix this in one of two ways.

1)
Do what I've explained in my previous post and...
Edit/Add the Creator\Owner attribute at the top level folder and remove the delete and delete folders and files attributes (you might have to remove inheritance and copy the permissions).  

or...
2)
Do what I've explained in my previous post and...
On the new group you created in the previous post, instead of removing the delete and delete folders and files attributes, Deny the access.

WARNING:
Denys override allows, so be careful.  Do not deny the users access as this will deny Administrators even if they have full control.  Because of this, I recommend method one.

Hopefully this finally does what you need
0
 
LVL 8

Author Comment

by:mvvinod
ID: 17031909
I'm experimenting with an empty folder and not the production folder. So there are no files already present in the folder. So the creator owner permission is not applicable here.

I tried deny. It also doesn't work. Once I deny delete, the user is not able to create new files anymore.

Vinod.
0
 
LVL 8

Author Comment

by:mvvinod
ID: 17031918
Have you tried one of the permission you are suggesting here to see if it works for you ???

Vinod.
0
 
LVL 26

Expert Comment

by:Pber
ID: 17036874
Seems to work here as I've been testing.

How about we start from scratch

At the top folder, go to advanced security and remove inheritance.  When asked whether to copy/remove, select Remove.
Now we should have no permissions.

Add Administrators and System with Full Control
Add Users with Read/Execute
Add the "New Group" with modify.
Go to advanced and give "New Group" Deny Delete and Deny Delete Subfolders and Files.  Only change those two; don't change the Applies onto this time.

Does this work better...?




0
 
LVL 8

Author Comment

by:mvvinod
ID: 17037346
I have tried the exact same thing you have said. Users get an access denied when they try to create a new file/folder.

I called Microsoft Support about this and they admitted that there is no way to prevent users from deleting file/folder if you give them right to rename and modify the files/folder.

Vinod.
0
 
LVL 26

Expert Comment

by:Pber
ID: 17037409
Well, the permissions above seem to allow me to create files/folders under the root.  I just can rename them, but understandably not.

What do you have if you do a cacls *.* from the root folder from a dos prompt?

This is my output.
C:\tmp\root>cacls *.*
C:\tmp\root\test.txt MYPC\web:(DENY)(special access:)
                                 DELETE
                                 FILE_DELETE_CHILD

                     BUILTIN\Administrators:F
                     NT AUTHORITY\SYSTEM:F
                     BUILTIN\Users:R
                     MYPC\web:(special access:)
                                 READ_CONTROL
                                 SYNCHRONIZE
                                 FILE_GENERIC_READ
                                 FILE_GENERIC_WRITE
                                 FILE_GENERIC_EXECUTE
                                 FILE_READ_DATA
                                 FILE_WRITE_DATA
                                 FILE_APPEND_DATA
                                 FILE_READ_EA
                                 FILE_WRITE_EA
                                 FILE_EXECUTE
                                 FILE_READ_ATTRIBUTES
                                 FILE_WRITE_ATTRIBUTES


C:\tmp\root\TMPEC.tmp MYPC\web:(DENY)(special access:)
                                  DELETE
                                  FILE_DELETE_CHILD

                      BUILTIN\Administrators:F
                      NT AUTHORITY\SYSTEM:F
                      BUILTIN\Users:R
                      MYPC\web:(special access:)
                                  READ_CONTROL
                                  SYNCHRONIZE
                                  FILE_GENERIC_READ
                                  FILE_GENERIC_WRITE
                                  FILE_GENERIC_EXECUTE
                                  FILE_READ_DATA
                                  FILE_WRITE_DATA
                                  FILE_APPEND_DATA
                                  FILE_READ_EA
                                  FILE_WRITE_EA
                                  FILE_EXECUTE
                                  FILE_READ_ATTRIBUTES
                                  FILE_WRITE_ATTRIBUTES


C:\tmp\root\x MYPC\web:(OI)(CI)(DENY)(special access:)
                                  DELETE
                                  FILE_DELETE_CHILD

              BUILTIN\Administrators:(OI)(CI)F
              NT AUTHORITY\SYSTEM:(OI)(CI)F
              BUILTIN\Users:(OI)(CI)R
              MYPC\web:(OI)(CI)(special access:)
                                  READ_CONTROL
                                  SYNCHRONIZE
                                  FILE_GENERIC_READ
                                  FILE_GENERIC_WRITE
                                  FILE_GENERIC_EXECUTE
                                  FILE_READ_DATA
                                  FILE_WRITE_DATA
                                  FILE_APPEND_DATA
                                  FILE_READ_EA
                                  FILE_WRITE_EA
                                  FILE_EXECUTE
                                  FILE_READ_ATTRIBUTES
                                  FILE_WRITE_ATTRIBUTES


C:\tmp\root\y MYPC\web:(OI)(CI)(DENY)(special access:)
                                  DELETE
                                  FILE_DELETE_CHILD

              BUILTIN\Administrators:(OI)(CI)F
              NT AUTHORITY\SYSTEM:(OI)(CI)F
              BUILTIN\Users:(OI)(CI)R
              MYPC\web:(OI)(CI)(special access:)
                                  READ_CONTROL
                                  SYNCHRONIZE
                                  FILE_GENERIC_READ
                                  FILE_GENERIC_WRITE
                                  FILE_GENERIC_EXECUTE
                                  FILE_READ_DATA
                                  FILE_WRITE_DATA
                                  FILE_APPEND_DATA
                                  FILE_READ_EA
                                  FILE_WRITE_EA
                                  FILE_EXECUTE
                                  FILE_READ_ATTRIBUTES
                                  FILE_WRITE_ATTRIBUTES


C:\tmp\root\z MYPC\web:(OI)(CI)(DENY)(special access:)
                                  DELETE
                                  FILE_DELETE_CHILD

              BUILTIN\Administrators:(OI)(CI)F
              NT AUTHORITY\SYSTEM:(OI)(CI)F
              BUILTIN\Users:(OI)(CI)R
              MYPC\web:(OI)(CI)(special access:)
                                  READ_CONTROL
                                  SYNCHRONIZE
                                  FILE_GENERIC_READ
                                  FILE_GENERIC_WRITE
                                  FILE_GENERIC_EXECUTE
                                  FILE_READ_DATA
                                  FILE_WRITE_DATA
                                  FILE_APPEND_DATA
                                  FILE_READ_EA
                                  FILE_WRITE_EA
                                  FILE_EXECUTE
                                  FILE_READ_ATTRIBUTES
                                  FILE_WRITE_ATTRIBUTES



C:\tmp\root>

0
 
LVL 8

Author Comment

by:mvvinod
ID: 17037477
Maybe the user account you are using to create is a member of local admin... Have you checked group membership?

Coz I'm pretty sure when you deny delete and deny delete subfolder and files, it will not let you create files. The support personnel demonstrated this to me on a live meeting session.

Since you are trying this on your PC, check the group membership of all the accounts you are testing with.

Vinod.
0
 
LVL 8

Author Comment

by:mvvinod
ID: 17037521
Sorry, 1 small mistake in my post. It will let you create folders and files, but won't let you rename them. So all the folders you create will be called New Folder, New Folder (2), and so on....

Same way, if you save directly from Word, you are fine; otherwise when you right click and create a new document, it won't let you rename them....

This happens when you deny delete and delete subfolders and files.

Vinod.
0
 
LVL 26

Expert Comment

by:Pber
ID: 17037724
What you could do in that situation is let the Folder Manager create the folders and name them appropriately  and have the users use the Save As from the application.
0
 
LVL 8

Author Comment

by:mvvinod
ID: 17037826
That is not possible coz when users try to create folders not realizing they don't have permission, several of those files and folders will pile up....

I found the solution to my problem....

Here is my folder structure:
Shared
        Clients
                x
                y
                z

My goals:
1. I don't want any users to delete Shared or Clients or any client under it (x,y,z)
2. I don't want users to create any files/folders under Shared or Clients.
3. Users should create and delete files/folders as they want under each of the clients (x,y,z)

Here is my permission:
Shared: Administrators - Allow Full Control
            SYSTEM - Allow Full Control
            Domain users - Allow Modify
            Domain users - Deny (delete, delete subfolders and files, create files, create folders) + CHECK "Apply on this container within this container only".

This check mark is the KEY. It allows deny to propagate only 1 level down. So deny automatically disappears after the second level folder.
Due to this check mark, client folders have all those deny above. So no one can delete any folder under clients or the clients itself. But under each client, there is no deny permission so users have modify permission that is inheriting from the shared folder level......

This is awesome. Small check mark makes so much sense.

Vinod.
0
 
LVL 26

Accepted Solution

by:
Pber earned 500 total points
ID: 17037845
Careful, because you applied a deny to "Domain Users" and remember Deny overrides allow, thus system and administrators will be subject to this denial as well.

You should create another group and permission as above.
0
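The ACL from the posts above, scripted as an added example (not code from the thread): it uses a dedicated local group as Pber recommends instead of Domain Users, then reads the ACLs back to show how far the Deny reaches. The scratch path under %TEMP% and the group name SharedUsers are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: the scratch path and the group name are assumptions.
$root  = Join-Path $env:TEMP 'Shared'
$group = "$env:COMPUTERNAME\SharedUsers"   # hypothetical dedicated local group

# A dedicated group keeps the Deny off any group that administrators belong to.
if (-not (Get-LocalGroup -Name 'SharedUsers' -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name 'SharedUsers' | Out-Null
}

# Shared\Clients\x|y|z, the layout from the thread.
foreach ($client in 'x', 'y', 'z') {
    New-Item -ItemType Directory -Force -Path (Join-Path $root "Clients\$client") | Out-Null
}

$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$allDepth = [System.Security.AccessControl.PropagationFlags]::None
# NoPropagateInherit is what the "within this container only" checkbox sets:
# direct children of Shared inherit the ACE but do not pass it further down.
$oneLevel = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit
$denied   = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, CreateFiles, CreateDirectories'

function New-Rule($Who, $Rights, $Propagation, $Type) {
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Who, $Rights, $inherit, $Propagation, $Type
}

$acl = Get-Acl -LiteralPath $root
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting; drop inherited ACEs
$rules = @(
    (New-Rule 'BUILTIN\Administrators' 'FullControl' $allDepth 'Allow'),
    (New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl' $allDepth 'Allow'),
    (New-Rule $group                   'Modify'      $allDepth 'Allow'),
    (New-Rule $group                   $denied       $oneLevel 'Deny')
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -LiteralPath $root -AclObject $acl

# Report the group's Deny ACE at each depth and whether it was inherited.
foreach ($path in $root, "$root\Clients", "$root\Clients\x") {
    $deny = (Get-Acl -LiteralPath $path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $group
    }
    [pscustomobject]@{
        Path       = $path
        DenyRights = if ($deny) { $deny.FileSystemRights -join '; ' } else { '(none)' }
        Inherited  = if ($deny) { $deny.IsInherited -join '; ' } else { '' }
    }
}
```

A folder such as `x` receives only the inherited Allow Modify, and Modify includes the Delete right on `x` itself, so confirm the result with a non-admin test account that is a member of the group.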
 
LVL 26

Expert Comment

by:Pber
ID: 17037875
Let me try to understand this.  All you want is for the users not to be able to delete files and folders above and including x,y,z, but allow them to do whatever they want under x,y,z?




0
 
LVL 8

Author Comment

by:mvvinod
ID: 17037880
Yes, absolutely.... I just wrote the above one for explanation purposes. I'm also thinking about how to incorporate delegation so 1 user can create folders and everyone else gets the above permission....

Although you could not solve my problem completely, you were very helpful and pointed me in the right direction, so I will give you the points.

Vinod.


0
 
LVL 8

Author Comment

by:mvvinod
ID: 17037884
Yes. Till x,y,z level, there is no power for users. After that it's their kingdom.

Key is, at the same time I didn't want anyone creating a new client folder to set permission manually each time as it's prone to mistakes. So I wanted permission to be automated, which is what made the whole thing difficult.

Vinod.
0
 
LVL 26

Expert Comment

by:Pber
ID: 17037996
Automation is good.  I'm glad I could help.
0


Question has a verified solution.
