Solved

Preventing users from deleting folders in shared drive

Posted on 2006-06-30
Last Modified: 2011-09-20
Hi,
My users constantly drag and drop important folders into another. I need to know how to create the shared folder so that all users can read/create files under it, delete files that other users create in the same folder BUT CANNOT DELETE THE TOP LEVEL FOLDER itself.

I tried manipulating advanced permissions and removing the delete permission. If I do that, editing the file also does not work.

Some help would be greatly appreciated... My deadline is end of weekend.

Vinod.

Question by:mvvinod

Expert Comment

by:Pber
You almost had it.
Do this

At the top level folder
Grant the user or group modify access and click apply
then go to advanced security.
Edit that permission that you just set above
In the dropdown for Apply Onto
Select Subfolders and files only.
click apply

Author Comment

by:mvvinod
I tried your permission and it doesn't work. Here is the summary of the permission and the results.

Top Folder - Admin-full control, system-full control, users-read/list folder contents, users-modify-delete (apply to subfolder and files)

When I first didn't add read/list folder contents, I got an access denied when I tried to open the folder. So I included read/list folder contents.

Now users are not able to create any new files in the folder, it gives an access denied. I want them to create and modify files. I just don't want them to delete them.

Vinod.

Expert Comment

by:Pber
There are two things to consider.  The Share permissions and the folder/file NTFS permissions.

At the share you should have users with modify permission.  This might be restricting you now.

At the top level folder NTFS permissions, it still looks like you have special permissions set.  I would completely remove the user from the permissions, click apply then start over.

You are also better to set original permission via the first security window and not the advanced tab.  That's why I mentioned to grant the users modify permissions then go into the advanced tab and modify the permissions.   Also make sure the existing files/folders under the top level folder are inheriting from the parent.

If you do this, it should allow you to do what you mentioned in the original post and allow users to create/modify/delete, but not delete the top level folder.


Author Comment

by:mvvinod
I'm testing this on the machine itself. I have not shared the folder yet. Share permission does not come into the picture here.

I did exactly as you said. I added users to modify and then went to advanced to remove delete and then use "subfolder and files". When I do this and try to go into the folder as a user, it gives me access denied coz users don't have permission to traverse through the folder... the permission that I set for users only applies to subfolder and files and not the folder itself...

Try doing the same and you'll realize the problem...

Vinod.

Expert Comment

by:Pber
Sorry, I was testing with a group other than the default users group (I have this method hammered into my head as this is the way we operate our domain).  Thus mine worked as users already had read/execute at the root.

Anyhow, this is probably the best way of going about this...

Give the users read/execute at the root folder (this was probably the default)
Create another local group on the machines and add the desired users
Grant the new group modify at the top level
Now modify the new group's permission only to apply onto subfolders and files.
This should now work.

I noticed you mentioned you removed the delete priv in advanced.  You don't want users to delete anything under the root?

Author Comment

by:mvvinod
I will try it. But here is exactly what I want. Let's say I want a top level folder called "Shared" and under that I have several folders "x", "y", "z".
Let's forget about the permission for "shared" since I will remove inheritance and give all users read/traverse only permission and administrators - full control. So only admin can create more folders.

Now permission for each of the folders x,y,z should be in a manner that any user can create new files under x/y/z. They can modify any files under x/y/z. They should not be able to delete any file or move any file/folder under x/y/z.

So I have 1 person designated as shared folder manager who will delete files/folders under x/y/z or move it to another location once the project is completed.

Can this be done? I got the idea of how to set permission to x/y/z itself so no users can delete/modify the folder.

But my question is how do I set permission under it that will allow user to create/modify files but not delete them....

Vinod.

Expert Comment

by:Pber
What is happening is that even though you specified the permission by removing the delete attribute, the user becomes the owner of the object and thus inherits full control because the user is the owner.

You can probably fix this in one of two ways.

1)
Do what I've explained in my previous post and...
Edit/Add the Creator\Owner attribute at the top level folder and remove the delete and delete folders and files attributes (you might have to remove inheritance and copy the permissions).  

or...
2)
Do what I've explained in my previous post and...
On the new group you created in the previous post, instead of removing the delete and delete folders and files attributes, Deny the access.

WARNING:
Denies override allows, so be careful.  Do not deny the users access as this will deny Administrators even if they have full control.  Because of this, I recommend method one.

Hopefully this finally does what you need.

Author Comment

by:mvvinod
I'm experimenting with an empty folder and not the production folder. So there are no files already present in the folder. So the creator owner permission is not applicable here.

I tried deny. It also doesn't work. Once I deny delete, the user is not able to create new files anymore.

Vinod.

Author Comment

by:mvvinod
Have you tried one of the permissions you are suggesting here to see if it works for you?

Vinod.

Expert Comment

by:Pber
Seems to work here as I've been testing.

How about we start from scratch

At the top folder, go to advanced security and remove inheritance.  When asked whether to copy/remove, select Remove.
Now we should have no permissions.

Add Administrators and System with Full Control
Add Users with Read/Execute
Add the "New Group" with modify.
Go to advanced and give "New Group" deny Delete, and Deny Delete Subfolders and Files.  Only change those two, don't change the Applies onto this time.

Does this work better...?




Author Comment

by:mvvinod
I have tried the exact same thing you have said. Users get an access denied when they try to create a new file/folder.

I called Microsoft Support about this and they admitted that there is no way to prevent users from deleting file/folder if you give them right to rename and modify the files/folder.

Vinod.

Expert Comment

by:Pber
Well, the permissions above seem to allow me to create files/folders under the root.  I just can rename them, but understandably not.

What do you have if you do a cacls *.* from the root folder from a DOS prompt?

This is my output.
C:\tmp\root>cacls *.*
C:\tmp\root\test.txt MYPC\web:(DENY)(special access:)
                                 DELETE
                                 FILE_DELETE_CHILD

                     BUILTIN\Administrators:F
                     NT AUTHORITY\SYSTEM:F
                     BUILTIN\Users:R
                     MYPC\web:(special access:)
                                 READ_CONTROL
                                 SYNCHRONIZE
                                 FILE_GENERIC_READ
                                 FILE_GENERIC_WRITE
                                 FILE_GENERIC_EXECUTE
                                 FILE_READ_DATA
                                 FILE_WRITE_DATA
                                 FILE_APPEND_DATA
                                 FILE_READ_EA
                                 FILE_WRITE_EA
                                 FILE_EXECUTE
                                 FILE_READ_ATTRIBUTES
                                 FILE_WRITE_ATTRIBUTES


C:\tmp\root\TMPEC.tmp MYPC\web:(DENY)(special access:)
                                  DELETE
                                  FILE_DELETE_CHILD

                      BUILTIN\Administrators:F
                      NT AUTHORITY\SYSTEM:F
                      BUILTIN\Users:R
                      MYPC\web:(special access:)
                                  READ_CONTROL
                                  SYNCHRONIZE
                                  FILE_GENERIC_READ
                                  FILE_GENERIC_WRITE
                                  FILE_GENERIC_EXECUTE
                                  FILE_READ_DATA
                                  FILE_WRITE_DATA
                                  FILE_APPEND_DATA
                                  FILE_READ_EA
                                  FILE_WRITE_EA
                                  FILE_EXECUTE
                                  FILE_READ_ATTRIBUTES
                                  FILE_WRITE_ATTRIBUTES


C:\tmp\root\x MYPC\web:(OI)(CI)(DENY)(special access:)
                                  DELETE
                                  FILE_DELETE_CHILD

              BUILTIN\Administrators:(OI)(CI)F
              NT AUTHORITY\SYSTEM:(OI)(CI)F
              BUILTIN\Users:(OI)(CI)R
              MYPC\web:(OI)(CI)(special access:)
                                  READ_CONTROL
                                  SYNCHRONIZE
                                  FILE_GENERIC_READ
                                  FILE_GENERIC_WRITE
                                  FILE_GENERIC_EXECUTE
                                  FILE_READ_DATA
                                  FILE_WRITE_DATA
                                  FILE_APPEND_DATA
                                  FILE_READ_EA
                                  FILE_WRITE_EA
                                  FILE_EXECUTE
                                  FILE_READ_ATTRIBUTES
                                  FILE_WRITE_ATTRIBUTES


C:\tmp\root\y MYPC\web:(OI)(CI)(DENY)(special access:)
                                  DELETE
                                  FILE_DELETE_CHILD

              BUILTIN\Administrators:(OI)(CI)F
              NT AUTHORITY\SYSTEM:(OI)(CI)F
              BUILTIN\Users:(OI)(CI)R
              MYPC\web:(OI)(CI)(special access:)
                                  READ_CONTROL
                                  SYNCHRONIZE
                                  FILE_GENERIC_READ
                                  FILE_GENERIC_WRITE
                                  FILE_GENERIC_EXECUTE
                                  FILE_READ_DATA
                                  FILE_WRITE_DATA
                                  FILE_APPEND_DATA
                                  FILE_READ_EA
                                  FILE_WRITE_EA
                                  FILE_EXECUTE
                                  FILE_READ_ATTRIBUTES
                                  FILE_WRITE_ATTRIBUTES


C:\tmp\root\z MYPC\web:(OI)(CI)(DENY)(special access:)
                                  DELETE
                                  FILE_DELETE_CHILD

              BUILTIN\Administrators:(OI)(CI)F
              NT AUTHORITY\SYSTEM:(OI)(CI)F
              BUILTIN\Users:(OI)(CI)R
              MYPC\web:(OI)(CI)(special access:)
                                  READ_CONTROL
                                  SYNCHRONIZE
                                  FILE_GENERIC_READ
                                  FILE_GENERIC_WRITE
                                  FILE_GENERIC_EXECUTE
                                  FILE_READ_DATA
                                  FILE_WRITE_DATA
                                  FILE_APPEND_DATA
                                  FILE_READ_EA
                                  FILE_WRITE_EA
                                  FILE_EXECUTE
                                  FILE_READ_ATTRIBUTES
                                  FILE_WRITE_ATTRIBUTES



C:\tmp\root>

Author Comment

by:mvvinod
Maybe the user account you are using to create is a member of local admin... Have you checked group membership?

Coz I'm pretty sure when you deny delete and deny delete subfolder and files, it will not let you create files. The support personnel demonstrated this to me on a live meeting session.

Since you are trying this on your PC, check the group membership of all the accounts you are testing with.

Vinod.

Author Comment

by:mvvinod
Sorry, 1 small mistake in my post. It will let you create folders and files, but won't let you rename it. So all the folders you create will be called New Folder, New Folder (2), and so on....

Same way if you save directly from Word, you are fine, otherwise when you right click and create new document, it won't let you rename them....

This happens when you deny delete and delete subfolders and files.

Vinod.

Expert Comment

by:Pber
What you could do in that situation is let the Folder Manager create the folders and name them appropriately and have the users use the Save As from the application.

Author Comment

by:mvvinod
That is not possible coz when users try to create folder not realizing they don't have permission, several of those files and folder will pile up....

I found the solution to my problem....

Here is my folder structure:
Shared
        Clients
                x
                y
                z

My goals:
1. I don't want any users to delete shared or clients or any client under it (x,y,z)
2. I don't want users to create any files/folder under shared or clients.
3. User should create and delete files/folder as they want under each of the client (x,y,z)

Here is my permission:
Shared: Administrators - Allow Full Control
        SYSTEM - Allow Full Control
        Domain users - Allow Modify
        Domain users - Deny (delete, delete subfolders and files, create files, create folders) + CHECK "Apply on this container within this container only".

This check mark is the KEY. It allows deny to propagate only 1 level down. So deny automatically disappears after the second level folder.
Due to this check mark, client folder have all those deny above. So no one can delete any folder under clients or the clients itself. But under each client, there is no deny permission so users have modify permission that is inheriting from the shared folder level......

This is awesome. Small check mark makes so much sense.

Vinod.

Accepted Solution

by:Pber earned 500 total points
Careful, because you applied a deny to "Domain Users" and remember Deny overrides allow, thus system and administrators will be subject to this denial as well.

You should create another group and permission as above.
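
The one-level deny from the solution post and the deny-overrides-allow warning above, as an added example that is not part of the original thread: a simplified Python model of NTFS ACE inheritance and access checking. The reduced rights bits, the helper names, and the assumption that the deny entry applies to "This folder, subfolders and files" are illustrative, not taken from the posts.

```python
# Added illustration (not from the thread): simplified NTFS ACE inheritance
# and access check. Rights are reduced to the bits the posts mention.
from collections import namedtuple

READ, ADD_FILE, ADD_SUBDIR, DELETE, DELETE_CHILD = 1, 2, 4, 8, 16
MODIFY = READ | ADD_FILE | ADD_SUBDIR | DELETE   # Modify lacks DELETE_CHILD
FULL = MODIFY | DELETE_CHILD
DENIED = DELETE | DELETE_CHILD | ADD_FILE | ADD_SUBDIR

# flags: subset of OI, CI, IO (inherit only), NP (no propagate)
Ace = namedtuple("Ace", "kind trustee mask flags inherited")

def ace(kind, trustee, mask, *flags):
    return Ace(kind, trustee, mask, frozenset(flags), False)

def inherit_to_subfolder(parent_dacl):
    """ACEs a new subfolder receives from its parent's DACL."""
    out = []
    for a in parent_dacl:
        if "CI" in a.flags:
            # NP: the copy applies to the child but carries no inherit flags
            flags = frozenset() if "NP" in a.flags else a.flags - {"IO"}
            out.append(a._replace(flags=flags, inherited=True))
        elif "OI" in a.flags and "NP" not in a.flags:
            # files-only ACE: passes through the folder without applying to it
            out.append(a._replace(flags=a.flags | {"IO"}, inherited=True))
    return out

def access_check(dacl, groups, wanted):
    """Order: explicit deny, explicit allow, inherited deny, inherited allow."""
    remaining = wanted
    for a in sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny")):
        if "IO" in a.flags or a.trustee not in groups:
            continue
        if a.kind == "deny":
            if a.mask & remaining:
                return False
        else:
            remaining &= ~a.mask
            if not remaining:
                return True
    return False

def build_tree():
    # Assumption: the deny entry applies to "This folder, subfolders and files"
    shared = [
        ace("allow", "Administrators", FULL, "OI", "CI"),
        ace("allow", "SYSTEM", FULL, "OI", "CI"),
        ace("allow", "Domain Users", MODIFY, "OI", "CI"),
        ace("deny", "Domain Users", DENIED, "OI", "CI", "NP"),
    ]
    clients = inherit_to_subfolder(shared)
    return {"Shared": shared, "Clients": clients, "x": inherit_to_subfolder(clients)}

if __name__ == "__main__":
    for name, dacl in build_tree().items():
        print(name, "user can create:", access_check(dacl, {"Domain Users"}, ADD_FILE),
              "| admin in Domain Users can create:",
              access_check(dacl, {"Administrators", "Domain Users"}, ADD_FILE))
```

In this model x still carries the inherited Modify entry, which includes DELETE on x itself, so the ACL that each client folder ends up with is worth confirming with cacls.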

Expert Comment

by:Pber
Let me try to understand this.  All you want is for the users not to be able to delete files and folders above and including x,y,z, but allow them to do whatever they want under x,y,z?




Author Comment

by:mvvinod
Yes, absolutely.... I just wrote the above one for explanation purposes. I'm also thinking about how to incorporate delegation so 1 user can create folders and everyone else gets the above permission....

Although you could not solve my problem completely, you were very helpful and pointed me in the right direction so I will give you the points.

Vinod.


Author Comment

by:mvvinod
Yes. Till x,y,z level, there is no power for users. After that it's their kingdom.

Key is, at the same time I didn't want anyone creating new client folder to set permission manually each time as it's prone to mistakes. So I wanted permission to be automated which is what made the whole thing difficult.

Vinod.

Expert Comment

by:Pber
Automation is good.  I'm glad I could help.