Solved

Avoid delete folders and file on a network share / Not able to save excel files Error message can not save the “file name” the folder is mark as a read only .

Posted on 2006-07-20
14
454 Views
Last Modified: 2013-12-04
I am trying to accomplish the following task

1) Avoid users to delete and move folders and files on a network share on a windows platform with a Dell server running SBS 2003 service pack 2, all the client are XP professional with service pack 2

They should be able to do everything with the exception of moving folders, due to the fact that folders on that share  get always moved and lost by mistake of the users. I have already created the group , and deny delete and delete subfolder and files.

This option is not working for me because is having like side effects, allow me to explain.

Once the deny delete and delete subfolder is applied

1) Users can not delete files and folder – First task accomplish
 

2) Users can not move a folder into another folder – Second task accomplish  at 50% becasue a message display access denied which is wan I want but it creates an empty folder with the same name of the source folder inside the destination folder   – This  folder  it can not be delete an creates confusion for the user and  they start filing in the wrong location = How could this be avoided the creation of an empty folder at the destination folder?

With files it works beautifull access denied and that is

3)  My main concern now is that all the files created under the share  folder  respond to the deny option  with the execption of excel. It display an error message    Error message can not save the “file name” the folder is mark as a read only .


4) User can not move or delete files inside the share but they can creates copies on theirs desktop – for security could this be control it.


Thanks in advance
0
Comment
Question by:musiquito2001
  • 4
  • 4
  • 3
14 Comments
 
LVL 11

Expert Comment

by:rafael_acc
Comment Utility
First ... some background

When you share file and folders resources you have two level of permissions. The first level is the share level permissions. The second is the NTFS level permissions. When you share a folder, the most restrictive one will apply. Say for instance you have read only share permission but full access ntfs permissions for everyone, when that resource will be accessed through the network, it would still be READONLY.

A best practice is to specify full access for "Authenticated Users" for the share permissions and restrict rights locally, using NTFS permissions. I can point you at the moment two reasons why doing so is better:

1. It's easier, as you would focus on ntfs permissions only
2. It's easier to debug/troubleshoot problems
3. It's more secure
4. You are both restricting network access and local access (imagine if you didn't do so, you would for instance specify readonly for userx, but then, if userx gets physical access to the actual server, he/she will be able to access the files/folders).

Now, back to your problem

To deny delete/moving files and folders, assingn the "modify" permission accordingly. Antoher thing with office files is to make sure you don't have the same file open by another user or process.

Let me know how it goes ...

Cheers
0
 

Author Comment

by:musiquito2001
Comment Utility
Don Rafael Acc;

Thanks for replying to my message, I have already try your suggestion and is not working. This is the scenario:

At the share level full control to "authenticated users” at the NTFS level I have grant:

Modify
Read & execute
List folder contents
Read
Write

Special permission = Go to the advance tab and:

Deny             Delete subfolders and files
Deny             Delete

To the authenticated users.

This combination it works fine so far for Microsoft word, however when I try to create and save other type of files like excel and I just notice that power point also behave the same way. The error message is

The file "name of the file.ppt" already exits. Do you want to replace exiting file

Yes No

I select yes

A message appear the folder is marked as read only

Ok

I do invite you to try it just create a folder on your desktop and apply those setting to your account and you will see.


There must be a solution

I wonder where the problem reside, and if there is another way to achieve the task which is:

Avoid all users to move files and folder that they create on a network share. It just happened again a user it has delete an excel file with the master calculation. My boos is on my but.  I need to fix this situation ASAP.

Any suggestion is well appreciated

Thank

Raul

0
 
LVL 11

Expert Comment

by:rafael_acc
Comment Utility
Raul,

I don't need to test it. I do this on a regular basis. You must be missing something and unfortunately, by not being there, I can't really provide you an "out of the box" solution to your problem. However, I will try to go through this with you and see what else I can do to help you.

1. could you please make sure you don't have that folder/files marked as readonly??
2. Does this problem happen with Ms Office files only or anyother files as well?


Cheers,
Rafael
0
 
LVL 11

Expert Comment

by:rafael_acc
Comment Utility
To do that, you should right-click on the fodler and check the General tab. Look for the ReadOnly attribute ... Is it checked?

Cheers
0
 

Author Comment

by:musiquito2001
Comment Utility

Hi Rafael;

To answer your question.

1. could you please make sure you don't have that folder/files marked as readonly??

I have already try it out using the administrator account and ownwer of the folder, remove the attribute read only and applied to all folder, dub folder and files. Click okey

 

2. Does this problem happen with Ms Office files only or anyother files as well?

So far only with power excel and power point files extension.

I have try with all others format, word, bitmap, jpeg, etc and it works fine

If you want i could accomodate and allow you to connect remotly and take a look. If it is possible of course, we could make an appoitment

Please advise

Thanks

Raul

Just le
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 11

Expert Comment

by:rafael_acc
Comment Utility
I'm not sure if I'm breaking any rules of this site by doing this but if you could manage to give remote access, I could at least take a look. However, since this is happening with some MS Office files only, all I can think of at the moment is that this could be a issue with Office files actualy and not permissions related ...

On my website (which can be found in my profile's page) you can find my email address in case you want to get a more personalised advice.

Cheers
0
 
LVL 38

Expert Comment

by:Rich Rumble
Comment Utility
>I'm not sure if I'm breaking any rules of this site by doing this but if you could manage to give remote access
   You would be breaking the MA/EULA, please don't proceed down that path.

Since your using 2003, hopefully SP1... if you don't want users to view folders or files they are not supposed to have access to try this utility from M$, for 2003, SP1
http://www.microsoft.com/downloads/details.aspx?FamilyID=04a563d9-78d9-4342-a485-b030ac442084&displaylang=en

These are the rights required to have M$ Office files operate properly
http://www.microsoft.com/downloads/details.aspx?FamilyID=04a563d9-78d9-4342-a485-b030ac442084&displaylang=en
-rich
0
 

Author Comment

by:musiquito2001
Comment Utility

Hi Rich;

Thanks for the input,

The first link for the utility of M$ which is fine but at the present time is not need it.

The second link is the want that I am interested, the rights required to have M$ Office files operate properly.

However is the same link as the first one pointing to download the M$ utility.

Can you please send me the correct one? I would appreciate.

Thanks

Raul



0
 
LVL 38

Expert Comment

by:Rich Rumble
Comment Utility
0
 

Author Comment

by:musiquito2001
Comment Utility

Rich;

Look what i found on the microsoft web site. Acording to this I need to allow the DELETE permission. This situation is contradicted because with that perision the user will be able to move the file and delete it as well. It brings me back to square 1. I wonder how microsoft deal with type of situation, there must be a way. I do what that the files on the network share are not protected. I dont know what to do. Any sugestion?

Restricted permissions
When you save an Excel file to a network drive, you must have the following permissions to the folder where you are saving the file:

• Read permissions
• Write permissions
• Rename permissions
• Delete permissions
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 250 total points
Comment Utility
The delete permission is so that the "temporary file" that word/excel create when you open a doc, can be deleted after you close the doc.
http://support.microsoft.com/kb/211632/EN-US/ (same for excel)
http://support.microsoft.com/kb/814068/
http://support.microsoft.com/kb/308419/
M$ asumes your going to make nightly back-ups of important files, as well as turn up the Auditing/event log settings.
-rich
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Suggested Solutions

In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
This video discusses moving either the default database or any database to a new volume.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now