How to protect existing files while allowing new files in a folder?

Say I have a folder called: \data

In \data, I have files and sub folders.

I want one specific user (UserAccount A)  to have full control over everything - no problem I already set that.

But I also want every OTHER user (Domain Users) to have the ability to create NEW files and folders in \data, but not OVERWRITE existing files and folders..   So in other words, they could open \data\DocumentA.doc but they would have to SAVE-AS and make a NEW file in order to save the document to \data.

I've gone in and looked at the explicit NTFS permissions but can't seem to get the right combination of file and folder permissions set in order for this to work.  

How is this possible via NTFS permissions on the server? (2003)

Who is Participating?
banks1850Connect With a Mentor Commented:
I gave that to you above, I'll elaborate.  

In advanced permissions for the "\data" subfolder you would select the drop down list for the group you want and choose this folder and sub-folders and choose the options I told you about above (I.E. create folder and create files) along with read and list attributes.
then in the same place, re-add that group and in the dropdown choose "files only" and give them read permissions.

this will effectively give them the ability to create new files in a folder and traverse the folder but not over write those files or delete anything.  Its a little painful but that should do it for you.
Go into your Advanced settings under your folder's Security Properties and edit the group / users permissions.  Here you can do an explicit deny and tweak it down to where you need it.
create a different share and use shared folder permissions, have the other users use that share instead.
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

aconwayAuthor Commented:
I don't have to create a different share... not unless I HAVE to.  I wanted to know if what I asked is possible without creating a separate share.

ICore: Yes I've gone in to Advanced options and played around, but as I said "I cannot get the right combination" to make it work exactly how I'm wanted.
Sorry, I missread the qeustion.

Well, in the properties of the folder, click the advanced button.  you should be able to give read and create permissions to user groups by clicking on the group, clicking edit, and checking off the rights that you need.  I.E. read and create folder/append data and create files/add data.  If you don't give them permissions to Change that should do it for you.
aconwayAuthor Commented:
Let me explain the scenario again, because I don't think what I want to do it possible:

UserA needs full control over all of  \data and it's files and subfolders.
UserGroupX needs to be able to Read the existing files and folders in \data but not modify any of the existing files.  They need to be able to open them but have to save a new version of that file in \data without being able to overwrite the original file that's in \data.

What **SPECIFIC** permission do I set to allow Domain Users to create new files and folders in \data but not modify existing "original" files that already exist in \data?  They also need to be able to READ the existing files.

I don't think it's possible.. right now I have \data\_working and have assigned Full Permissions to UserGroupX so they can save their documents in there, then UserA can manage it further and replace the existing files in \data manually.  

Oh, also, you might have to put the deny in the files only one for edit data and add data.  I forget whether you need that or if it is implicit with the read attribute.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.