Allow create file to a folder, but deny write access to files in the folder via inheritance - possible?

Ok, I am having a bit of a hassle with some folder/file permissions in Windows 2003 Server, and am curious if someone else has an idea. This is probably a simple solution that I am just missing. I have a folder which contains multiple (read: dozens) of files inside. I have a group of users I want to be able to read all files in the folder, but not be able to edit the existing files. However, I want to allow them the ability to edit and save the modified files as a new file, with a different name.

For example, I have folder A, with files 1 - 10 inside. I want to be able to allow a user to open up file 1, modify and save the file as 1-mod. The original file cannot be saved in the edited state.

Obviously I could just give read/write access to the folder, and implicitly deny write on each file, but all told there are over 3000 files in various folders I need to do this for, as well as new files placed in on a daily basis by multiple people, so it's not a reasonable option to manually set write-deny on each file. Is there another solution that would give the same effect, but would be set up via inheritance?
1 Solution
Malli Boppe Commented:
Try using cacls

CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
               [/P user:perm [...]] [/D user [...]]
   filename      Displays ACLs.
   /T            Changes ACLs of specified files in
                 the current directory and all subdirectories.
   /E            Edit ACL instead of replacing it.
   /C            Continue on access denied errors.
   /G user:perm  Grant specified user access rights.
                 Perm can be: R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /R user       Revoke specified user's access rights (only valid with /E).
   /P user:perm  Replace specified user's access rights.
                 Perm can be: N  None
                              R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /D user       Deny specified user access.
Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.

   CI - Container Inherit.
        The ACE will be inherited by directories.
   OI - Object Inherit.
        The ACE will be inherited by files.
   IO - Inherit Only.
        The ACE does not apply to the current file/directory.
avogini (Author) Commented:
Running it will work initially to change all the files' attributes, but what about the other half of the problem, where I have other (write-enabled) users adding new files every day? I need to be able to take out user error in forgetting to set the permissions of the files. Perhaps I could set up a scheduled batch script to run daily, but I was hoping for something through Windows permissions directly. Is it not possible for this?
Walter Padrón Commented:
Give the parent directory these permissions

CACLS output:
Everyone:(OI)(CI)(special access:)
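
The following is an added example, not part of the thread and not a reconstruction of the permission list above: a simplified Python model of how the OI, CI and IO flags from the cacls help decide which ACEs reach a new file or subfolder. The "Reviewers" group and the ACL for folder A are constructed for illustration, and only allow ACEs are modelled.

```python
# Simplified model of NTFS ACE inheritance (allow ACEs only; the NP flag and
# CREATOR OWNER substitution are left out). All names here are constructed.
from dataclasses import dataclass

READ, WRITE_OR_ADD_FILE, APPEND_OR_ADD_DIR = "R", "WD", "AD"
# WD is FILE_WRITE_DATA on a file and FILE_ADD_FILE on a directory (same bit).

@dataclass(frozen=True)
class Ace:
    trustee: str
    rights: frozenset
    flags: frozenset = frozenset()   # subset of {"OI", "CI", "IO"}

def inherit(ace, child_is_dir):
    """Return the ACE a new child receives from a parent ACE, or None."""
    if child_is_dir:
        if "CI" in ace.flags:                      # effective on the subfolder
            return Ace(ace.trustee, ace.rights, ace.flags - {"IO"})
        if "OI" in ace.flags:                      # carried only for files below
            return Ace(ace.trustee, ace.rights, ace.flags | {"IO"})
        return None
    if "OI" in ace.flags:                          # files keep no inherit flags
        return Ace(ace.trustee, ace.rights, frozenset())
    return None

def child_acl(parent_acl, child_is_dir):
    return [a for a in (inherit(p, child_is_dir) for p in parent_acl) if a]

def effective(acl, trustee):
    """Rights that apply to the object itself (IO ACEs are skipped)."""
    rights = set()
    for ace in acl:
        if ace.trustee == trustee and "IO" not in ace.flags:
            rights |= ace.rights
    return rights

# Constructed ACL for "folder A": read flows to everything, while the
# create-file/create-folder bits stay on folders because OI is absent.
FOLDER_A = [
    Ace("Reviewers", frozenset({READ}), frozenset({"OI", "CI"})),
    Ace("Reviewers", frozenset({WRITE_OR_ADD_FILE, APPEND_OR_ADD_DIR}),
        frozenset({"CI"})),
]

if __name__ == "__main__":
    print("folder A :", sorted(effective(FOLDER_A, "Reviewers")))
    print("file 1   :", sorted(effective(child_acl(FOLDER_A, False), "Reviewers")))
    print("subfolder:", sorted(effective(child_acl(FOLDER_A, True), "Reviewers")))
```

In this model the group can add files to folder A and its subfolders, while every file that inherits from the folder, including ones added later by other users, carries only the read ACE for that group.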
