Allow create file to a folder, but deny write access to files in the folder via inheritance - possible?

Ok, I am having a bit of a hassle with some folder/file permissions in Windows 2003 Server, and curious if someone else has an idea. This is probably a simple solution that I am just missing. I have a folder which contains multiple (read: dozens) of files inside. I have a group of users I want to be to read all files in the folder, but cannot edit the existing files. However, I want to allow them the ability to edit and save the modified files as a new file, with a different name.

For example, I have folder A, with files 1 - 10 inside. I want to be able to allow a user to open up file 1, modify and save the file as 1-mod. The original file cannot be saved in the edited state.

Obviously I could just give read/write access to the folder, and implicitly deny write on each file, but all told there is over 3000 files in various folders I need to do this for as well as new files placed in on a daily basis by multiple people, so its not a reasonable option to manually set write-deny on each file. Is there another solution that would give the same effect, but would be set up via inheritance?
Who is Participating?
Walter PadrónCommented:
Give the parent directory this permissions

CACLS output:
Everyone:(OI)(CI)(special access:)
Malli BoppeCommented:
try using cacls

CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
               [/P user:perm [...]] [/D user [...]]
   filename      Displays ACLs.
   /T            Changes ACLs of specified files in
                 the current directory and all subdirectories.
   /E            Edit ACL instead of replacing it.
   /C            Continue on access denied errors.
   /G user:perm  Grant specified user access rights.
                 Perm can be: R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /R user       Revoke specified user's access rights (only valid with /E).
   /P user:perm  Replace specified user's access rights.
                 Perm can be: N  None
                              R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /D user       Deny specified user access.
Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.

   CI - Container Inherit.
        The ACE will be inherited by directories.
   OI - Object Inherit.
        The ACE will be inherited by files.
   IO - Inherit Only.
        The ACE does not apply to the current file/directory.
avoginiAuthor Commented:
Running it will work initially to change all the files attributes, but what about the other half of the problem, where I have other (write-enabled) users adding new files every day? I need to be able to take out user-error in forgetting to set the permissions of the files. Perhaps I could set up a scheduled batch script to run daily, but I was hoping for something through Windows permissions directly. Is it not possible for the this?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.