Allow create file to a folder, but deny write access to files in the folder via inheritance - possible?

Ok, I am having a bit of a hassle with some folder/file permissions in Windows 2003 Server, and curious if someone else has an idea. This is probably a simple solution that I am just missing. I have a folder which contains multiple (read: dozens) of files inside. I have a group of users I want to be to read all files in the folder, but cannot edit the existing files. However, I want to allow them the ability to edit and save the modified files as a new file, with a different name.

For example, I have folder A, with files 1 - 10 inside. I want to be able to allow a user to open up file 1, modify and save the file as 1-mod. The original file cannot be saved in the edited state.

Obviously I could just give read/write access to the folder, and implicitly deny write on each file, but all told there is over 3000 files in various folders I need to do this for as well as new files placed in on a daily basis by multiple people, so its not a reasonable option to manually set write-deny on each file. Is there another solution that would give the same effect, but would be set up via inheritance?
LVL 3
avoginiAsked:
Who is Participating?
 
Walter PadrónCommented:
Give the parent directory this permissions

CACLS output:
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)(IO)C
Everyone:(OI)(CI)(special access:)
                            READ_CONTROL
                            SYNCHRONIZE
                            FILE_GENERIC_READ
                            FILE_GENERIC_EXECUTE
                            FILE_READ_DATA
                            FILE_WRITE_DATA
                            FILE_READ_EA
                            FILE_EXECUTE
                            FILE_READ_ATTRIBUTES
NT AUTHORITY\SYSTEM:(OI)(CI)F
0
 
Malli BoppeCommented:
try using cacls

CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
               [/P user:perm [...]] [/D user [...]]
   filename      Displays ACLs.
   /T            Changes ACLs of specified files in
                 the current directory and all subdirectories.
   /E            Edit ACL instead of replacing it.
   /C            Continue on access denied errors.
   /G user:perm  Grant specified user access rights.
                 Perm can be: R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /R user       Revoke specified user's access rights (only valid with /E).
   /P user:perm  Replace specified user's access rights.
                 Perm can be: N  None
                              R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /D user       Deny specified user access.
Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.

Abbreviations:
   CI - Container Inherit.
        The ACE will be inherited by directories.
   OI - Object Inherit.
        The ACE will be inherited by files.
   IO - Inherit Only.
        The ACE does not apply to the current file/directory.
0
 
avoginiAuthor Commented:
Running it will work initially to change all the files attributes, but what about the other half of the problem, where I have other (write-enabled) users adding new files every day? I need to be able to take out user-error in forgetting to set the permissions of the files. Perhaps I could set up a scheduled batch script to run daily, but I was hoping for something through Windows permissions directly. Is it not possible for the this?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.