• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1438
  • Last Modified:

Windows 2003 Share Permissions

For a share, is it possible to have permissions so that users can create folders and have read/write access to the entire data in the share but not have permission to delete folders?
0
lrkwalkers
Asked:
lrkwalkers
  • 4
  • 3
1 Solution
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
No, Share permissions are basic - you would need to use NTFS Permissions (Share permissions, in my opinion, are NEARLY useless and I can't imagine "crying" about them if Microsoft stopped offering the ability to use them... they really are ALMOST pointless.
0
 
lrkwalkersAuthor Commented:
So if I set the share to Full Control for Everyone, how would I configure the NTFS permissions?
0
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
However you like.  Configure the folder and then set permissions.  DO NOT USE DENY.  Deny overrides permit so if you allow jsmith full control but he's part of the accounting group and you deny the accounting group, then you deny jsmith.

Proper methodology says you setup GROUPS and add and remove users from the groups.  Then you apply the groups to the permissions structure.  If a group is NOT explicitly granted access, they are automatically denied.

So, lets say you want to setup the following 5 users:

jsmith - Accounting
njohnson - Human Resources
rthompson - Human Resources
hwilson - Accounting
ganderson - OWNER.

Now you want to create a share so that the accounting people can share data but the HR people can't and a share so the HR people can share data but the accounting can't.  And the OWNER needs access to EVERYTHING.

Then you create two groups:
Accounting Group - contains jsmtih, ganderson, hwilson
Human Resources Group - contains rthompson, njohnson, ganderson

Now to create the folders - lets say on your D: drive - d:\accounting and d:\hr.  Share them with everyone - full control (default share permissions on 2003 is Everyone - Read Only - so you'll have to change it).  Then you grant the Accounting Group, Domain Administrators, and System Full Control on d:\accounting in the NTFS permissions (Security tab).  Then you do likewise for D:\HR, granting the Human Resources Group Full Control and also Domain Admins and System.  Since HR does not have accountants listed as a group allowed to use the folder, they will get an Access Denied error if they attempt to access it.  And vice versa for the HR group accessing the Accounting folder.  Our owner, ganderson, since he's a member of both groups, will have full access to both folders.

Now, doing special things like not allowing deletions can be tricky because sometimes programs create temporary files when you work with their documents (for example, Word does this - open a file and you'll find a similarly named file starting with a ~.  And if you prevent it from deleting those, you could end up with TONS of temporary files.  Also, some programs work by deleting the files and then replacing them with new versions.  What I suggest is a better method would be to enable Volume Shadow copy and maintain good backups.
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

 
lrkwalkersAuthor Commented:
Thanks mate - one last question...
0
 
lrkwalkersAuthor Commented:
...dammit...sorry...

So there's no way of denying users the ability DELETE FOLDERS?

0
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
You can do it - the thing is you will likely cause unexpected and undesired results as explained above.    Instead of giving full control, modify the permissions custom and you can prevent deletion.
0
 
lrkwalkersAuthor Commented:
Great - thanks mate.  Points awarded.

Cheers
0

Featured Post

Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now