lrkwalkers asked:

Windows 2003 Share Permissions

For a share, is it possible to have permissions so that users can create folders and have read/write access to the entire data in the share but not have permission to delete folders?
Lee W, MVP

No, Share permissions are basic - you would need to use NTFS Permissions (Share permissions, in my opinion, are NEARLY useless and I can't imagine "crying" about them if Microsoft stopped offering the ability to use them... they really are ALMOST pointless).
lrkwalkers


So if I set the share to Full Control for Everyone, how would I configure the NTFS permissions?
However you like.  Configure the folder and then set permissions.  DO NOT USE DENY.  Deny overrides permit so if you allow jsmith full control but he's part of the accounting group and you deny the accounting group, then you deny jsmith.

Proper methodology says you set up GROUPS and add and remove users from the groups.  Then you apply the groups to the permissions structure.  If a group is NOT explicitly granted access, they are automatically denied.

So, let's say you want to set up the following 5 users:

jsmith - Accounting
njohnson - Human Resources
rthompson - Human Resources
hwilson - Accounting
ganderson - OWNER.

Now you want to create a share so that the accounting people can share data but the HR people can't and a share so the HR people can share data but the accounting can't.  And the OWNER needs access to EVERYTHING.

Then you create two groups:
Accounting Group - contains jsmith, ganderson, hwilson
Human Resources Group - contains rthompson, njohnson, ganderson

Now to create the folders - let's say on your D: drive - d:\accounting and d:\hr.  Share them with everyone - full control (default share permissions on 2003 is Everyone - Read Only - so you'll have to change it).  Then you grant the Accounting Group, Domain Administrators, and System Full Control on d:\accounting in the NTFS permissions (Security tab).  Then you do likewise for D:\HR, granting the Human Resources Group Full Control and also Domain Admins and System.  Since HR does not have accountants listed as a group allowed to use the folder, they will get an Access Denied error if they attempt to access it.  And vice versa for the HR group accessing the Accounting folder.  Our owner, ganderson, since he's a member of both groups, will have full access to both folders.

Now, doing special things like not allowing deletions can be tricky because sometimes programs create temporary files when you work with their documents (for example, Word does this - open a file and you'll find a similarly named file starting with a ~).  And if you prevent it from deleting those, you could end up with TONS of temporary files.  Also, some programs work by deleting the files and then replacing them with new versions.  What I suggest is a better method would be to enable Volume Shadow Copy and maintain good backups.
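The group layout and the deny-overrides-allow rule from the answer above, as an added Python model that is not part of the original thread. It is a simplification: it ignores inheritance and ACL entry ordering, and the right names (`read`, `write`, `delete`) and function names are constructed for illustration.

```python
# Simplified model of NTFS access evaluation (added example, not real Windows APIs).
# Assumptions: no inheritance, no entry ordering; rights are illustrative labels.
FULL = frozenset({"read", "write", "delete"})

# Group membership exactly as laid out in the answer.
GROUPS = {
    "Accounting Group": {"jsmith", "hwilson", "ganderson"},
    "Human Resources Group": {"rthompson", "njohnson", "ganderson"},
}

# NTFS ACLs as described: (trustee, "allow" or "deny", rights).
ACLS = {
    r"d:\accounting": [("Accounting Group", "allow", FULL),
                       ("Domain Admins", "allow", FULL), ("SYSTEM", "allow", FULL)],
    r"d:\hr": [("Human Resources Group", "allow", FULL),
               ("Domain Admins", "allow", FULL), ("SYSTEM", "allow", FULL)],
}

# The case the answer warns about: user allowed, but one of his groups denied.
DENY_CASE = [("jsmith", "allow", FULL), ("Accounting Group", "deny", FULL)]


def trustees(user, groups=GROUPS):
    """The user's own name plus every group the user belongs to."""
    return {user} | {g for g, members in groups.items() if user in members}


def effective_rights(user, acl, groups=GROUPS):
    """Union of matching allows minus union of matching denies.

    A user matched by no entry ends up with an empty set: the implicit deny.
    """
    who = trustees(user, groups)
    allowed, denied = set(), set()
    for trustee, kind, rights in acl:
        if trustee in who:
            (denied if kind == "deny" else allowed).update(rights)
    return allowed - denied


def can_access(user, folder, right="read", acls=ACLS):
    return right in effective_rights(user, acls[folder])


if __name__ == "__main__":
    for user in ("jsmith", "njohnson", "rthompson", "hwilson", "ganderson"):
        row = {folder: can_access(user, folder) for folder in ACLS}
        print(f"{user:10} {row}")
    print("jsmith with group deny:", effective_rights("jsmith", DENY_CASE))
```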
Thanks mate - one last question...

So there's no way of denying users the ability to DELETE FOLDERS?

Lee W, MVP

Great - thanks mate.  Points awarded.