Windows 2003 Share Permissions

For a share, is it possible to have permissions so that users can create folders and have read/write access to the entire data in the share but not have permission to delete folders?
Who is Participating?
Lee W, MVPTechnology and Business Process AdvisorCommented:
You can do it - the thing is you will likely cause unexpected and undesired results as explained above.    Instead of giving full control, modify the permissions custom and you can prevent deletion.
Lee W, MVPTechnology and Business Process AdvisorCommented:
No, Share permissions are basic - you would need to use NTFS Permissions (Share permissions, in my opinion, are NEARLY useless and I can't imagine "crying" about them if Microsoft stopped offering the ability to use them... they really are ALMOST pointless.
lrkwalkersAuthor Commented:
So if I set the share to Full Control for Everyone, how would I configure the NTFS permissions?
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

Lee W, MVPTechnology and Business Process AdvisorCommented:
However you like.  Configure the folder and then set permissions.  DO NOT USE DENY.  Deny overrides permit so if you allow jsmith full control but he's part of the accounting group and you deny the accounting group, then you deny jsmith.

Proper methodology says you setup GROUPS and add and remove users from the groups.  Then you apply the groups to the permissions structure.  If a group is NOT explicitly granted access, they are automatically denied.

So, lets say you want to setup the following 5 users:

jsmith - Accounting
njohnson - Human Resources
rthompson - Human Resources
hwilson - Accounting
ganderson - OWNER.

Now you want to create a share so that the accounting people can share data but the HR people can't and a share so the HR people can share data but the accounting can't.  And the OWNER needs access to EVERYTHING.

Then you create two groups:
Accounting Group - contains jsmtih, ganderson, hwilson
Human Resources Group - contains rthompson, njohnson, ganderson

Now to create the folders - lets say on your D: drive - d:\accounting and d:\hr.  Share them with everyone - full control (default share permissions on 2003 is Everyone - Read Only - so you'll have to change it).  Then you grant the Accounting Group, Domain Administrators, and System Full Control on d:\accounting in the NTFS permissions (Security tab).  Then you do likewise for D:\HR, granting the Human Resources Group Full Control and also Domain Admins and System.  Since HR does not have accountants listed as a group allowed to use the folder, they will get an Access Denied error if they attempt to access it.  And vice versa for the HR group accessing the Accounting folder.  Our owner, ganderson, since he's a member of both groups, will have full access to both folders.

Now, doing special things like not allowing deletions can be tricky because sometimes programs create temporary files when you work with their documents (for example, Word does this - open a file and you'll find a similarly named file starting with a ~.  And if you prevent it from deleting those, you could end up with TONS of temporary files.  Also, some programs work by deleting the files and then replacing them with new versions.  What I suggest is a better method would be to enable Volume Shadow copy and maintain good backups.
lrkwalkersAuthor Commented:
Thanks mate - one last question...
lrkwalkersAuthor Commented:

So there's no way of denying users the ability DELETE FOLDERS?

lrkwalkersAuthor Commented:
Great - thanks mate.  Points awarded.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.