ReefIT
asked on
NTFS permissions. Prevent root directory from being deleted.
Hi All,
I'm after your opinions on the following.
I have a folder e:\templates. This folder contains all the word doc templates for the company organised into sub-folders. All the sub-folders and files receive their permissions through inheritance.
There are 2 groups of users for this folder: dlg_templatesREAD and dlg_templatesMODIFY
The dlg_templatesREAD group has the following permission setup.
e:\templates (This folder, sub-folder, files)
dlg_templatesREAD List Folder Contents
Read
The dlg_templatesMODIFY group need to be to create\edit and delete folders and files except delete the e:\templates root folder. This group has the following permission setup:
e:\templates (This folder)
dlg_templatesMODIFY DENY Delete
e:\templates (This folder, sub-folders, files)
dlg_templatesMODIFY Modify
I have tested a number of different permission configurations but the above seems to work the best. (I do know that deny is bad practice)
Does anybody have any suggestions?.
Thanks in advance.
I'm after your opinions on the following.
I have a folder e:\templates. This folder contains all the word doc templates for the company organised into sub-folders. All the sub-folders and files receive their permissions through inheritance.
There are 2 groups of users for this folder: dlg_templatesREAD and dlg_templatesMODIFY
The dlg_templatesREAD group has the following permission setup.
e:\templates (This folder, sub-folder, files)
dlg_templatesREAD List Folder Contents
Read
The dlg_templatesMODIFY group need to be to create\edit and delete folders and files except delete the e:\templates root folder. This group has the following permission setup:
e:\templates (This folder)
dlg_templatesMODIFY DENY Delete
e:\templates (This folder, sub-folders, files)
dlg_templatesMODIFY Modify
I have tested a number of different permission configurations but the above seems to work the best. (I do know that deny is bad practice)
Does anybody have any suggestions?.
Thanks in advance.
imitchie
That setup looks right based on your requirement. Deny only the single permission "Delete" (current Folder).
I would set it up so that both groups have read and excute on This folder, sub-folder, files for the permissions for the e:\templates folder.
Then have setup within the permissions on e:\templates folder
dlg_templatesMODIFY, give modify permissions on subfolders and files only
this means that there is no deny permission used and also allows users in other groups to be able to delete the e:\templates folder as required eg domain admins, assuming that it is also in the permissions as full control.
Then have setup within the permissions on e:\templates folder
dlg_templatesMODIFY, give modify permissions on subfolders and files only
this means that there is no deny permission used and also allows users in other groups to be able to delete the e:\templates folder as required eg domain admins, assuming that it is also in the permissions as full control.
Why you don't simple turn off object inherit from parent on e:\templates and set permission manualy?
Hope this help.
Hope this help.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.