conflicting domain rights, folder permissions

Is there a way to grant users on a Server 2003 domain the right to create files and folders on a network share that denies them the right to delete files and/or folders, as well as denies them the right to modify an existing file/folder? The only problem I run into is that they can delete the files they create, as well as delete the files they create. This sounds like an impossibility, but I thought I'd get a second or third opinion.

Thanks in advance.
effincomputersAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ormerodrutterCommented:
I think you can achieve it by opening the properties of that shared folder and go to the Security tab, choose CREATOR OWNER and deny Modify right.
0
effincomputersAuthor Commented:
I think this might get in the way of creators and owners from other groups, who have the right to create , modify, and delete from being able to do this. Similar to this kind of a solution, I've tried denying the targeted group from being able to take ownership. But that isn't helping.
0
gobanCommented:
Usually a "Deny" setting will take precedence over an "Allow". Instead of using "deny" try removing/unchecking "Allow".
0
effincomputersAuthor Commented:
Hi Goban. Are you referring to: "Security tab, choose CREATOR OWNER and deny Modify right."? If so, this wouldn't prevent owners of other files that should have more advanced privileges from exercising them?
0
gobanCommented:
Let me see if I understand you correctly. I broke down your original question to try to clarify my understanding of the problem and what I think may be the answer.

First I suggest you start with a blank slate
-------------------------------------
Right click folder > Folder properties > Security tab > Click Advanced > Uncheck Inherit from parent... setting > Click Remove > If there are any Permission entries left, remove them all.

Second add back the essentials

Add...

Administrators Group
--Allow Full Control

SYSTEM
--Allow Full Control


Now on to your questions,

"Is there a way to grant users on a Server 2003 domain the right to create files and folders on a network share..."

My reasoning: We need to specifically "Allow" some security settings for this to work.

"... that denies them the right to delete files and/or folders as well as denies them the right to modify an existing file/folder?"

My reasoning: We need to clear some settings because what isn't specifically set as "Allow" will be denied by default. We don't use "Deny" in this case because a "Deny" setting can take precedence over other security settings even if they are granted "Allow" status.

Translating these ideas into a security setting we would set it up like this:

Click Add...
Domain Users (or other group containing your users)
--Clear Full Control
--Allow Traverse Folder / Execute File
--Allow List Folder/ Read Data
--Allow Read Attributes
--Allow Read Extended Attributes
--Allow Create Files / Write Data
--Allow Create Folders / Append Data
--Allow Write Attributes
--Allow Write Extended Attributes
--Clear Delete Subfolder and Files
--Clear Delete
--Allow Read Permissions
--Clear Change Permissions
--Clear Take Ownership

If you don't want certain domain users included in this restriction you will need to use another security group in place of "Domain Users".

Results for me when I test this, are as follows:

Any Domain User can Create, Read, Execute, List the Contents of a Folder, and Modify files, but cannot delete them.
Any Administrator Account, has Full control.

Are these the results you want? You can change the "Allow" settings I listed above to "Clear" to further restrict the folder if you need to.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.