conflicting domain rights, folder permissions

Is there a way to grant users on a Server 2003 domain the right to create files and folders on a network share that denies them the right to delete files and/or folders, as well as denies them the right to modify an existing file/folder? The only problem I run into is that they can delete the files they create, as well as delete the files they create. This sounds like an impossibility, but I thought I'd get a second or third opinion.

Thanks in advance.
effincomputersAsked:
Who is Participating?
 
gobanConnect With a Mentor Commented:
Let me see if I understand you correctly. I broke down your original question to try to clarify my understanding of the problem and what I think may be the answer.

First I suggest you start with a blank slate
-------------------------------------
Right click folder > Folder properties > Security tab > Click Advanced > Uncheck Inherit from parent... setting > Click Remove > If there are any Permission entries left, remove them all.

Second add back the essentials

Add...

Administrators Group
--Allow Full Control

SYSTEM
--Allow Full Control


Now on to your questions,

"Is there a way to grant users on a Server 2003 domain the right to create files and folders on a network share..."

My reasoning: We need to specifically "Allow" some security settings for this to work.

"... that denies them the right to delete files and/or folders as well as denies them the right to modify an existing file/folder?"

My reasoning: We need to clear some settings because what isn't specifically set as "Allow" will be denied by default. We don't use "Deny" in this case because a "Deny" setting can take precedence over other security settings even if they are granted "Allow" status.

Translating these ideas into a security setting we would set it up like this:

Click Add...
Domain Users (or other group containing your users)
--Clear Full Control
--Allow Traverse Folder / Execute File
--Allow List Folder/ Read Data
--Allow Read Attributes
--Allow Read Extended Attributes
--Allow Create Files / Write Data
--Allow Create Folders / Append Data
--Allow Write Attributes
--Allow Write Extended Attributes
--Clear Delete Subfolder and Files
--Clear Delete
--Allow Read Permissions
--Clear Change Permissions
--Clear Take Ownership

If you don't want certain domain users included in this restriction you will need to use another security group in place of "Domain Users".

Results for me when I test this, are as follows:

Any Domain User can Create, Read, Execute, List the Contents of a Folder, and Modify files, but cannot delete them.
Any Administrator Account, has Full control.

Are these the results you want? You can change the "Allow" settings I listed above to "Clear" to further restrict the folder if you need to.
0
 
ormerodrutterCommented:
I think you can achieve it by opening the properties of that shared folder and go to the Security tab, choose CREATOR OWNER and deny Modify right.
0
 
effincomputersAuthor Commented:
I think this might get in the way of creators and owners from other groups, who have the right to create , modify, and delete from being able to do this. Similar to this kind of a solution, I've tried denying the targeted group from being able to take ownership. But that isn't helping.
0
 
gobanCommented:
Usually a "Deny" setting will take precedence over an "Allow". Instead of using "deny" try removing/unchecking "Allow".
0
 
effincomputersAuthor Commented:
Hi Goban. Are you referring to: "Security tab, choose CREATOR OWNER and deny Modify right."? If so, this wouldn't prevent owners of other files that should have more advanced privileges from exercising them?
0
All Courses

From novice to tech pro — start learning today.