Avatar of mrwolf
mrwolfFlag for Australia

asked on 

Prevent folders renaming to top level folders

I have a task where I need to prevent network users from making changes to the top level folder tree on our windows network. We have a single shared top level folder with lots of sub folders. People are of course able to add files within these folders, but I need to prevent them from renaming the top level folders.  I have tried using NTFS deny permisions but it seems to be problematic.  I would really like a microsoft solution.
Any ideas?
OS SecurityWindows Server 2003

Avatar of undefined
Last Comment
Rollin Kuhn
Avatar of Point-In-Cyberspace
Flag of Italy image

Only NTFS permissions can do that. On top level folders set read only and in advenced permission check the bypass travers checking. This for the groups that should not be able to modify names of top level folders.
On the content of the top level folders select all and assign write permissions to the groups.
This is the Microsoft way. to do it.
Avatar of mrwolf
Flag of Australia image


Thanks for the reply. That was my other option, the problem is they like to create files and folders in those top level folders, so can't realy do that.
With the config i gave you is possible.
I only forget to tell you that in advenced tab of permissions you'll all that you need for this. You have to make some test, but it is definitely possible.
Avatar of rpartington
Flag of United Kingdom of Great Britain and Northern Ireland image

Maybe Im missing something here.
Are you saying that you are allowing your end users to log into a 2003 servers top level C: or other drive E - F - G what ever it is and create top level folders???

If that is the case you are leaving that one drive wide open to a whole administration nightmare.

Why not create the top level share called something like

Then create departmental subfolders inside calledsomething along the lines of
Accounts - Sales - etc etc etc

And then give them access to these and allow them to create and rename or what ever you see fit with in these folders,
this is the standard way and use groups to control their access to each set of sub folders.
Avatar of mrwolf
Flag of Australia image


The folder is a network share that people map as a network drive. It has various folders like sales, marketing, finace etc. Each folder has a security group that allows access to that folder. My problem is that management doesn't want people to be able to rename the folder called marketing, but does want them to create and delete suff inside that marketing folder.

I will keep looking at ways to lock down the folder level but still wondering if there was some 3rd party utility that could do this without reverting to deny permissions.

Thanks for your comments so far..
Avatar of rpartington
Flag of United Kingdom of Great Britain and Northern Ireland image

Thats fine.
Right click on say sales.
Take the tick out of Inherit from Parent etc etc.
Select copy from the pop up.

Right all you need to do now is lets say you have a group called Sales with access to the sales top level and you want them to be able to rename and create files folders etc INSIDE the main top level sales folder but NOT rename the sales top level folder.

You set the sales group in twice.
While still in advanced select edit you set the permissions to prevent editing the top level sales folder by using the drop down APPLY ONTO

Now back in the advanced section add the sales group again and do the same as above but select

This sets one lot of permissions for sales on the sales folder, protecting it from changes but allows them to access the actual folder.
The 2nd set of permissions lets them create and delete and rename subfolders within the sales folder.

I cant tell you what premissions you will need as this is a case of trial and error for your own unique situation, but once you get your head round the APPLY ONTO options it should all make sense.
It definately works its just a case of you getting your permissions just right for your situation.

Hope this helps as it is awkward trying to get your head round it the 1st time.
Avatar of mrwolf
Flag of Australia image


Hi rpartington

Your idea sounds logical but I can't set permissions for the same group twice in the same access control list.

I have a pretty good understanding of NTFS and how permissions work but this has got me stumped.  

Avatar of rpartington
Flag of United Kingdom of Great Britain and Northern Ireland image

Check out my Attached word doc with some screen shots which Ive tried to make pretty obvious.

The top level folder is Shares
which is shared out with Authenticated users with full control, I always take everyone out, not sure why I do it like that just habit I guess as either everyone or authenticvated will do.

Inside I have the SALES folder which is the top level we could also have marketing accounts etc along side but just for purposes of showing you how I do it Ive just put sales in.

The permissions are then set on the sales folder.
I create a
Sales Global group
Sales Local group
The sales global is made a member of Sales Local
Sales local
is then added to the folder
All the users are put into the Sales global and gain membership of the sales folder through membership of the global group being a member of the local group.

You should be able to follow just by the screen shots,
Hope this helps

What you can also do to make it more granular is if you wanted to which Ive done on countless occasions is have say managers in a seperate group and give this group delete folders perm and dissalow the standard users the option to delete folders, this way if an entire folder or folders are deleted you know it could only of being one of the management team, it also helps to keep the folder directory nice and tidy if you only allow managers to create folders, but thats for you to decide that one.

Have a look at the screenshots hopefully they should help and please do let me know.
This was taken from a 2003 std server which was a domain member.

Avatar of rpartington
Flag of United Kingdom of Great Britain and Northern Ireland image

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Avatar of rpartington
Flag of United Kingdom of Great Britain and Northern Ireland image

Glad you got it sorted,
But why the Grade B???
You have perfect screenshots of how to do each procedure???.
Avatar of allenlocke

I can't create a folder inside the subfolder when I follow these instructions.  I am able to delete a folder that is already in the subfolder though.  Any thoughts?  Thanks!
Avatar of Rollin Kuhn
Rollin Kuhn
Flag of United States of America image

what's awkward is reading someone who can't seem to use punctuation consistently and trying to make sense of it, especially technical material.
Windows Server 2003
Windows Server 2003

Windows Server 2003 was based on Windows XP and was released in four editions: Web, Standard, Enterprise and Datacenter. It also had derivative versions for clusters, storage and Microsoft’s Small Business Server. Important upgrades included integrating Internet Information Services (IIS), improvements to Active Directory (AD) and Group Policy (GP), and the migration to Automated System Recovery (ASR).

Top Experts
Get a personalized solution from industry experts
Ask the experts
Read over 600 more reviews


IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo