mrwolf

Prevent folders renaming to top level folders

Hi,
I have a task where I need to prevent network users from making changes to the top level folder tree on our Windows network. We have a single shared top level folder with lots of sub folders. People are of course able to add files within these folders, but I need to prevent them from renaming the top level folders. I have tried using NTFS deny permissions but it seems to be problematic. I would really like a Microsoft solution.
Any ideas?
OS Security, Windows Server 2003

Point-In-Cyberspace

Only NTFS permissions can do that. On top level folders set read only and in advanced permissions check the bypass traverse checking. This is for the groups that should not be able to modify names of top level folders.
On the content of the top level folders select all and assign write permissions to the groups.
This is the Microsoft way to do it.
mrwolf

ASKER

Thanks for the reply. That was my other option, the problem is they like to create files and folders in those top level folders, so can't really do that.
With the config I gave you it is possible.
I only forgot to tell you that in the advanced tab of permissions you'll find all that you need for this. You have to do some testing, but it is definitely possible.
rpartington

Maybe I'm missing something here.
Are you saying that you are allowing your end users to log into a 2003 server's top level C: or other drive E - F - G whatever it is and create top level folders???

If that is the case you are leaving that one drive wide open to a whole administration nightmare.

Why not create the top level share called something like

Shares ( NO ONE CAN CHANGE THIS)
Then create departmental subfolders inside called something along the lines of
Accounts - Sales - etc etc etc

And then give them access to these and allow them to create and rename or whatever you see fit within these folders,
this is the standard way and use groups to control their access to each set of sub folders.
mrwolf

ASKER

The folder is a network share that people map as a network drive. It has various folders like sales, marketing, finance etc. Each folder has a security group that allows access to that folder. My problem is that management doesn't want people to be able to rename the folder called marketing, but does want them to create and delete stuff inside that marketing folder.

I will keep looking at ways to lock down the folder level but still wondering if there was some 3rd party utility that could do this without reverting to deny permissions.

Thanks for your comments so far..
rpartington

That's fine.
Right click on say sales.
Properties
Security
Advanced
Take the tick out of Inherit from Parent etc etc.
Select copy from the pop up.

Right all you need to do now is lets say you have a group called Sales with access to the sales top level and you want them to be able to rename and create files folders etc INSIDE the main top level sales folder but NOT rename the sales top level folder.

You set the sales group in twice.
While still in advanced select edit you set the permissions to prevent editing the top level sales folder by using the drop down APPLY ONTO
AND SELECT THIS FOLDER.

Now back in the advanced section add the sales group again and do the same as above but select
APPLY ONTO
SUB FOLDERS AND FILES ONLY

This sets one lot of permissions for sales on the sales folder, protecting it from changes but allows them to access the actual folder.
The 2nd set of permissions lets them create and delete and rename subfolders within the sales folder.

I can't tell you what permissions you will need as this is a case of trial and error for your own unique situation, but once you get your head round the APPLY ONTO options it should all make sense.
It definitely works, it's just a case of you getting your permissions just right for your situation.

Hope this helps as it is awkward trying to get your head round it the 1st time.
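
The two "Apply onto" entries described in the post above, written as a PowerShell script. This is an added example, not part of the original thread; the path `D:\Shares\Sales`, the account `EXAMPLE\Sales Local` and the specific rights chosen for each entry are assumptions to adapt and test.

```powershell
# Added example. Folder path and group name are placeholders (assumptions).
$folder = 'D:\Shares\Sales'
$group  = New-Object System.Security.Principal.NTAccount('EXAMPLE\Sales Local')

# Step 1: stop inheriting from the parent but keep a copy of the inherited
# entries (the GUI equivalent: clear "Inherit from parent", choose Copy).
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $folder -AclObject $acl

# Step 2: re-read the ACL so the copied entries are now explicit, then
# remove whatever the group held before so only the two rules below remain.
$acl = Get-Acl -Path $folder
$acl.PurgeAccessRules($group)

# Entry 1, "This folder only": list the folder and add new files and folders.
# Delete is deliberately left out; without Delete on the folder itself the
# group cannot rename or remove the top level folder.
$topRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'ReadAndExecute, CreateFiles, CreateDirectories',
    'None', 'None', 'Allow')

# Entry 2, "Subfolders and files only": Modify on everything below the folder.
# InheritOnly means this entry is never evaluated against the folder itself.
$childRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'Modify',
    'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow')

# Same account, different inheritance flags: the ACL keeps them as two entries.
$acl.AddAccessRule($topRule)
$acl.AddAccessRule($childRule)
Set-Acl -Path $folder -AclObject $acl

# Check the result: expect two rows for the group, one with no inheritance
# flags and one marked InheritOnly.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $group.Value } |
    Format-Table FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

The parent folder matters as well: if the group holds "Delete subfolders and files" on the parent of the protected folder, it can still rename that folder, so the parent should give users read access only.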
mrwolf

ASKER

Hi rpartington

Your idea sounds logical but I can't set permissions for the same group twice in the same access control list.

I have a pretty good understanding of NTFS and how permissions work but this has got me stumped.  


rpartington

Hi
Check out my attached Word doc with some screen shots which I've tried to make pretty obvious.

The top level folder is Shares
which is shared out with Authenticated Users with full control, I always take Everyone out, not sure why I do it like that, just habit I guess, as either Everyone or Authenticated will do.

Inside I have the SALES folder which is the top level, we could also have marketing, accounts etc alongside, but just for purposes of showing you how I do it I've just put sales in.

The permissions are then set on the sales folder.
I create a
Sales Global group
a
Sales Local group
The sales global is made a member of Sales Local
Sales local
is then added to the folder
All the users are put into the Sales global and gain membership of the sales folder through membership of the global group being a member of the local group.

You should be able to follow just by the screen shots,
Hope this helps

What you can also do to make it more granular, if you wanted to, which I've done on countless occasions, is have say managers in a separate group and give this group delete folders permission and disallow the standard users the option to delete folders, this way if an entire folder or folders are deleted you know it could only have been one of the management team, it also helps to keep the folder directory nice and tidy if you only allow managers to create folders, but that's for you to decide that one.

Have a look at the screenshots hopefully they should help and please do let me know.
This was taken from a 2003 std server which was a domain member.

Roy
roy-partington.doc
ASKER CERTIFIED SOLUTION
rpartington
rpartington

Glad you got it sorted,
But why the Grade B???
You have perfect screenshots of how to do each procedure???.
allenlocke

I can't create a folder inside the subfolder when I follow these instructions.  I am able to delete a folder that is already in the subfolder though.  Any thoughts?  Thanks!
Rollin Kuhn

what's awkward is reading someone who can't seem to use punctuation consistently and trying to make sense of it, especially technical material.