Solved

User without delete permissions can still delete files

Posted on 2009-03-31
Medium Priority
330 Views
Last Modified: 2013-12-05
We are running Windows 2000 Server (soon to be upgraded) and have what seems like a simple process to implement.

We have digital photos that we need to keep in a directory structure like this
(I've never posted on here so I don't know if this will be mangled)
\Digital Photos
  \A
    \0001
      jpg files go here
    \0002
      jpg files go here
  \B
    \0001
      same as above
    \0002
    ......

Users should be able to create new folders under A and B (i.e. 0003 and so on) and put files in them.

Every 15 minutes I want to run a script that makes all of the files and directories under A and B "read only", meaning that they can't be deleted or moved without getting an admin involved.

The permissions on "Digital Photos" are set for "Domain Users" to have all but:
Delete
Change Permissions
Take Ownership

Another group and the Administrators group have full control.

A and B inherit permissions.

My script uses cacls to hit all of the FILES (selected using FORFILES testing @ISDIR for files) and does the following cacls on them in 2 passes:
/E /R "Domain Users"
/E /G "Domain Users":R

This seems like it should work, the effective permissions for a test user show only:
Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Read Permissions

BUT the user can still delete the files in the 0001 level directories that they create.

I have tried setting the owner of the file to Administrator.
I have tried breaking inheritance at the 0001 directory level to eliminate the permissions from the A and B directories.
I have tried using cacls to change the permissions on the 0001 directory to the same as the individual files using cacls as above so the directory isn't inheriting anything from higher levels.
All of these have no noticeable effect on the "effective permissions" when the test user hits the share (except for the change of ownership).

BUT the test user can STILL delete the files without so much as a warning.

I'm scratching my head at this point, anybody have any ideas?

Everything says I should not be able to delete the files as a "Domain Users" member, but my test user is always able to.....

I'm sure I'm missing something obvious....

Thanks!
Question by:TheVirtualizer
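
Added example, not part of the original post: a simplified Python model of the documented NTFS rule that a delete is allowed by either DELETE on the file or "Delete Subfolders and Files" (FILE_DELETE_CHILD) on the containing folder, a right that "all but Delete, Change Permissions, Take Ownership" leaves granted. The ACLs are constructed from the question's description; ownership, inheritance flags and privileges are not modelled.

```python
# Added illustration: simplified model of the NTFS delete check (not a Windows API).
# Access-mask bits are the documented winnt.h values.
FILE_READ_DATA, FILE_ADD_FILE, FILE_ADD_SUBDIR = 0x0001, 0x0002, 0x0004
FILE_READ_EA, FILE_WRITE_EA, FILE_TRAVERSE = 0x0008, 0x0010, 0x0020
FILE_DELETE_CHILD = 0x0040            # "Delete Subfolders and Files"
FILE_READ_ATTR, FILE_WRITE_ATTR = 0x0080, 0x0100
DELETE, READ_CONTROL = 0x010000, 0x020000
WRITE_DAC, WRITE_OWNER = 0x040000, 0x080000

# The five rights the question lists as effective on a file after the cacls passes
READ = FILE_READ_DATA | FILE_READ_EA | FILE_TRAVERSE | FILE_READ_ATTR | READ_CONTROL
FULL = (READ | FILE_ADD_FILE | FILE_ADD_SUBDIR | FILE_WRITE_EA | FILE_DELETE_CHILD
        | FILE_WRITE_ATTR | DELETE | WRITE_DAC | WRITE_OWNER)

def granted(dacl, groups):
    """Walk ACEs in order; a deny ACE blocks only bits not already allowed."""
    allowed = denied = 0
    for kind, trustee, mask in dacl:
        if trustee not in groups:
            continue
        if kind == "allow":
            allowed |= mask & ~denied
        else:
            denied |= mask & ~allowed
    return allowed

def can_delete(file_dacl, parent_dacl, groups):
    """Delete succeeds with DELETE on the file OR FILE_DELETE_CHILD on its folder."""
    return bool(granted(file_dacl, groups) & DELETE
                or granted(parent_dacl, groups) & FILE_DELETE_CHILD)

# Constructed ACLs mirroring the question's description
user = {"Domain Users"}
no_del = DELETE | WRITE_DAC | WRITE_OWNER
folder_as_posted = [("allow", "Domain Users", FULL & ~no_del),
                    ("allow", "Administrators", FULL)]
folder_tightened = [("allow", "Domain Users", FULL & ~(no_del | FILE_DELETE_CHILD)),
                    ("allow", "Administrators", FULL)]
file_after_cacls = [("allow", "Domain Users", READ), ("allow", "Administrators", FULL)]

def demo():
    return {
        "file_rights_include_delete": bool(granted(file_after_cacls, user) & DELETE),
        "delete_with_folder_as_posted": can_delete(file_after_cacls, folder_as_posted, user),
        "delete_with_folder_tightened": can_delete(file_after_cacls, folder_tightened, user),
        "can_still_add_files": bool(granted(folder_tightened, user) & FILE_ADD_FILE),
    }
```

In this model the file's own ACL never has to grant DELETE for the delete to succeed, which is why checking effective permissions on the file alone does not settle the question.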
3 Comments
Assisted Solution

by:GMorineau
GMorineau earned 80 total points
ID: 24034555
1) Create a new group and put the users able to access the folder "Digital Photos" in this group.
2) Let only this group and a folder admin group have rights to "Digital Photos".
3) Set only read and create for this group, and modify for the "folder admin" group.

No script needed. More simple, more sure.

Author Comment

by:TheVirtualizer
ID: 24038156
GMorineau - thanks for the suggestion. If I understand your reply, I'm not sure that would work for me.

The problem is that I need to have pretty much all users (hence "Domain Users") able to add directories and files to those directories, then make it so that those users can't touch it shortly after creation.
Unfortunately we have a large number of users on 3 shifts that need to work with these for reference after they are created, but we can't allow them to alter them.

Maybe I'm missing something about your answer?

Accepted Solution

by:
TheVirtualizer earned 0 total points
ID: 24316228
Found a way to handle it using a script created using FILEACL (a free tool that gives better options than are available with cacls and xcacls) - anybody needing details just drop me a line.

Question has a verified solution.