Solved

NTFS Permissions:  How to prevent folder moves

Posted on 2009-04-03
Last Modified: 2012-05-06
Structure looks like this:

Share:  \\server\shared   Domain users have "list folder" permission, this folder only.

Beneath this "Shared" directory are multiple individual directories for departments (Marketing, Accounting, etc.).  The appropriate groups have NTFS modify permissions on their individual department folder.  

In some cases, a user will correctly have rights to more than one department so they can access both the Marketing and Accounting folders.  Some users get "click happy" and accidentally drag their entire Marketing folder into the Accounting folder for example.  

Is there a way I can protect these "parent" Marketing and Accounting folders so that the folder itself cannot be moved (or deleted), but still allow the users to have full control to the files within?

Thanks!
Question by:rvthost
LVL 15

Expert Comment

by:zelron22
ID: 24062048
You need to use advanced NTFS permissions, and on the  top level department folders give the users traverse folder/execute files, list folder/read data, and set it to apply only to this folder.  That way they can move things within the folder, but can't move that folder itself.

You may have to do this on multiple levels, depending on your folder structure.

Another method is to set the shares at the department level, so that they don't see the others, and for those people who have access across departments just map the shares to different drives.

LVL 15

Expert Comment

by:zelron22
ID: 24062059
Oh yeah, to get to the advanced NTFS permissions, get the folder properties and click the advanced button.  You can get very granular there.  You'll probably need to turn off inheritance and copy the current permissions to the folder before modifying them.
LVL 11

Author Comment

by:rvthost
ID: 24062419
Hi Zelron, thanks for the comments.  I see exactly what you are referencing; however, it seems that it won't let me add those permissions since the group already has Modify rights to the folder.  After hitting apply, it doesn't add a second line of permissions for that group.  Does that make sense?
LVL 15

Expert Comment

by:zelron22
ID: 24062464
Yes, it does make sense.  If you just add those permissions and modify is less restrictive, it just uses the modify.  You need to change the modify permissions to only apply to subfolders and files only, and then add the permissions for this folder only for the traverse, etc.
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 24062468
You have to set two levels of permission for the group:
1.  Apply the permissions described by Zelron for the Marketing Access Group and set the "Apply to" setting to "This folder only".
2.  Create new permissions for the Marketing Access Group to Modify and set the "Apply to" setting to "Subfolders and files only."
I believe this will work as you described you want it to.
0
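
The two-entry layout described in the comment above, as an added PowerShell example that is not part of the original thread. The folder path and group name are placeholders (assumptions), and the "This folder only" rights are the ones named earlier in the thread.

```powershell
# Placeholders (assumptions): local path behind \\server\shared and the group name.
$folder = 'D:\Shared\Marketing'
$group  = 'EXAMPLE\Marketing Access Group'

# 1. Break inheritance, keeping the inherited entries as explicit copies.
#    Written back first so the copied entries exist before they are edited.
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $folder -AclObject $acl

# 2. Remove every explicit entry for the group, including the old Modify entry
#    that applied to "This folder, subfolders and files".
$acl = Get-Acl -Path $folder
$account = New-Object System.Security.Principal.NTAccount($group)
$acl.PurgeAccessRules($account)

# 3. "This folder only": no inheritance flags, and no Delete right for the
#    group on the department folder object itself.
$folderOnly = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $group, 'Traverse, ListDirectory', 'None', 'None', 'Allow'

# 4. "Subfolders and files only": inherited by children; InheritOnly keeps the
#    Modify rights from applying to the department folder itself.
$childrenOnly = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $group, 'Modify', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow'

$acl.AddAccessRule($folderOnly)
$acl.AddAccessRule($childrenOnly)
Set-Acl -Path $folder -AclObject $acl

# 5. List the group's resulting entries: there should be exactly two,
#    one with no inheritance flags and one marked InheritOnly.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    Format-Table FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
```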
 
LVL 11

Author Comment

by:rvthost
ID: 24062720
Getting close!  Thanks for the continued support.  We're migrating from Netware and are getting up to speed quickly, but some things are quite different :)  

The permissions are close.  I assigned them as specified and thanks for the clarification regarding more/less restrictive.  With these permissions, this is now the effect:

- On my test user, with Windows Explorer open and Marketing and Accounting folders visible, I set the file rights.  I try to move the Marketing folder into Accounting and it fails, correctly.  

- Users can't create subfolders within Marketing or Accounting.  I think this makes sense based on the permissions, but doesn't work too well for us.  

- Once Windows Explorer is closed, users see no visible folders when accessing their network drive (\\server\shared).  i.e.  they no longer see Marketing or Accounting.


Am I just creating file permission hell, or is there something easy that I am missing?  Thanks again.

LVL 11

Author Comment

by:rvthost
ID: 24062725
Screenshot 2:
screenshot1.jpg
LVL 15

Expert Comment

by:zelron22
ID: 24062794
Whoops, yeah, they'll need a little bit more. Edit the settings for THIS FOLDER ONLY to include Create Folders/Append Data and if you also want them to be able to create files at the root of that folder, then add Create Files / Write Data.

That should do it.
LVL 11

Author Comment

by:rvthost
ID: 24062876
No problem, I made the changes....

- Users can create files/folders now, good.

- Users can't see the marketing/accounting folders from their drive mapping.  It's not visible after setting permissions, not good.

- When I try to move Marketing into Accounting, it gets an error, the marketing folder stays put, but it copies the entire marketing folder and moves all sub folders/files into the Accounting folder.  Basically it moved everything over, it just didn't move the parent folder, not good of course.

LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 100 total points
ID: 24062971
The "List folder/read data" setting should make the folder visible to the users.
Unfortunately, once you give them the ability to create folders and write data to the main folder, the behavior you see when trying to copy is going to happen.  Do they absolutely have to have the ability to create folders at the top level within the main folder?
LVL 11

Author Comment

by:rvthost
ID: 24063039
To your first point, that is my understanding too, but for some reason it's still not visible.

To your second point, I might be able to work around that so we can ignore that piece.  We'll assume that we will not allow them to create folders/files in the root.
LVL 11

Author Comment

by:rvthost
ID: 24063051
More info:  The folders are not visible as previously mentioned and if I try to access Y:\Marketing directly, I get "access to the resource has been disallowed".
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 24063098
What are the share permissions on the Marketing folder?
LVL 15

Expert Comment

by:zelron22
ID: 24063112
Hmm.  I believe we have to change the Traverse Folder / Execute File and List folder / Read Data to include this folder and subfolders.
LVL 11

Author Comment

by:rvthost
ID: 24063122
We're not sharing the marketing folder directly.  We make a single share one level higher:

Share:  \\server\shared   Domain users have "list folder" permission, this folder only.

Then we use NTFS permissions to grant different groups to the various sub folders.  This allows us to have a single drive letter that is consistent for all.
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 24063149
I think that may be your problem - try changing that top level (Shared) "List folder" permission to "This folder and subfolders."
LVL 11

Author Comment

by:rvthost
ID: 24063157
@Zelron:  No change after changing to include this folder and subfolders.

@All:  Be advised, access-based enumeration is enabled on the share.  We have to mimic our Netware behavior in that users cannot see folders or files that they don't have permission to, regardless of whether they are able to open them or not.  However, it is my understanding that ABE shouldn't be a problem...the users do have rights to the marketing folder so they "should" see it.  Thanks!
LVL 11

Author Comment

by:rvthost
ID: 24063158
@hypercat:  I did try changing the share to folder and subfolders as well, no change.
LVL 11

Author Comment

by:rvthost
ID: 24063198
Ok, I temporarily disabled ABE and the folders appeared.  I removed the users' rights to the Accounting folder and the user still sees that folder even though he cannot access it which I cannot have.

I guess I can't have it both ways????
LVL 15

Expert Comment

by:zelron22
ID: 24063220
Yes, if ABE is enabled, users who have at least the right to access it should see it.

Heh... I just noticed that that was the Marketing folder.  This needs to be set at the folder that is shared.

> Hmm.  I believe we have to change the Traverse Folder / Execute File and List folder / Read Data to include this folder and subfolders.
LVL 15

Expert Comment

by:zelron22
ID: 24063269
folder structure and permissions

Dept_Folders -- Traverse/Execute, List folder/read data -- this folder and sub folders
             Marketing -- Modify/read -- this folder, subfolder, and files
             Accounting -- Modify/read -- this folder, subfolder and files
             ....etc.
LVL 11

Author Comment

by:rvthost
ID: 24063272
I did modify the share "Shared" as well.  ABE is back on, can't see Marketing or Accounting though.
LVL 11

Author Comment

by:rvthost
ID: 24063330
Confirming from your last post:

Shared -- Traverse/Execute, List folder/read data -- this folder and sub folders
             Marketing -- Modify/read -- subfolders and files only
             Marketing -- Traverse/Execute, List folder/read data - this folder and subfolders
             Accounting -- Modify/read -- subfolders and files only
             Accounting -- Traverse/Execute, List folder/read data - this folder and subfolders

I can't do as you posted "Marketing -- Modify/read -- this folder, subfolder, and files" otherwise it doesn't prevent folder moves.  With that permission, I can of course see the folder again, but I am free to move the marketing folder wherever I want.
LVL 15

Expert Comment

by:zelron22
ID: 24063341
riiiiiiiigt... :)

This tool may be helpful.  You may already know about it if you're using ABE.

http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx
LVL 11

Author Comment

by:rvthost
ID: 24063387
Good tool, thanks.  It was going to be a future question :)

File rights look fine to me based on its results.  It may be time to scrap this idea and let the users learn from their mistakes when moving the folders.
LVL 15

Accepted Solution

by:
zelron22 earned 400 total points
ID: 24063468
I know it works, I've done it...not sure why it's not working here.  Alas, I'm a tactile person...  Good luck!
LVL 11

Author Comment

by:rvthost
ID: 24063518
No problem, I appreciate the help and lesson in file rights.  Points for effort are on their way.
LVL 11

Author Closing Comment

by:rvthost
ID: 31566344
Thanks again!