rvthost

NTFS Permissions: How to prevent folder moves

Structure looks like this:

Share:  \\server\shared   Domain users have "list folder" permission, this folder only.

Beneath this "Shared" directory are multiple individual directories for departments (Marketing, Accounting, etc.).  The appropriate groups have NTFS modify permissions on their individual department folder.  

In some cases, a user will correctly have rights to more than one department so they can access both the Marketing and Accounting folders.  Some users get "click happy" and accidentally drag their entire Marketing folder into the Accounting folder for example.  

Is there a way I can protect these "parent" Marketing and Accounting folders so that the folder itself cannot be moved (or deleted), but still allow the users to have full control to the files within?

Thanks!
zelron22

You need to use advanced NTFS permissions, and on the  top level department folders give the users traverse folder/execute files, list folder/read data, and set it to apply only to this folder.  That way they can move things within the folder, but can't move that folder itself.

You may have to do this on multiple levels, depending on your folder structure.

Another method is to set the shares at the department level, so that they don't see the others, and for those people who have access across departments just map the shares to different drives.

Oh yeah, to get to the advanced NTFS permissions, get the folder properties and click the advanced button.  You can get very granular there.  You'll probably need to turn off inheritance and copy the current permissions to the folder before modifying them.
rvthost

ASKER

Hi Zelron, thanks for the comments.  I see exactly what you are referencing; however, it seems that it won't let me add those permissions since the group already has Modify rights to the folder.  After hitting apply, it doesn't add a second line of permissions for that group.  Does that make sense?
screenshot1.jpg
Yes, it does make sense.  If you just add those permissions and modify is less restrictive, it just uses the modify.  You need to change the modify permissions to only apply to subfolders and files only, and then add the permissions for this folder only for the traverse, etc.
Hypercat (Deb)
You have to set two levels of permission for the group:
1.  Apply the permissions described by Zelron for the Marketing Access Group and set the "Apply to" setting to "This folder only".
2.  Create new permissions for the Marketing Access Group to Modify and set the "Apply to" setting to "Subfolders and files only."
I believe this will work as you described you want it to.
rvthost

ASKER

Getting close!  Thanks for the continued support.  We're migrating from Netware and are getting up to speed quickly, but some things are quite different :)  

The permissions are close.  I assigned them as specified and thanks for the clarification regarding more/less restrictive.  With these permissions, this is now the effect:

- On my test user, with Windows Explorer open and Marketing and Accounting folders visible, I set the file rights.  I try to move the Marketing folder into Accounting and it fails, correctly.  

- Users can't create subfolders within Marketing or Accounting.  I think this makes sense based on the permissions, but doesn't work too well for us.  

- Once Windows Explorer is closed, users see no visible folders when accessing their network drive (\\server\shared).  i.e.  they no longer see Marketing or Accounting.


Am I just creating file permission hell or something easy that I am missing?  Thanks again.



rvthost

ASKER

Screenshot 2:
screenshot1.jpg
Whoops, yeah, they'll need a little bit more. Edit the settings for THIS FOLDER ONLY to include Create Folders/Append Data and if you also want them to be able to create files at the root of that folder, then add Create Files / Write Data.

That should do it.
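
The two-entry layout described in the replies above (a "this folder only" entry with Traverse, List and Create Folders, plus a "Subfolders and files only" Modify entry), scripted in PowerShell as an added example that is not part of the original thread. The `EXAMPLE\` domain prefix is a placeholder, and the script assumes it is run by an administrator of the share.

```powershell
# Added example. The EXAMPLE\ domain prefix is a placeholder; the folder and
# group names come from the thread. Try it on a scratch folder first.
$folder  = '\\server\shared\Marketing'
$account = [System.Security.Principal.NTAccount]'EXAMPLE\Marketing Access Group'

# Step 1: stop inheriting from \\server\shared, keeping a copy of the
# inherited entries. Re-read afterwards so the copies show up as explicit.
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $folder -AclObject $acl
$acl = Get-Acl -Path $folder

# Step 2: drop the group's existing Modify entry ("this folder, subfolders
# and files"); left in place, it overrides the narrower entry added below.
$acl.PurgeAccessRules($account)

# Step 3: "This folder only" = no inheritance flags.
$folderOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account,
    [System.Security.AccessControl.FileSystemRights]'Traverse, ListDirectory, CreateDirectories',
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Step 4: "Subfolders and files only" = inherit to containers and objects,
# InheritOnly so the entry does not apply to the folder itself.
$childrenOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl.AddAccessRule($folderOnly)
$acl.AddAccessRule($childrenOnly)
Set-Acl -Path $folder -AclObject $acl

# Review the result: expect two entries for the group.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $account.Value } |
    Format-Table FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Modify on subfolders and files still lets users delete, and therefore move, everything beneath the folder, which matches the behaviour reported later in the thread.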
rvthost

ASKER

No problem, I made the changes....

- Users can create files/folders now, good.

- Users can't see the marketing/accounting folders from their drive mapping.  It's not visible after setting permissions, not good.

- When I try to move Marketing into Accounting, it gets an error, the marketing folder stays put, but it copies the entire marketing folder and moves all sub folders/files into the Accounting folder.  Basically it moved everything over, it just didn't move the parent folder, not good of course.

SOLUTION
Hypercat (Deb)

This solution is only available to members.
rvthost

ASKER

To your first point, that is my understanding too, but for some reason it's still not visible.

To your second point, I might be able to work around that so we can ignore that piece.  We'll assume that we will not allow them to create folders/files in the root.
screenshot1.jpg
rvthost

ASKER

More info:  The folders are not visible as previously mentioned and if I try to access Y:\Marketing directly, I get access to the resource has been disallowed.
What are the share permissions on the Marketing folder?
Hmm.  I believe we have to change the Traverse Folder / Execute File and List folder / Read Data to include this folder and subfolders.
rvthost

ASKER

We're not sharing the marketing folder directly.  We make a single share one level higher:

Share:  \\server\shared   Domain users have "list folder" permission, this folder only.

Then we use NTFS permissions to grant different groups to the various sub folders.  This allows us to have a single drive letter that is consistent for all.
I think that may be your problem - try changing that top level (Shared) "List folder" permission to "This folder and subfolders."
rvthost

ASKER

@Zelron:  No change after changing to include this folder and subfolders.

@All:  Be advised, access-based enumeration is enabled on the share.  We have to mimic our Netware behavior in that users cannot see folders or files that they don't have permission to, regardless of whether they are able to open them or not.  However, it is my understanding that ABE shouldn't be a problem...the users do have rights to the marketing folder so they "should" see it.  Thanks!
rvthost

ASKER

@hypercat:  I did try changing the share to folder and subfolders as well, no change.
rvthost

ASKER

Ok, I temporarily disabled ABE and the folders appeared.  I removed the users' rights to the Accounting folder and the user still sees that folder even though he cannot access it which I cannot have.

I guess I can't have it both ways????
Yes, if ABE is enabled, users who have at least the right to access it should see it.

heh...I just noticed that that was the marketing folder.  this needs to be set at the folder that is shared.

>Hmm.  I believe we have to change the Traverse Folder / Execute File and List folder / Read Data to include this folder and subfolders.
folder structure and permissions

Dept_Folders -- Traverse/Execute, List folder/read data -- this folder and sub folders
             Marketing -- Modify/read -- this folder, subfolder, and files
             Accounting -- Modify/read -- this folder, subfolder and files
             ....etc.
rvthost

ASKER

I did modify the share "Shared" as well.  ABE is back on, can't see Marketing or Accounting though.
screenshot1.jpg
rvthost

ASKER

Confirming from your last post:

Shared -- Traverse/Execute, List folder/read data -- this folder and sub folders
             Marketing -- Modify/read -- subfolders and files only
             Marketing -- Traverse/Execute, List folder/read data - this folder and subfolders
             Accounting -- Modify/read -- subfolders and files only
             Accounting -- Traverse/Execute, List folder/read data - this folder and subfolders

I can't do as you posted "Marketing -- Modify/read -- this folder, subfolder, and files" otherwise it doesn't prevent folder moves.  With that permission, I can of course see the folder again, but I am free to move the marketing folder wherever I want.
riiiiiiiigt... :)

This tool may be helpful.  You may already know about it if you're using ABE.

http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx
rvthost

ASKER

Good tool, thanks.  It was going to be a future question :)

File rights look fine to me based on its results.  It may be time to scrap this idea and let the users learn from their mistakes when moving the folders.
screenshot1.jpg
ASKER CERTIFIED SOLUTION
This solution is only available to members.
rvthost

ASKER

No problem, I appreciate the help and lesson in file rights.  Points for effort are on their way.
rvthost

ASKER

Thanks again!