Solved

NTFS Permissions

Posted on 2009-04-09
Last Modified: 2012-06-22
Dear Experts,

I need help with assigning permissions. Currently one of our depts is saving sensitive details in a Word document on a shared drive.

They currently have modify access.

The manager wants us to give them access to be able to save word documents to the folder only, but they shouldn't be able to read or edit the existing documents in that folder.

I tried giving them special permissions which are:

This Folder only:
    Traverse Folder / Execute File
    List Folder / Read Data
    Read Attributes
    Read Extended Attributes
    Create Files / Write Data
    Create Folders / Append Data
    Write Attributes
    Write Extended Attributes
    Read Permissions

Files Only:
    Create Files / Write Data
    Create Folders / Append Data
    Write Attributes
    Write Extended Attributes
    Read Permissions


Now the users are unable to save new word documents to that folder.

I need to find out how to assign permissions to that dept so they are able to save new documents and cannot edit or open existing word documents.

Thank you,

mshaikh22
                     
Question by:mshaikh22
11 Comments
 
LVL 5

Assisted Solution

by:wpathan
wpathan earned 50 total points
In special permissions, please assign rights to individual users as
Write Data > Allow
Add the same user again in special permissions and assign Deny rights to the respective options.
In all there should be two entries for each user in special permissions, one that allows writing files and the other with deny access for deletion, read, modify, etc.
 
LVL 7

Assisted Solution

by:maze-uk
maze-uk earned 50 total points
If your users can at least read their own data, you might grant access to 'Creator Owner' ...
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 400 total points
The users must be able to "List Folder / Read Data" and "Read Extended Attributes" to FILES ONLY in addition to the permissions you assigned to allow them to create files in that folder...
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 400 total points
Oh and unfortunately, with the "List Folder / Read Data" permission, this allows them to open the files.

Remove the permission, they will not be able to create new documents either. You can't have it both ways! :)

I also found some strange behaviour - With the settings as I've said (what you've got with the addition of the ability to "List Folder / Read Data" and "Read Extended Attributes"), I could save new Word Documents with no problems. Not so with Excel Spreadsheets though - To save spreadsheets it required me to add the "This folder only" permission: "Delete Subfolders / Files". Once that was added, I can save spreadsheets too.

Strange eh? Must be something to do with the way the 2 different apps perform a save operation...
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 400 total points
Other things to bear in mind - Renaming files in that folder will also require the permission to delete files within that folder.

Anyone who has the ability to 'read' these docs should also have the ability to 'delete' files within that folder - This is because every time you open a Word doc or whatever, a temporary file is created in that folder - Even if you don't make any changes, and just close the doc, the temp file will remain there because they don't have the perms to delete it.

It gets rather awkward when you're trying to do the sorts of things you're doing. MS's logic doesn't always lend itself nicely to what most people would see as logical... :)

Pete

Author Comment

by:mshaikh22
Thank you, guys, for all of your help.

This is what I have done:

After this, I am able to save new Word documents to the folder. (Which is what I wanted)

I am not able to open other documents. (Which is what I wanted)

But I can still open and edit the documents that I have created.

Is there a way to prevent the user from opening or editing their own documents that they have created or saved?

[Attachments: folder.jpg, files.jpeg]
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 400 total points
I honestly think that's as close as you're going to get, and you may have problems with the way you have it set up as it is... O.o

A certain level of trust is vital in these scenarios I'm afraid - If you don't trust them enough to view the files, they probably shouldn't be creating them in the first place!

Sorry!

Pete
 

Author Comment

by:mshaikh22
I agree with you. But my stupid manager wants it that way. I don't know why. If I make any other changes and save it to the folder, it gives me a memory error.
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 400 total points
That's because you need the delete subfolders / files permission on the containing folder. **Which also then allows them to delete anything in that folder** -

That's the problem, the way it works, doing exactly what you want just isn't really possible... NTFS perms don't allow you to separate the perms as you'd like.

Honestly, I think you'll just have to tell management that it's not possible, and that they need to rethink how they want to do it. It's not your fault, it's just the way it is! :)

However obviously feel free to wait and see if anyone else has an ingenious idea, but I don't think you can do it...

Pete
 

Author Comment

by:mshaikh22
Can you run a batch every night to remove the read attributes from the folder so the users don't have permissions to the old files?
 
LVL 19

Accepted Solution

by:
PeteJThomas earned 400 total points
You could run a batch file that moves the files out to another folder to which the users don't have any access maybe? Would that help?

So they'd have access to the current folder, and can create docs etc there, but then at whatever time, the batch runs, moves all the files out to another location, and just only allow any access at all to the people that need to be able to open/modify them?

That may work...
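
The nightly move suggested in the accepted answer, sketched as a PowerShell scheduled-task script. This is an added example, not code posted by anyone in the thread; the two folder paths and the log file name are hypothetical, and it assumes the task runs under an administrative account.

```powershell
# Added example. Paths below are hypothetical; run as a scheduled task under an
# administrative account (icacls /setowner needs that privilege).
$DropFolder    = 'D:\Shares\DeptDrop'        # users may create files here
$ArchiveFolder = 'D:\Restricted\DeptArchive' # users have no access here
$Log           = Join-Path $ArchiveFolder 'sweep.log'

function Write-SweepLog([string]$Message) {
    Add-Content -LiteralPath $Log -Value ("{0} {1}" -f (Get-Date -Format s), $Message)
}

Get-ChildItem -LiteralPath $DropFolder -File -Force | ForEach-Object {
    $file = $_

    # Office lock/temp files (~$report.docx, ~WRL0001.tmp) belong to an open
    # document; leave them for the application to clean up.
    if ($file.Name -like '~*') { return }

    # Skip anything a user still has open: an exclusive open fails if so.
    try {
        $handle = [System.IO.File]::Open($file.FullName, 'Open', 'ReadWrite', 'None')
        $handle.Close()
    } catch {
        Write-SweepLog "SKIP (in use) $($file.Name)"
        return
    }

    # Timestamp the target name so a same-named upload never overwrites an
    # earlier one in the archive.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $ArchiveFolder ('{0}_{1}{2}' -f $file.BaseName, $stamp, $file.Extension)

    try {
        Move-Item -LiteralPath $file.FullName -Destination $target -ErrorAction Stop
        # A move within one NTFS volume keeps the file's old ACL and owner, so
        # the creator could still reach it. Take ownership away and replace the
        # ACL with what the archive folder passes down by inheritance.
        icacls $target /setowner 'BUILTIN\Administrators' | Out-Null
        icacls $target /reset | Out-Null
        Write-SweepLog "MOVED $($file.Name) -> $target"
    } catch {
        Write-SweepLog "FAIL $($file.Name): $($_.Exception.Message)"
    }
}
```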