Solved

NTFS Permissions

Posted on 2009-04-09
Last Modified: 2012-06-22
Dear Experts,

I need help with assigning permissions. Currently one of our Depts is saving sensitive details in a Word document on a share drive.

They currently have modify access.

The manager wants us to give them access to be able to save Word documents to the folder only, but they shouldn't be able to read or edit the existing documents in that folder.

I tried giving them special permissions which are:

This Folder only:
    Traverse Folder / Execute File
    List Folder / Read Data
    Read Attributes
    Read Extended Attributes
    Create Files / Write Data
    Create Folders / Append Data
    Write Attributes
    Write Extended Attributes
    Read Permissions

Files Only:
    Create Files / Write Data
    Create Folders / Append Data
    Write Attributes
    Write Extended Attributes
    Read Permissions


Now the users are unable to save new Word documents to that folder.

I need to find out how to assign permissions to that dept so they are able to save new documents and cannot edit or open existing Word documents.

Thank you,

mshaikh22
                     
0
Comment
Question by:mshaikh22
11 Comments
 
LVL 5

Assisted Solution

by:wpathan
wpathan earned 200 total points
ID: 24105789
In special permissions, please assign rights to individual users as
Write Data > Allow
Add the same user again in special permissions and assign Deny rights to the respective options.
In all, there should be two entries for each user in special permissions: one that allows writing files and another with deny access for deletion, read, modify, etc.
0
 
LVL 7

Assisted Solution

by:maze-uk
maze-uk earned 200 total points
ID: 24105847
If your users can at least read their own data, you might grant access to 'Creator Owner' ...
0
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 1600 total points
ID: 24106046
The users must be able to "List Folder / Read Data" and "Read Extended Attributes" to FILES ONLY in addition to the permissions you assigned to allow them to create files in that folder...
0
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 1600 total points
ID: 24106074
Oh and unfortunately, with the "List Folder / Read Data" permission, this allows them to open the files.

Remove the permission, they will not be able to create new documents either. You can't have it both ways! :)

I also found some strange behaviour - With the settings as I've said (what you've got with the addition of the ability to "List Folder / Read Data" and "Read Extended Attributes"), I could save new Word Documents with no problems. Not so with Excel Spreadsheets though - To save spreadsheets it required me to add the "This folder only" permission: "Delete Subfolders / Files". Once that was added, I could save spreadsheets too.

Strange eh? Must be something to do with the way the 2 different apps perform a save operation...
0
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 1600 total points
ID: 24106111
Other things to bear in mind - Renaming files in that folder will also require the permission to delete files within that folder.

Anyone who has the ability to 'read' these docs, should also have the ability to 'delete' files within that folder - This is because every time you open a Word doc or whatever, a temporary file is created in that folder - Even if you don't make any changes, and just close the doc, the temp file will remain there because they don't have the perms to delete it.

It gets rather awkward when you're trying to do the sorts of things you're doing. MS's logic doesn't always lend itself nicely to what most people would see as logical... :)

Pete
0
 

Author Comment

by:mshaikh22
ID: 24106616
Thank you, guys, for all of your help.

This is what I have done,

After this, I am able to save new word documents to the folder. (Which is what I wanted)

I am not able to open other documents. (Which is what I wanted)

But I can still open and edit the documents that I have created.

Is there a way to prevent the user from opening or editing their own documents that they have created or saved?
 
folder.jpg
files.jpeg
0
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 1600 total points
ID: 24106713
I honestly think that's as close as you're going to get, and you may have problems with the way you have it set up as it is... O.o

A certain level of trust is vital in these scenarios I'm afraid - If you don't trust them enough to view the files, they probably shouldn't be creating them in the first place!

Sorry!

Pete
0
 

Author Comment

by:mshaikh22
ID: 24109065
I agree with you. But my stupid manager wants it that way. I don't know why. If I make any other changes and save it to the folder, it gives me a memory error.
0
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 1600 total points
ID: 24109859
That's because you need the delete subfolders / files permission on the containing folder. **Which also then allows them to delete anything in that folder** -

That's the problem, the way it works, doing exactly what you want just isn't really possible... NTFS perms don't allow you to separate the perms as you'd like.

Honestly, I think you'll just have to tell management that it's not possible, and that they need to rethink how they want to do it. It's not your fault, it's just the way it is! :)

However, obviously feel free to wait and see if anyone else has an ingenious idea, but I don't think you can do it...

Pete
0
 

Author Comment

by:mshaikh22
ID: 24158064
Can you run a batch every night to remove the read attributes from the folder so the users don't have permissions to the old files?
0
 
LVL 19

Accepted Solution

by:PeteJThomas
PeteJThomas earned 1600 total points
ID: 24158376
You could run a batch file that moves the files out to another folder to which the users don't have any access maybe? Would that help?

So they'd have access to the current folder, and can create docs etc there, but then at whatever time, the batch runs, moves all the files out to another location, and just only allow any access at all to the people that need to be able to open/modify them?

That may work...
0
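
The scheduled move suggested in the accepted answer could look like the PowerShell sweep below. It is an added example, not code from the thread; the two folder paths, the 15-minute age threshold, and a scheduled-task account with modify rights on both folders are assumptions.

```powershell
# Added example: scheduled sweep for the "drop folder" approach.
# $DropPath and $ArchivePath are hypothetical paths. The archive folder's ACL
# must grant access only to the people allowed to open the documents.
param(
    [string]$DropPath      = 'D:\Shares\DeptDrop',
    [string]$ArchivePath   = 'D:\Restricted\DeptArchive',
    [int]   $MinAgeMinutes = 15
)

function Test-FileLocked([string]$Path) {
    # Try an exclusive open; failure means an application still holds the file.
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $fs.Close()
        return $false
    } catch {
        return $true
    }
}

$cutoff = (Get-Date).AddMinutes(-$MinAgeMinutes)

Get-ChildItem -LiteralPath $DropPath -File -Force |
    # Skip Office owner/lock files (~$name.docx) and anything saved very recently.
    Where-Object { $_.Name -notlike '~$*' -and $_.LastWriteTime -lt $cutoff } |
    ForEach-Object {
        # Still open in Word or Excel: leave it for the next run.
        if (Test-FileLocked $_.FullName) { return }

        # Prefix a timestamp so two users saving "Report.docx" do not collide.
        $name = '{0:yyyyMMdd-HHmmss}_{1}' -f $_.LastWriteTime, $_.Name
        $dest = Join-Path $ArchivePath $name
        if (Test-Path -LiteralPath $dest) { return }   # never overwrite

        Move-Item -LiteralPath $_.FullName -Destination $dest

        # A move within one NTFS volume keeps the file's existing ACL, including
        # entries it picked up in the drop folder. Reset it so the file inherits
        # the archive folder's restricted ACL instead.
        icacls $dest /reset /Q | Out-Null
    }
```

Between runs, files remain in the drop folder under whatever permissions that folder grants, so the interval of the scheduled task sets how long a newly saved document stays reachable by its creator.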
