Solved

NTFS Permissions

Posted on 2009-04-09
Medium Priority
Last Modified: 2012-06-22
Dear Experts,

I need help with assigning permissions. Currently one of our Depts is saving sensitive details in a Word document on a shared drive.

They currently have modify access.

The manager wants us to give them access to be able to save Word documents to the folder only, but they shouldn't be able to read or edit the existing documents in that folder.

I tried giving them special permissions which are:

This Folder only:
    Traverse Folder / Execute File
    List Folder / Read Data
    Read Attributes
    Read Extended Attributes
    Create Files / Write Data
    Create Folders / Append Data
    Write Attributes
    Write Extended Attributes
    Read Permissions

Files Only:
    Create Files / Write Data
    Create Folders / Append Data
    Write Attributes
    Write Extended Attributes
    Read Permissions

Now the users are unable to save new word documents to that folder.

I need to find out how to assign permissions to that dept so they are able to save new documents and cannot edit or open existing word documents.

Thank you,

mshaikh22
                     
Question by:mshaikh22
11 Comments
 
LVL 5

Assisted Solution

by:wpathan
wpathan earned 200 total points
ID: 24105789
In special permissions, please assign rights to individual users as
Write Data > Allow
Add the same user again in special permissions and assign Deny rights to the respective options.
In all there should be two entries for each user in special permissions, one that allows writing files and the other with deny access for deletion, read, modify etc.
0
 
LVL 7

Assisted Solution

by:maze-uk
maze-uk earned 200 total points
ID: 24105847
If your users can at least read their own data, you might grant access to 'Creator Owner' ...
0
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 1600 total points
ID: 24106046
The users must be able to "List Folder / Read Data" and "Read Extended Attributes" to FILES ONLY in addition to the permissions you assigned to allow them to create files in that folder...
0
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 1600 total points
ID: 24106074
Oh and unfortunately, with the "List Folder / Read Data" permission, this allows them to open the files.

Remove the permission, they will not be able to create new documents either. You can't have it both ways! :)

I also found some strange behaviour - With the settings as I've said (what you've got with the addition of the ability to "List Folder / Read Data" and "Read Extended Attributes"), I could save new Word Documents with no problems. Not so with Excel Spreadsheets though - To save spreadsheets it required me to add the "This folder only" permission: "Delete Subfolders / Files". Once that was added, I can save spreadsheets too.

Strange eh? Must be something to do with the way the 2 different apps perform a save operation...
0
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 1600 total points
ID: 24106111
Other things to bear in mind - Renaming files in that folder will also require the permission to delete files within that folder.

Anyone who has the ability to 'read' these docs, should also have the ability to 'delete' files within that folder - This is because every time you open a Word doc or whatever, a temporary file is created in that folder - Even if you don't make any changes, and just close the doc, the temp file will remain there because they don't have the perms to delete it.

It gets rather awkward when you're trying to do the sorts of things you're doing. MS's logic doesn't always lend itself nicely to what most people would see as logical... :)

Pete
0
 

Author Comment

by:mshaikh22
ID: 24106616
Thank you, Guys for all of your help.

This is what I have done,

After this, I am able to save new word documents to the folder. (Which is what I wanted)

I am not able to open other documents. (Which is what I wanted)

But I can still open and edit the documents that I have created.

Is there a way to prevent the user from opening or editing their own documents that they have created or saved?
 
folder.jpg
files.jpeg
0
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 1600 total points
ID: 24106713
I honestly think that's as close as you're going to get, and you may have problems with the way you have it set up as it is... O.o

A certain level of trust is vital in these scenarios I'm afraid - If you don't trust them enough to view the files, they probably shouldn't be creating them in the first place!

Sorry!

Pete
0
 

Author Comment

by:mshaikh22
ID: 24109065
I agree with you. But my stupid manager wants it that way. I don't know why. If I make any other changes and save it to the folder, it gives me a memory error.
0
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 1600 total points
ID: 24109859
That's because you need the delete subfolders / files permission on the containing folder. **Which also then allows them to delete anything in that folder** -

That's the problem, the way it works, doing exactly what you want just isn't really possible... NTFS perms don't allow you to separate the perms as you'd like.

Honestly, I think you'll just have to tell management that it's not possible, and that they need to rethink how they want to do it. It's not your fault, it's just the way it is! :)

However obviously feel free to wait and see if anyone else has an ingenious idea, but I don't think you can do it...

Pete
0
 

Author Comment

by:mshaikh22
ID: 24158064
Can you run a batch every night to remove the read attributes from the folder so the users don't have permissions to the old files?
0
 
LVL 19

Accepted Solution

by:
PeteJThomas earned 1600 total points
ID: 24158376
You could run a batch file that moves the files out to another folder to which the users don't have any access maybe? Would that help?

So they'd have access to the current folder, and can create docs etc there, but then at whatever time, the batch runs, moves all the files out to another location, and just only allow any access at all to the people that need to be able to open/modify them?

That may work...
0
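
The scheduled move suggested in the accepted answer could look like the following PowerShell script, run nightly as a scheduled task under an account with rights to both folders. This is an added example, not code from the thread; the paths, group name and log location are constructed placeholders.

```powershell
# Nightly sweep for a write-only drop folder (added example; all paths and
# group names below are constructed placeholders, not values from the thread).
$DropFolder  = 'D:\Shares\DeptDrop'        # users can create files here
$ArchiveRoot = 'D:\Secure\DeptArchive'     # users have no ACE here
$Reviewers   = 'EXAMPLE\Dept-Managers'     # people allowed to open/modify
$LogFile     = 'D:\Secure\Logs\drop-sweep.log'

# Create the archive root and log folder if missing (-Force is a no-op if present).
New-Item -ItemType Directory -Force -Path $ArchiveRoot, (Split-Path $LogFile) | Out-Null

# Grant explicit ACEs first, then drop inherited ones so no broad group
# keeps access through the parent folder.
icacls $ArchiveRoot /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' "${Reviewers}:(OI)(CI)M"
icacls $ArchiveRoot /inheritance:r

# One subfolder per day so a re-used file name does not overwrite an earlier drop.
$Dest = Join-Path $ArchiveRoot (Get-Date -Format 'yyyy-MM-dd')

# /MOV      copy, then delete the source file (top-level files only).
# /COPY:DAT data, attributes, timestamps; ACL and owner are NOT carried over,
#           so each file inherits the archive ACL and loses the creator's ownership.
# /XF       skip Office lock/temp files left behind by open documents.
# /R:1 /W:5 one retry for files still open; the next run picks them up.
robocopy $DropFolder $Dest /MOV /COPY:DAT /XF '~$*' '*.tmp' /R:1 /W:5 /NP "/LOG+:$LogFile"

# Robocopy exit codes of 8 or higher mean at least one copy failed.
if ($LASTEXITCODE -ge 8) {
    Write-Error "Drop-folder sweep failed, robocopy exit code $LASTEXITCODE (see $LogFile)"
    exit 1
}
exit 0
```

A plain `move` within the same volume keeps each file's existing ACL, which is why the example copies and deletes instead. Until the sweep runs, files remain readable by whoever created them, as noted earlier in the thread.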

Question has a verified solution.