  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 330

NTFS Permissions

Dear Experts,

I need help with assigning permissions. Currently one of our depts is saving sensitive details in a Word document on a share drive.

They currently have modify access.

The manager wants us to give them access to be able to save Word documents to the folder only, but they shouldn't be able to read or edit the existing documents in that folder.

I tried giving them special permissions which are:

This Folder only:
  • Traverse Folder / Execute File
  • List Folder / Read Data
  • Read Attributes
  • Read Extended Attributes
  • Create Files / Write Data
  • Create Folders / Append Data
  • Write Attributes
  • Write Extended Attributes
  • Read Permissions

Files only:
  • Create Files / Write Data
  • Create Folders / Append Data
  • Write Attributes
  • Write Extended Attributes
  • Read Permissions


Now the users are unable to save new Word documents to that folder.

I need to find out how to assign permissions to that dept so they are able to save new documents and cannot edit or open existing Word documents.

Thank you,

mshaikh22
                     
0
 
wpathanCommented:
In special permissions, please assign rights to individual users as
Write Data > Allow
Add the same user again in special permissions and assign Deny rights to the respective options.
In all there should be two entries for each user in special permissions, one that allows writing files and another that denies access for deletion, read, modify etc.
0
 
maze-ukCommented:
If your users can at least read their own data, you might grant access to 'Creator Owner' ...
0
 
PeteJThomasCommented:
The users must be able to "List Folder / Read Data" and "Read Extended Attributes" to FILES ONLY in addition to the permissions you assigned to allow them to create files in that folder...
0
 
PeteJThomasCommented:
Oh and unfortunately, with the "List Folder / Read Data" permission, this allows them to open the files.

Remove the permission, they will not be able to create new documents either. You can't have it both ways! :)

I also found some strange behaviour - With the settings as I've said (what you've got with the addition of the ability to "List Folder / Read Data" and "Read Extended Attributes"), I could save new Word Documents with no problems. Not so with Excel Spreadsheets though - To save spreadsheets it required me to add the "This folder only" permission: "Delete Subfolders / Files". Once that was added, I can save spreadsheets too.

Strange eh? Must be something to do with the way the 2 different apps perform a save operation...
0
 
PeteJThomasCommented:
Other things to bear in mind - Renaming files in that folder will also require the permission to delete files within that folder.

Anyone who has the ability to 'read' these docs, should also have the ability to 'delete' files within that folder - This is because every time you open a Word doc or whatever, a temporary file is created in that folder - Even if you don't make any changes, and just close the doc, the temp file will remain there because they don't have the perms to delete it.

It gets rather awkward when you're trying to do the sorts of things you're doing. MS's logic doesn't always lend itself nicely to what most people would see as logical... :)

Pete
0
 
mshaikh22Author Commented:
Thank you, Guys for all of your help.

This is what I have done,

After this, I am able to save new Word documents to the folder. (Which is what I wanted)

I am not able to open other documents. (Which is what I wanted)

But I can still open and edit the documents that I have created.

Is there a way to prevent the user from opening or editing their own documents that they have created or saved?
 
folder.jpg
files.jpeg
0
 
PeteJThomasCommented:
I honestly think that's as close as you're going to get, and you may have problems with the way you have it set up as it is... O.o

A certain level of trust is vital in these scenarios I'm afraid - If you don't trust them enough to view the files, they probably shouldn't be creating them in the first place!

Sorry!

Pete
0
 
mshaikh22Author Commented:
I agree with you. But my stupid manager wants it that way. I don't know why. If I make any other changes and save it to the folder, it gives me a memory error.
0
 
PeteJThomasCommented:
That's because you need the delete subfolders / files permission on the containing folder. **Which also then allows them to delete anything in that folder** -

That's the problem, the way it works, doing exactly what you want just isn't really possible... NTFS perms don't allow you to separate the perms as you'd like.

Honestly, I think you'll just have to tell management that it's not possible, and that they need to rethink how they want to do it. It's not your fault, it's just the way it is! :)

However, obviously feel free to wait and see if anyone else has an ingenious idea, but I don't think you can do it...

Pete
0
 
mshaikh22Author Commented:
Can you run a batch every night to remove the read attributes from the folder so the users don't have permissions to the old files?
0
 
PeteJThomasCommented:
You could run a batch file that moves the files out to another folder to which the users don't have any access maybe? Would that help?

So they'd have access to the current folder, and can create docs etc there, but then at whatever time, the batch runs, moves all the files out to another location, and just only allow any access at all to the people that need to be able to open/modify them?

That may work...
0
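The nightly move suggested in the last comment, sketched in PowerShell as an added example that is not part of the original thread. It skips the Office lock and temp files mentioned earlier, leaves documents that are still open, and replaces the owner and ACL after the move, because a file moved within the same volume keeps both and an owner can always grant themselves access again. The folder paths and the new owner are assumptions.

```powershell
# Added example, not from the thread. Run from a scheduled task under an account
# with Modify on the drop folder and Full Control on the archive.
param(
    [string]$DropFolder    = 'D:\Shares\DeptDrop',        # hypothetical path
    [string]$ArchiveFolder = 'D:\Restricted\DeptArchive', # hypothetical path
    [string]$NewOwner      = 'BUILTIN\Administrators'     # assumed archive owner
)

function Test-FileLocked([string]$Path) {
    # A document still open in Word/Excel cannot be opened exclusively.
    # Any failure (including a read-only file) is treated as "leave it alone".
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $fs.Close()
        return $false
    } catch { return $true }
}

function Get-UniqueTarget([string]$Folder, [string]$Name) {
    # Never overwrite an archived file that has the same name.
    $target = Join-Path $Folder $Name
    $base = [System.IO.Path]::GetFileNameWithoutExtension($Name)
    $ext  = [System.IO.Path]::GetExtension($Name)
    $n = 0
    while (Test-Path -LiteralPath $target) {
        $n++
        $target = Join-Path $Folder ('{0}_{1:yyyyMMdd}_{2}{3}' -f $base, (Get-Date), $n, $ext)
    }
    return $target
}

Get-ChildItem -LiteralPath $DropFolder -File -Force |
    Where-Object { $_.Name -notlike '~$*' -and $_.Extension -ne '.tmp' } |
    ForEach-Object {
        if (Test-FileLocked $_.FullName) {
            Write-Warning "Skipping open file: $($_.Name)"
            return   # inside ForEach-Object this moves on to the next file
        }
        $dest = Get-UniqueTarget $ArchiveFolder $_.Name
        Move-Item -LiteralPath $_.FullName -Destination $dest
        # A same-volume move keeps the old ACL and owner; the owner can always
        # re-grant themselves access, so replace both.
        icacls $dest /setowner $NewOwner | Out-Null
        icacls $dest /reset | Out-Null   # back to ACEs inherited from the archive
        if ($LASTEXITCODE -ne 0) { Write-Warning "ACL reset failed: $dest" }
    }
```

Until the task runs, the creator can still open and edit their own new files in the drop folder, so the schedule interval sets how long that window stays open.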
