Solved

NTFS Permissions

Posted on 2009-04-09
Last Modified: 2012-06-22
Dear Experts,

I need help with assigning permissions. Currently one of our Depts is saving sensitive details in a Word document on a share drive.

They currently have modify access.

The manager wants us to give them access to be able to save word documents to the folder only, but they shouldn't be able to read or edit the existing documents in that folder.

I tried giving them special permissions which are:

This Folder only:
    Traverse Folder / Execute File
    List Folder / Read Data
    Read Attributes
    Read Extended Attributes
    Create Files / Write Data
    Create Folders / Append Data
    Write Attributes
    Write Extended Attributes
    Read Permissions

Files only:
    Create Files / Write Data
    Create Folders / Append Data
    Write Attributes
    Write Extended Attributes
    Read Permissions


Now the users are unable to save new word documents to that folder.

I need to find out how to assign permissions to that dept so they are able to save new documents and cannot edit or open existing word documents.

Thank you,

mshaikh22
                     
Question by:mshaikh22
11 Comments
 
LVL 5

Assisted Solution

by:wpathan
wpathan earned 50 total points
ID: 24105789
In special permissions, please assign rights to individual users as
Write Data > Allow
Add the same user again in special permissions and assign Deny rights to the respective options.
In all there should be two entries for each user in special permissions, one that allows writing files and the other with deny access for deletion, read, modify etc.
0
 
LVL 7

Assisted Solution

by:maze-uk
maze-uk earned 50 total points
ID: 24105847
If your users can at least read their own data, you might grant access to 'Creator Owner' ...
0
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 400 total points
ID: 24106046
The users must be able to "List Folder / Read Data" and "Read Extended Attributes" to FILES ONLY in addition to the permissions you assigned to allow them to create files in that folder...
0

 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 400 total points
ID: 24106074
Oh and unfortunately, with the "List Folder / Read Data" permission, this allows them to open the files.

Remove the permission, they will not be able to create new documents either. You can't have it both ways! :)

I also found some strange behaviour - With the settings as I've said (what you've got with the addition of the ability to "List Folder / Read Data" and "Read Extended Attributes"), I could save new Word Documents with no problems. Not so with Excel Spreadsheets though - To save spreadsheets it required me to add the "This folder only" permission: "Delete Subfolders / Files". Once that was added, I can save spreadsheets too.

Strange eh? Must be something to do with the way the 2 different apps perform a save operation...
0
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 400 total points
ID: 24106111
Other things to bear in mind - Renaming files in that folder will also require the permission to delete files within that folder.

Anyone who has the ability to 'read' these docs, should also have the ability to 'delete' files within that folder - This is because every time you open a Word doc or whatever, a temporary file is created in that folder - Even if you don't make any changes, and just close the doc, the temp file will remain there because they don't have the perms to delete it.

It gets rather awkward when you're trying to do the sorts of things you're doing. MS's logic doesn't always lend itself nicely to what most people would see as logical... :)

Pete
0
 

Author Comment

by:mshaikh22
ID: 24106616
Thank you, Guys for all of your help.

This is what I have done,

After this, I am able to save new word documents to the folder. (Which is what I wanted)

I am not able to open other documents. (Which is what I wanted)

But I can still open and edit the documents that I have created.

Is there a way to prevent the user from opening or editing their own documents that they have created or saved?
 
folder.jpg
files.jpeg
0
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 400 total points
ID: 24106713
I honestly think that's as close as you're going to get, and you may have problems with the way you have it set up as it is... O.o

A certain level of trust is vital in these scenarios I'm afraid - If you don't trust them enough to view the files, they probably shouldn't be creating them in the first place!

Sorry!

Pete
0
 

Author Comment

by:mshaikh22
ID: 24109065
I agree with you. But my stupid manager wants it that way. I don't know why. If I make any other changes and save it to the folder, it gives me a memory error.
0
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 400 total points
ID: 24109859
That's because you need the delete subfolders / files permission on the containing folder. **Which also then allows them to delete anything in that folder** -

That's the problem, the way it works, doing exactly what you want just isn't really possible... NTFS perms don't allow you to separate the perms as you'd like.

Honestly, I think you'll just have to tell management that it's not possible, and that they need to rethink how they want to do it. It's not your fault, it's just the way it is! :)

However obviously feel free to wait and see if anyone else has an ingenious idea, but I don't think you can do it...

Pete
0
 

Author Comment

by:mshaikh22
ID: 24158064
Can you run a batch every night to remove the read attributes from the folder so the users don't have permissions to the old files?
0
 
LVL 19

Accepted Solution

by:
PeteJThomas earned 400 total points
ID: 24158376
You could run a batch file that moves the files out to another folder to which the users don't have any access maybe? Would that help?

So they'd have access to the current folder, and can create docs etc there, but then at whatever time, the batch runs, moves all the files out to another location, and just only allow any access at all to the people that need to be able to open/modify them?

That may work...
0
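The scheduled move suggested in the accepted solution, written out as an added example in PowerShell; it is not code from the thread or its participants. The two folder paths and the log file name are hypothetical placeholders, and the script goes beyond the suggestion by skipping documents that are still open, avoiding name collisions, and resetting ownership and ACLs after the move.

```powershell
# Added example, not from the thread. Run nightly from Task Scheduler as an admin account.
$DropFolder    = 'D:\Shares\DeptDrop'      # hypothetical: users may create files here
$ArchiveFolder = 'D:\Restricted\DeptDocs'  # hypothetical: only reviewers have access
$LogFile       = Join-Path $ArchiveFolder 'sweep.log'

function Write-SweepLog([string]$Message) {
    Add-Content -LiteralPath $LogFile -Value "$(Get-Date -Format s) $Message"
}

function Test-FileInUse([string]$Path) {
    try {
        # An exclusive open fails while Word or Excel still holds the document.
        $stream = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $stream.Close()
        return $false
    } catch {
        return $true   # locked or unreadable: leave it for the next run
    }
}

Get-ChildItem -LiteralPath $DropFolder -File | ForEach-Object {
    $file = $_
    # Skip Office owner/lock files (~$name.docx) and temp files from a save in progress.
    if ($file.Name -like '~$*' -or $file.Extension -eq '.tmp') { return }
    if (Test-FileInUse $file.FullName) { Write-SweepLog "SKIP in use: $($file.Name)"; return }

    # Never overwrite an earlier submission: prefix a timestamp on a name collision.
    $target = Join-Path $ArchiveFolder $file.Name
    if (Test-Path -LiteralPath $target) {
        $target = Join-Path $ArchiveFolder ("{0:yyyyMMdd-HHmmss}-{1}" -f (Get-Date), $file.Name)
    }
    try {
        Move-Item -LiteralPath $file.FullName -Destination $target -ErrorAction Stop
        # A move within one NTFS volume keeps the file's old ACL and owner, so the
        # creator could still reach it. Take ownership, then re-inherit from the archive.
        & icacls.exe $target /setowner '*S-1-5-32-544' | Out-Null   # BUILTIN\Administrators
        & icacls.exe $target /reset | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls /reset failed for $target" }
        Write-SweepLog "MOVED $($file.Name) -> $target"
    } catch {
        Write-SweepLog "FAIL $($file.Name): $($_.Exception.Message)"
    }
}
```

Until the sweep runs, creators keep whatever access the drop folder grants them to their own files, so the schedule interval sets the exposure window.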
