NTFS Permissions

I thought I had a good handle on NTFS permissions, but I'm missing something...probably something obvious...hence this post.

I have a folder on a Windows 2003 Standard server that is shared and maps to a drive letter (G:) for all Domain Users.  This folder (hereafter referred to as G:) contains subfolders (hereafter referred to as 'project folders') for each project that our company works on.  

I want to configure G: so that Domain Users CANNOT create new files/folders or rename/delete/move project folders that already exist at this location.  We want to lock G: down in this manner so that IT controls the creation and naming conventions of everything at this location and users will not be able to 'accidentally' move/delete project folders when frantically clicking.  

Subsequently we want Domain Users to have the ability to 'modify' anything within the project folders.  Project files contained in project folders are theirs to organize, create, delete, etc. in whatever manner they see fit.

What is the best way to configure the NTFS permissions to achieve this?

Thanks in advance.
1 Solution
Go to Properties on the shared folder.
Go to the Sharing tab.
Click Permissions and grant Full Control to Everyone.
Go to the Security tab.
Click the Advanced button.
Uncheck the Inherit from parent the permission entries... box, and select Remove when prompted.
Click OK.
Add the Administrators group and the SYSTEM account (and any other groups which you want to be able to modify the project folders themselves) and grant them Full Control.
Add the Authenticated Users domain group and allow Read & Execute, List Folder Contents, and Read.
Click the Advanced button.
Add the Authenticated Users domain group.
Select the Apply onto dropdown menu and select Subfolders and files only.
Check the Allow boxes for the following permissions:
Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Create Files / Write Data
Create Folder / Append Data
Write Attributes
Write Extended Attributes
Delete Subfolders and Files
Read Permissions
Note: do not allow the permission which is just named Delete.

This should give users Write permission on all subfolders and files, but not on the project folders themselves.
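
The Security-tab steps from the answer above, expressed as a script. This is an added example, not part of the original answer: it assumes PowerShell is installed on the server, English account names, and a hypothetical local path `$Root` for the shared folder. The share permission step is not covered.

```powershell
# Added example. $Root is a hypothetical local path for the folder shared as G:.
$Root = 'D:\Shares\Projects'

$ns          = 'System.Security.AccessControl'
$inheritAll  = [Enum]::Parse("$ns.InheritanceFlags" -as [type], 'ContainerInherit, ObjectInherit')
$thisAndKids = [Enum]::Parse("$ns.PropagationFlags" -as [type], 'None')        # this folder, subfolders and files
$kidsOnly    = [Enum]::Parse("$ns.PropagationFlags" -as [type], 'InheritOnly') # subfolders and files only
$allow       = [Enum]::Parse("$ns.AccessControlType" -as [type], 'Allow')

function New-AllowRule([string]$Identity, [string]$Rights, $Propagation) {
    $fsRights = [Enum]::Parse("$ns.FileSystemRights" -as [type], $Rights)
    New-Object "$ns.FileSystemAccessRule" -ArgumentList `
        $Identity, $fsRights, $inheritAll, $Propagation, $allow
}

$acl = Get-Acl -Path $Root

# "Uncheck Inherit from parent ... and select Remove":
# protect the ACL and do not keep copies of the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

# Full Control for the groups that manage the project folders themselves.
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl' $thisAndKids))
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl' $thisAndKids))

# Read & Execute, List Folder Contents and Read for Authenticated Users.
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute' $thisAndKids))

# Advanced entry applied to "Subfolders and files only".
# The right named Delete is deliberately absent from this list.
$userRights = 'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ' +
              'CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes, ' +
              'DeleteSubdirectoriesAndFiles, ReadPermissions'
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\Authenticated Users' $userRights $kidsOnly))

Set-Acl -Path $Root -AclObject $acl

# Review the result: the write entry should show PropagationFlags = InheritOnly.
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Run it from an elevated session, then check the final table before letting users back onto the share.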
guruerror (Author) Commented:
That all makes sense and that's basically how I was setting things up; but this still allows Authenticated Users to drag one project folder and drop it into another.

For instance, if an Authenticated User drags PROJECTS01 and drops it on PROJECTS02 (accidentally, of course), the system will create a PROJECTS01 in PROJECTS02 and move all the contents of G:\PROJECTS01 to G:\PROJECTS02\PROJECTS01.  Granted, it will not delete the original (and now empty) PROJECTS01, but I'm trying to find a way to have it disallow the move in general.
I don't know of a native way to accomplish that.  What they're doing is writing files under one project folder and deleting them from under another.  If those are functions you normally want them to perform then there isn't a way to prohibit them just for dragging and dropping.
