NTFS Permissions

Posted on 2010-01-05
Last Modified: 2013-12-04
I thought I had a good handle on NTFS permissions, but I'm missing something...probably something obvious...hence this post.

I have a folder on a Windows 2003 Standard server that is shared and maps to a drive letter (G:) for all Domain Users.  This folder (hereafter referred to as G:) contains subfolders (hereafter referred to as 'project folders') for each project that our company works on.  

I want to configure G: so that Domain Users CANNOT create new files/folders or rename/delete/move project folders that already exist at this location.  We want to lock G: down in this manner so that IT controls the creation and naming conventions of everything at this location and users will not be able to 'accidentally' move/delete project folders when frantically clicking.  

Subsequently we want Domain Users to have the ability to 'modify' anything within the project folders.  Project files contained in project folders are theirs to organize, create, delete, etc. in whatever manner they see fit.

What is the best way to configure the NTFS permissions to achieve this?

Thanks in advance.
Question by: guruerror

    Accepted Solution

    Go to Properties on the shared folder.
    Go to the Sharing tab.
    Click Permissions and grant Full Control to Everyone.
    Go to the Security tab.
    Click the Advanced button.
    Uncheck the Inherit from parent the permission entries... box, and select Remove when prompted.
    Click OK.
    Add the Administrators group and the SYSTEM account (and any other groups which you want to be able to modify the project folders themselves) and grant them Full Control.
    Add the Authenticated Users domain group and allow Read & Execute, List Folder Contents, and Read.
    Click the Advanced button.
    Add the Authenticated Users domain group.
    Select the Apply onto dropdown menu and select Subfolders and files only.
    Check the Allow boxes for the following permissions:
    - Traverse Folder / Execute File
    - List Folder / Read Data
    - Read Attributes
    - Read Extended Attributes
    - Create Files / Write Data
    - Create Folder / Append Data
    - Write Attributes
    - Write Extended Attributes
    - Delete Subfolders and Files
    - Read Permissions
    Note: do not allow the permission which is just named Delete.

    This should give users Write permission on all subfolders and files, but not on the project folders themselves.
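The NTFS part of the steps above, scripted with the .NET access-control classes from PowerShell. This is an added example, not part of the original answer; the path in `$root` is a hypothetical placeholder, and PowerShell being installed on the server and run elevated is an assumption.

```powershell
# Added example. Sets only the NTFS ACL; share permissions are left untouched.
$root = 'D:\Shares\Projects'   # hypothetical local path behind the G: share

$inherit      = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$thisAndBelow = [System.Security.AccessControl.PropagationFlags]::None        # this folder, subfolders and files
$belowOnly    = [System.Security.AccessControl.PropagationFlags]::InheritOnly # subfolders and files only
$allow        = [System.Security.AccessControl.AccessControlType]::Allow

function New-AllowRule($identity, $rights, $propagation) {
    $fsRights = [System.Security.AccessControl.FileSystemRights]$rights
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $fsRights, $inherit, $propagation, $allow)
}

$acl = Get-Acl -Path $root

# "Uncheck inherit from parent ... select Remove": protect the ACL and
# discard the entries that were inherited from the parent.
$acl.SetAccessRuleProtection($true, $false)

# Full Control for the groups that manage the project folders themselves.
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl' $thisAndBelow))
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl' $thisAndBelow))

# Read-only entry that also covers the root, so users can browse it.
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute' $thisAndBelow))

# Write-style rights applied to subfolders and files only; the plain
# Delete right is deliberately absent from this list.
$below = 'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ' +
         'CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes, ' +
         'DeleteSubdirectoriesAndFiles, ReadPermissions'
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\Authenticated Users' $below $belowOnly))

Set-Acl -Path $root -AclObject $acl

# Read the ACL back and report, per Authenticated Users entry, where it
# applies and whether it includes the plain Delete right.
$delete = [System.Security.AccessControl.FileSystemRights]::Delete
(Get-Acl -Path $root).Access |
    Where-Object { $_.IdentityReference -like '*Authenticated Users' } |
    Select-Object FileSystemRights, PropagationFlags,
        @{ Name = 'GrantsDelete'; Expression = { ($_.FileSystemRights -band $delete) -ne 0 } }
```

Explicit entries already present on the folder are kept, as they are when the GUI steps are followed, so review the read-back output for anything left over from an earlier configuration.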

    Author Comment

    That all makes sense and that's basically how I was setting things up; but this still allows Authenticated Users to drag one project folder and drop it into another.

    For instance if an Authenticated User drags PROJECT01 and drops it on PROJECTS02 (accidentally, of course) the system will create a PROJECTS01 in PROJECTS02 and move all the contents of G:\PROJECTS01 to G:\PROJECTS02\PROJECTS01.  Granted it will not delete the original (and now empty) PROJECTS01, but I'm trying to find a way to have it disallow the move in general.

    Expert Comment

    I don't know of a native way to accomplish that.  What they're doing is writing files under one project folder and deleting them from under another.  If those are functions you normally want them to perform then there isn't a way to prohibit them just for dragging and dropping.
