javajo asked:

Sanity check on securing NTFS root folder from accidental moves & deletes

Good afternoon all:

Running Windows 2003 AD with NTFS file shares

We have a primary DFS file share called "A".
We have about 25 subfolders underneath that get accidentally moved all the time.

Would like to put an end to this (and take a hammer to the people not paying attention when using their mouse)


Steps I've taken:
On each of the 25 sub folders I've turned off "inherit permissions from parent" and assigned individual NTFS permissions to each of the 25 folders, typically involving modify access for all required users.  I want the users to be able to create and modify folders and documents within the sub folders.  I really don't care if they accidentally move stuff in these sub folders.

The "root" share or "A" is set to full control to all domain users.

Currently users are able to move the 25 sub folders into other sub folders in the root:
So if root is A:
and I have sub folder B
and I have sub folder C

Assuming domain users have full access to both B & C - users can move folder B into folder C.

Here's my question - proposed solution.

At the root share (A) - I limit domain users to Read and list folders.
Domain admins have full control.
That should prevent users from accidentally moving the sub folders.

Does this make sense?

Tags: Microsoft Legacy OS, Active Directory

Chris Dent

It depends on the degree of control your users have over the individual sub-folders, not the parent.

For instance, if they have full control over "sub folder A" setting read permission on the parent folder will not stop them moving "sub folder A" inside another.

You might be better setting an explicit deny on write / delete for the folder itself, provided you don't allow that to inherit it should work. There's a catch though... some operations will move the content and only fail on the final step, deleting the original folder. The content will still move.

Chris
javajo

ASKER
Thanks Chris -
Yep - we've tried setting perms on the individual folders and exactly that happens - but that also prevents them from deleting within the folder etc., which they need to do.

I don't care what they do within the subfolders....
I DO care about the structure of the root.

main share A
     folder b
     folder c
     folder d

I want to prevent users from moving b to c etc...

I think I can accomplish this by restricting access to "read" and "traverse folders" at the main share point - then prevent the sub folders from inheriting from the root and assigning appropriate perms at the sub folder level.

Make sense?

Chris Dent


I do something similar, I have the same kind of structure, read only on the main share.

For the sub-folders I have:

Deny Delete - This Folder Only (applied to Folder objects not files)
Allow Read - This Folder Only (applied to Folder objects not files)
Allow Modify - Sub-Folders and Files

It means that they cannot delete or change the parent, nor can they move the parent folder itself, but they can play with the contents (except for setting permissions, which I keep).

Chris
javajo

ASKER
Thanks Chris -

I'm turning on auditing too so we can kindly ask the fat-fingered person to refrain from dragging and dropping folders.

So aggravating...

Chris Dent


I know exactly what you mean, I have auditing on delete enabled for the same reason :)

Chris
javajo

ASKER
Ughhh..

Doesn't work.  

If a user has access to the folder they try to copy to, they are able to complete the copy on the subfolders... even with the NTFS set to read at the root.
What is your share permission set to at the root?

Mine is Everyone Full.
Chris Dent


I think I need to clarify what I meant when I said this:

> It means that they cannot delete or change the parent, nor can they move the parent folder itself, but they can
> play with the contents (except for setting permissions, which I keep).

There's no way around this, you can't prevent them moving things without denying delete on all objects (and then it won't prevent the copy being created).

I mean you can set this:

ShareRoot
  Share Permissions: Everyone - Allow Full Control
  NTFS Permissions: Everyone (or some group) - Allow Read and Execute

Shareroot\SomeFolder
  NTFS Permissions: Some Group - Deny Delete (This folder only)
                                Some Group - Allow Modify (children will inherit)

It will prevent users from deleting SomeFolder, but it will not prevent them deleting the contents.

A Move operation is Copy then Delete, so it will copy the contents, delete the old files and only fail on the very last step, deleting SomeFolder.

The same applies to Delete. If you select SomeFolder and hit delete the contents will be removed first, the last step is removing SomeFolder, the operation will only fail on deletion of SomeFolder and that's far too late to save the contents.

Unfortunately it's about the best we can get with NTFS permissions. If we were able to deny delete on everything we could stop it moving. Unfortunately half the packages in Office will need Delete in order to save over an existing file.

Chris
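The layout Chris describes in his two replies above (read-only root, Deny Delete on the sub-folder itself, Allow Modify on its contents only), written out as icacls and net share commands. This is an added example, not something posted in the thread; the path D:\Shares\A, the share name A and the group CONTOSO\FileUsers are assumptions.

```powershell
# Added example: the read-only-root / deny-delete-on-subfolder layout as icacls commands.
# Assumed (not from the thread): share folder D:\Shares\A published as \\server\A,
# and the users who work in the sub-folders are members of CONTOSO\FileUsers.
$Root  = 'D:\Shares\A'
$Users = 'CONTOSO\FileUsers'

# Share-level permission: Everyone Full Control, so the NTFS ACL alone decides access.
net share "A=$Root" "/GRANT:Everyone,FULL"

# Root "A": drop inherited ACEs, admins keep Full Control, users get Read & Execute only.
# Users deliberately get no Modify here, so the root holds no Delete Subfolders and Files
# right for them; NTFS would otherwise let them delete a child through the parent.
icacls $Root /inheritance:r
icacls $Root /grant 'Domain Admins:(OI)(CI)F'
icacls $Root /grant "${Users}:(OI)(CI)RX"

# Each sub-folder: stop inheriting from A, then the three ACEs from Chris's post.
foreach ($Name in 'B', 'C', 'D') {
    $Sub = Join-Path $Root $Name
    icacls $Sub /inheritance:r
    icacls $Sub /grant 'Domain Admins:(OI)(CI)F'
    # Allow Read - This Folder Only (no inheritance flags = the folder object itself)
    icacls $Sub /grant "${Users}:RX"
    # Allow Modify - Sub-Folders and Files only ((IO) = inherit-only, never the folder itself)
    icacls $Sub /grant "${Users}:(OI)(CI)(IO)M"
    # Deny Delete - This Folder Only. Deny ACEs are evaluated first, so this wins over Modify.
    icacls $Sub /deny "${Users}:(DE)"
}

# Check: dump the resulting ACLs for the whole tree so the three ACEs can be reviewed.
icacls $Root /t /c
```

As Chris notes, this only stops the final step of a move or delete: the contents under the sub-folder still carry Modify and are copied or removed before the Deny Delete on the folder itself is hit.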
javajo

ASKER
Good morning Chris -

Ok - applied permissions as you stated.

Now here is the issue.

It seems that users of Windows 7 cannot move the subfolders into other subfolders.  Perms work correctly.

Others who are using XP can still move the subfolders into other subfolders.  They initially receive an error.  Then what ends up happening is the contents of the subfolder are moved into the destination subfolder, with the "shell" of the subfolder being left behind...
Effective permissions for both users of Win 7 and XP are the same.

so for instance..

when the XP user attempts to move a subfolder into another sub-folder this is what happens:

Before user of XP move

Root
   sub folder A
           file1
           file2
           file3
   sub folder B
           file4
           file5
           file6

after move

Root
   sub folder A
           
   sub folder B
           file4
           file5
           file6
           sub folder A
           file1
           file2
           file3

Users of Windows 7 are fine - they cannot move the folders....

Thoughts?

Thanks again!

ASKER CERTIFIED SOLUTION
Chris Dent

(Accepted answer hidden behind the site's membership wall.)