lighthousekeeper
asked on
Prevent users from being able to move folders
Hi,
I'm trying to implement a solution on our Windows 2008 file server to prevent users from being able to move root folders. What often happens is a user will inadvertently drag and drop a root folder into another one and it then "goes missing".
I tried to follow this solution:
http://waynes-world-it.blogspot.com/2008/06/preventing-accidental-ntfs-data-moves.html
But am having trouble implementing it. Does anyone have a step by step guide regarding the above solution or have a better way? The above link seems like an ideal solution, but I can't get the permissioning down properly.
The "placeholder" file needs read only for which group? How do I actually set the "read only"? Is that read only permission or attribute? Do I deny the rest for the group in question?
Now what about the actual directory which I want to prevent from being moved, what specific permissions do I apply to this?
This seems like such a simple thing to implement but so difficult. I'm curious to hear your expert suggestions on this solution or another.
Thanks!
I'm trying to implement a solution on our Windows 2008 file server to prevent users from being able to move root folders. What often happens is a user will inadvertently drag and drop a root folder into another one and it then "goes missing".
I tried to follow this solution:
http://waynes-world-it.blogspot.com/2008/06/preventing-accidental-ntfs-data-moves.html
But am having trouble implementing it. Does anyone have a step by step guide regarding the above solution or have a better way? The above link seems like an ideal solution, but I can't get the permissioning down properly.
The "placeholder" file needs read only for which group? How do I actually set the "read only"? Is that read only permission or attribute? Do I deny the rest for the group in question?
Now what about the actual directory which I want to prevent from being moved, what specific permissions do I apply to this?
This seems like such a simple thing to implement but so difficult. I'm curious to hear your expert suggestions on this solution or another.
Thanks!
It sounds like what you want to do is set permissions on the root folder that allow read access and then apply the write access to the lower folders.
The best way is to go into the properties of the folders you do not want moved, and under the security tab click the advanced button. From this screen you can click on the group/user in question, click the Change Permissions button and uncheck the Include inheritable permissions... checkbox.
You will be prompted to copy the permissions or remove them. If you choose copy, you will then have all your permissions as before but be able to change them on this folder and down.
Once you have adjusted the permissions on the sub folders, you can change the permissions on the root share folder to Read & Execute with no write. It will not push down on the folders you already took inheritance off of, and will stop users of that group from changing things in the root folder.
The best way is to go into the properties of the folders you do not want moved, and under the security tab click the advanced button. From this screen you can click on the group/user in question, click the Change Permissions button and uncheck the Include inheritable permissions... checkbox.
You will be prompted to copy the permissions or remove them. If you choose copy, you will then have all your permissions as before but be able to change them on this folder and down.
Once you have adjusted the permissions on the sub folders, you can change the permissions on the root share folder to Read & Execute with no write. It will not push down on the folders you already took inheritance off of, and will stop users of that group from changing things in the root folder.
It sounds like what you want to do is set permissions on the root folder that allow read access and then apply the write access to the lower folders.
The best way is to go into the properties of the folders you do not want moved, and under the security tab click the advanced button. From this screen you can click on the group/user in question, click the Change Permissions button and uncheck the Include inheritable permissions... checkbox.
You will be prompted to copy the permissions or remove them. If you choose copy, you will then have all your permissions as before but be able to change them on this folder and down.
Once you have adjusted the permissions on the sub folders, you can change the permissions on the root share folder to Read & Execute with no write. It will not push down on the folders you already took inheritance off of, and will stop users of that group from changing things in the root folder.
The best way is to go into the properties of the folders you do not want moved, and under the security tab click the advanced button. From this screen you can click on the group/user in question, click the Change Permissions button and uncheck the Include inheritable permissions... checkbox.
You will be prompted to copy the permissions or remove them. If you choose copy, you will then have all your permissions as before but be able to change them on this folder and down.
Once you have adjusted the permissions on the sub folders, you can change the permissions on the root share folder to Read & Execute with no write. It will not push down on the folders you already took inheritance off of, and will stop users of that group from changing things in the root folder.
ASKER
Unfortunately, that still doesn't help me. I need step by step instructions on how to implement this because what you suggest doesn't seem to be working for me.
Thanks.
Thanks.
I might have time later tonight to do something with screen shots.
ASKER
I would greatly appreciate that, or a reference to elsewhere if this is documented in detail. Thank you.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Here is a quick and dirty PDF with some examples. See if this is enough to get you started.
quick-access-howto.pdf
quick-access-howto.pdf
ASKER
.
ASKER
We contacted Microsoft on this and they said it's not possible:
I tried to research on your issue again and even though I give full control to subfolders and files and only read permission to this folder only. It is not working. This happens because the permissions always have cumulative effect. It will start reading permission from top to bottom and the most restrictive will apply. So if we are blocking users from drag and drop at top level, They lose control of making any changes to folders and files. And this is carried forward to the bottom folders and files. SO the settings which your are trying to apply is not possible. I also tried to see if there is any work around. But there is not work around as such. If you have any questions please email me. I didn’t email you earlier as I was still trying to find solution to this issue.
So, we have no options. What to do??? Third party solution??
I tried to research on your issue again and even though I give full control to subfolders and files and only read permission to this folder only. It is not working. This happens because the permissions always have cumulative effect. It will start reading permission from top to bottom and the most restrictive will apply. So if we are blocking users from drag and drop at top level, They lose control of making any changes to folders and files. And this is carried forward to the bottom folders and files. SO the settings which your are trying to apply is not possible. I also tried to see if there is any work around. But there is not work around as such. If you have any questions please email me. I didn’t email you earlier as I was still trying to find solution to this issue.
So, we have no options. What to do??? Third party solution??
The best way is to go into the properties of the folders you do not want moved, and under the security tab click the