NTFS Permissions

Need a little help applying NTFS folder permissions.

Under the company root share folder (Drive G:) there are 35 shared folders, divided by department. Under each department shared folder there are 2 folders, one called 'deptonly' and the other called 'everyone'. Permissions are assigned by AD group.

My goal is to reset permissions more efficiently.

1. No user can make any modifications to any of the 35 shared folders, or the 2 folders underneath (no copy, move, delete, rename...no modifying at all).

2. Users who are in the security group for their department can access the 'deptonly' folder and make any changes that want to everything underneath it, except full control and anything as well as the 'everyone' folder.

3. All folders to be visible to everyone.


What I've done so far is that on one of the department folders I am not inheriting permissions to any of the security groups from the parent (root share). I set up the domain users group with special permissions of allow 'list folder / read data' - apply to: This folder Only.

On the 'dept only' folder I gave the domain users group modify permissions, which will be inherited to all subfolders and files.

I logged on as a domain user and verified that I cannot copy or move the department folder, but if I try to delete it, it starts to delete.

On the 'everyone' folder I'm assuming by giving everyone modify privileges that would reach my goal.

Why does the folder delete when they don't have the privilege, and any recommendations if there is a more efficient way to do this?
Thanks!
tolinromeAsked:
Brian PiercePhotographerCommented:
If you want to prohibit delete then go to the ADVANCED options on the security tab, open the Everyone or group and remove (or deny) the delete option
markdmacCommented:
to expand on what KCTS has said, there is a drop down where you can specify THIS FOLDER ONLY versus THIS FOLDER, SUBFOLDERS AND FILES.
tolinromeAuthor Commented:
KCTS - The everyone group is for shares and I want everyone to access the share. It's the NTFS permissions I need help with.

Permissions are assigned by security groups.

There is a folder called 'ACCT' that is shared to everyone (which I want) and it is not inheriting permissions from the parent Root share (hard drive).

Under the 'ACCT' folder there are 2 folders - one called 'everyone' and one called 'dept only'.

Everyone should be able to see all 3 folders and not to modify any of the 3 folders themselves.

I need everyone to be able to go in and access the 'everyone' folder and under that folder they are able to make any modifications they want, except full control.

I need only the accounting dept to be able to go into the ACCT folder and do whatever they want, except full control, to the folders/files under the ACCT folder.

On the Acct folder I set permissions for domain users to have only special permission of list folder/ read data - but I logged on as a domain user and tried to delete the ACCT folder and it started to delete. I then applied the special of deny- delete - apply to this folder only to domain users and still they can delete the folder.

Also, if I give modify permissions to both folders under the ACCT folder will I be able to meet my goal?

markdmacCommented:
Modify lets you delete.

Looks like you want your permissions to be set to the following

ACCT
Block Inheritance.
Everyone Read & Execute, List Folder Contents, Read
Go to Advanced.  Select This Folder Only, set Everyone DENY on Delete.

Everyone(folder)
Block Inheritance.
Everyone Click full control then uncheck full control.
Go to Advanced.  Select This Folder Only, set Everyone DENY on Delete.

Acct
Block Inheritance.
Everyone Read & Execute, List Folder Contents, Read
Accounting Dept Click full control then uncheck full control.
Accounting group Click full control then uncheck full control.
Go to Advanced.  Select This Folder Only, set Everyone DENY on Delete.
tolinromeAuthor Commented:
If I select everyone deny on delete, won't that even block domain admins from deleting? Which I would not want to do.

Also, if I set the Deny for delete for Domain Users it adds an additional group for Domain Users for that deny delete entry itself, so I now have 2 Domain Users Groups.
Brian PiercePhotographerCommented:
Yes denying delete on EVERYONE will prevent admins from deleting - better to just remove the DELETE permission for EVERYONE; then unless the delete permission is explicitly given by membership of another group they can't delete (admins can then still delete if the admins have that permission by virtue of their membership of the admins group)
markdmacCommented:
If you read my suggestion carefully I am recommending that you deny deletion on the folder only, not the files within it.  I find it hard to believe you would even want Admins to be able to delete the folder with files in it.  And if you did you could simply remove that setting along with all other permissions since a deletion of the folder would remove all permissions anyway.
tolinromeAuthor Commented:
I want domain admins to have full control of everything and:

When I set the Deny for delete for Domain Users it adds an additional group for Domain Users for that deny delete entry itself, so I now have 2 Domain Users Groups. Why does it do that?
markdmacCommented:
I wish I could tell you why that behavior is exhibited but that would need to be asked of a Microsoft engineer.  It is however "normal".

Domain admins always have the ability to take ownership or change permissions.  In this case you don't lose any functionality if you do as I have recommended.  At worst case, if you wanted to delete the folder you would need to remove the Deny.  You would however NEVER be doing that unless you were removing everyone else's access to the folder (since it would be deleted), so you don't lose any day to day management capabilities.
Brian PiercePhotographerCommented:
You don't need to DENY Domain Users, simply removing the tick from the DELETE option in the advanced permissions will be enough.
As Administrators by default are added to the permissions list (ACL), with full control, then they will still be able to delete.
That way Domain Users have no deny permission but Administrators do - no need to explicitly deny anyone
Brian PiercePhotographerCommented:
oops, a slight typo

You don't need to DENY Domain Users, simply removing the tick from the DELETE option in the advanced permissions will be enough.
As Administrators by default are added to the permissions list (ACL), with full control, then they will still be able to delete.
That way Domain Users have no delete permission but Administrators do - no need to explicitly deny anyone
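The layout markdmac spelled out (ACCT with an 'everyone' and a 'dept only' subfolder, inheritance blocked, the folders themselves protected) together with Brian Pierce's refinement (leave DELETE unticked rather than adding a Deny) can be applied from PowerShell instead of the Advanced Security dialog. The script below is an added example and is not code from the thread or from either commenter. It assumes the folder is at G:\ACCT, that the domain is called EXAMPLE, and that the accounting department's group is named EXAMPLE\Accounting; all three are placeholders. It re-adds SYSTEM and BUILTIN\Administrators explicitly because blocking inheritance drops the inherited entries (Domain Admins are members of the local Administrators group on a domain-joined server by default). Run it in an elevated PowerShell on the file server.

```powershell
# Added example, not code from the thread. Builds the NTFS DACL for the
# ACCT / everyone / deptonly layout with .NET FileSystemAccessRule objects.
# Placeholders (not from the thread): G:\ACCT, the EXAMPLE domain and the
# EXAMPLE\Accounting group.

$Acct        = 'G:\ACCT'
$DomainUsers = 'EXAMPLE\Domain Users'
$Accounting  = 'EXAMPLE\Accounting'

# Modify is a bundle that includes Delete. Masking Delete out is the
# "untick DELETE instead of adding a Deny" entry: the user can read, list,
# traverse, create and write inside the folder, but cannot delete or rename
# the folder itself (rename needs the Delete right on the object).
$Modify = [System.Security.AccessControl.FileSystemRights]::Modify
$Delete = [System.Security.AccessControl.FileSystemRights]::Delete
$ModifyNoDelete = [System.Security.AccessControl.FileSystemRights](
    [int]$Modify -band (-bnot [int]$Delete))

# One access control entry. $AppliesTo mirrors the "Apply to" drop-down.
function New-Ace {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [ValidateSet('ThisFolderOnly', 'SubfoldersAndFilesOnly', 'ThisFolderSubfoldersAndFiles')]
        [string]$AppliesTo,
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    $none = [System.Security.AccessControl.InheritanceFlags]::None
    $both = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop = [System.Security.AccessControl.PropagationFlags]::None
    switch ($AppliesTo) {
        'ThisFolderOnly'               { $inh = $none }
        'SubfoldersAndFilesOnly'       { $inh = $both; $prop = [System.Security.AccessControl.PropagationFlags]::InheritOnly }
        'ThisFolderSubfoldersAndFiles' { $inh = $both }
    }
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $inh, $prop, $Type)
}

# Replace a folder's DACL: block inheritance (dropping the inherited entries,
# which is what "Block Inheritance" in the comments above amounts to) and add
# exactly the entries passed in.
function Set-FolderAcl {
    param([string]$Path, [System.Security.AccessControl.FileSystemAccessRule[]]$Aces)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in $Aces) { $acl.AddAccessRule($ace) }
    Set-Acl -Path $Path -AclObject $acl
}

# Administrative entries that every folder keeps after inheritance is blocked.
$Admins = @(
    (New-Ace 'NT AUTHORITY\SYSTEM'    FullControl ThisFolderSubfoldersAndFiles),
    (New-Ace 'BUILTIN\Administrators' FullControl ThisFolderSubfoldersAndFiles)
)

# ACCT: all domain users can see and enter it (Read & Execute / List / Read on
# this folder only); nobody but administrators can change the folder itself.
# Also check that the share root (G:\) does not give users "Delete subfolders
# and files": that right on a parent deletes children regardless of their ACL.
Set-FolderAcl -Path $Acct -Aces ($Admins + @(
    (New-Ace $DomainUsers ReadAndExecute ThisFolderOnly)
))

# 'everyone': domain users may create and change anything inside, but the
# folder itself is not deletable or renamable by them. Explorer deletes a
# folder's contents before the folder, so a user with Modify on the contents
# sees them disappear even though the folder delete itself is refused.
Set-FolderAcl -Path "$Acct\everyone" -Aces ($Admins + @(
    (New-Ace $DomainUsers $ModifyNoDelete ThisFolderOnly),
    (New-Ace $DomainUsers Modify SubfoldersAndFilesOnly)
))

# 'deptonly': only the accounting group gets an Allow entry. Domain users have
# no entry, and a right no entry allows is refused, so no Deny is needed. The
# folder name still shows in ACCT's listing because listing is governed by
# ACCT's own ACL, not the child's.
Set-FolderAcl -Path "$Acct\deptonly" -Aces ($Admins + @(
    (New-Ace $Accounting $ModifyNoDelete ThisFolderOnly),
    (New-Ace $Accounting Modify SubfoldersAndFilesOnly)
))
```

After running it, `Get-Acl G:\ACCT\everyone | Format-List` should show two Domain Users rows: one Allow for this folder only without Delete, and one Allow Modify that applies to subfolders and files only. That is the same split the dialog shows as two rows whenever one identity has entries with different scopes or types.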
tolinromeAuthor Commented:
unfortunately none of these solutions have worked. Maybe if I attach a document it'll be easier to see what I mean....I'll try to do one shortly.
tolinromeAuthor Commented:
I attached a document showing the setup and the current permissions. Now I get access denied permissions for the 'everyone' folder as a domain user.

Let's just use the domain users security group for this. As a user of the domain users security group I need to be able to open the ACCT folder and open the 'everyone' folder. I should not be able to modify the folders themselves in any way. Everything under the 'everyone' folder (subfolders & files) I should be able to modify.

The Accounting security Group members should be able to go into the 'everyone' folder as well and have the same permissions as the domain users security group and should be able to go into the 'ACCT dept only' folder and modify any subfolders and files. Only the Accounting Security Group should be allowed to go into the 'ACCT dept only' folder.
example.pdf
giltjrCommented:
There is no way to prevent copy.  To the OS copy is nothing more than read the original file and write some place else.  

So as long as they have read access to the folders/files and they have write access to ANYPLACE (such as their computers C drive) they can copy.
Rich RumbleSecurity SamuraiCommented:
giltjr is correct - the PC knows no different; Windows has no native way to prevent copying of files or folders other than to prevent access to them entirely. If you can read, you can copy is the digital "law". No amount of DRM or permissions can change that :(
-rich
tolinromeAuthor Commented:
On the ACCT folder I have domain users special permissions with Deny from read attributes down to change permissions - apply to: this folder only, and Allow for list folder read data - apply to: this folder only.

On the Everyone subfolder I have domain users special permissions with deny for read attributes, read extended attributes, write attributes, write extended attributes, delete - apply to: this folder only and allow special permissions for everything from traverse folder/execute file to read permissions - apply to: subfolders and files only.

So, logged on as a domain user:
- When I try to delete the ACCT folder, it deletes everything under the everyone folder, but doesn't delete the ACCT or everyone folders: accomplished
- I can't move or delete the everyone folder: accomplished.

Do you think I went too far in selecting deny on the special permissions?
If I remove the deny permissions for domain users on each folder, wouldn't that have the same effect as it is now with the deny permissions?
What I mean is if allow isn't selected then why have deny?

My reasoning for selecting deny was that I can be 100% sure there is no way the folders will be able to be modified.
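Whether a Deny entry is doing any work can be read straight off the folder's ACL. Windows evaluates a DACL in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and refuses any right that no Allow entry grants, so a Deny only changes the outcome when some Allow entry overlaps it; it also applies to every member of the denied group, which is the administrator side effect Brian Pierce described. Allow and Deny are stored as separate entries, which is why the dialog shows a second Domain Users row once a Deny is added. The script below is an added example, not code from the thread: it lists a folder's entries in evaluation order and flags Deny entries that overlap no Allow entry. It assumes G:\ACCT as in the thread and does not expand group membership, so each verdict concerns the principal named in the entry itself.

```powershell
# Added example, not code from the thread. Reports a folder's DACL entries in
# the order Windows evaluates them and flags Deny entries that no Allow entry
# overlaps. Assumption: the folder is G:\ACCT. Group membership is not
# expanded; verdicts are about the identity named in each entry.

# Synchronize rides along with almost every Allow entry; it is masked out so
# that it does not produce a meaningless overlap.
$Synchronize = [int][System.Security.AccessControl.FileSystemRights]::Synchronize

# Map InheritanceFlags/PropagationFlags back to the dialog's "Apply to" wording.
function Get-AppliesTo {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    $inh = [string]$Ace.InheritanceFlags
    if ($inh -eq 'None') { return 'This folder only' }
    $what = switch ($inh) {
        'ContainerInherit'                { 'subfolders' }
        'ObjectInherit'                   { 'files' }
        'ContainerInherit, ObjectInherit' { 'subfolders and files' }
    }
    $inheritOnly = $Ace.PropagationFlags.HasFlag(
        [System.Security.AccessControl.PropagationFlags]::InheritOnly)
    if ($inheritOnly) { "$what only" } else { "This folder, $what" }
}

# Every entry, sorted as the system evaluates them: explicit before inherited,
# and Deny before Allow within each group.
function Get-AceReport {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Sort-Object -Property IsInherited, @{ Expression = { $_.AccessControlType -ne 'Deny' } } |
        ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Type      = [string]$_.AccessControlType
                Rights    = [string]$_.FileSystemRights
                AppliesTo = Get-AppliesTo -Ace $_
                Inherited = $_.IsInherited
            }
        }
}

# For each Deny entry, list the identities whose Allow entries grant any of the
# denied rights. An empty list means no entry on this ACL allows those rights:
# the Deny is not what refuses them, and removing it widens nothing on this ACL.
function Find-RedundantDeny {
    param([string]$Path)
    $access = (Get-Acl -Path $Path).Access
    $allows = @($access | Where-Object { $_.AccessControlType -eq 'Allow' })
    foreach ($deny in @($access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
        $denied  = [int]$deny.FileSystemRights -band (-bnot $Synchronize)
        $overlap = @($allows | Where-Object { ([int]$_.FileSystemRights -band $denied) -ne 0 })
        [pscustomobject]@{
            Identity       = $deny.IdentityReference.Value
            DeniedRights   = [string]$deny.FileSystemRights
            AppliesTo      = Get-AppliesTo -Ace $deny
            BlocksAllowFor = ($overlap | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        }
    }
}

Get-AceReport      -Path 'G:\ACCT' | Format-Table -AutoSize
Find-RedundantDeny -Path 'G:\ACCT' | Format-Table -AutoSize
```

Run it against ACCT and each subfolder. A Deny row whose BlocksAllowFor column is empty is the case asked about above: the Allow side never granted the right, so the Deny adds certainty against entries added later but no protection today, while a non-empty column names the Allow entries (for instance an administrators entry) that the Deny is overriding.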
Brian PiercePhotographerCommented:
As has been said there is no way to prevent copy without also preventing read (unless you want to go down the DRM route)
Windows Server 2008