NTFS: allow users to modify files within a directory only

Hi guys,

This seems like it should be easily done but I'm struggling to get it to work.

I have a simple 4 level tree of directories.  I don't want users making any changes to the folders of the tree, I just want them to be able to create, edit, delete etc. files in the very last folders.  I don't want them creating any more folders if possible, but this is secondary.  The tree isn't that large, so I'm not too bothered about applying this automatically or setting up a mad inheritance structure to save work; if somebody can literally tell me how to make this work on a single folder I'll be happy.

So the question is literally: how do I set up NTFS permissions to allow users to create/edit files in a folder but not rename/delete/move that folder itself?  Seems simple, but it's not :).

Windows 2008 Server.



If you give edit permission, that indirectly gives you delete permission in NTFS.

Or you could create some sort of service which will be constantly running and do what you want.


Sorry Rajesh, I don't mind users deleting files within the folder, they can do whatever they want with files within the folder.  I don't want them editing/deleting the folder the files are in.
I don't understand your second line.

I'm pretty sure this cannot be done. If a user has access to the files in a folder and can create new files in the same, he must have permission over the whole folder.
You can anyway prevent him from deleting the upper level folders by not allowing permissions to be transferred to the last folder.
Ask me for help in doing this if it would be useful...
If you want the scenario where the user can create files in the folder but can't rename the folder, then this is not possible.


I find it very hard to believe that it is not possible to protect your folder tree structure while allowing users to do what they need to within the lowest folders.  Surely this is a VERY common requirement in any business where they have a half decent data management policy?
Anyway, assuming it's not possible, what options do I have?  oloap88 - maybe you could elaborate on your suggestion?


OK, I think I might have this; maybe somebody could think it through and try to correct me if I'm right/wrong.
1. Domain Users have "Read" permissions inherited from the very top level.
2. On my bottom level folder I set "Domain Users" with "Full Permission" applying to "Files Only".  At this point Domain Users can do anything they want to existing files within the folder but can't create new ones.
3. So again on the folder I add "Domain Users" giving "Create files/Write Data" applying to "This folder only".  I now seem to be able to create files but not folders, do whatever I want with files in the folder and am not able to edit the top level folder.

Seems to work, any thoughts?
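The same three ACEs, set from PowerShell instead of the Security tab. This is an added example, not something from the original thread: it assumes the tree lives under D:\Data\f1 and that the group is CONTOSO\Domain Users (both placeholder names), and it uses the .NET FileSystemAccessRule class so that the GUI's "Files only" and "This folder only" choices appear as explicit inheritance and propagation flags. The final Get-Acl call lets you verify that no ACE grants Delete on f4 itself, which is what keeps the folder from being renamed, moved or deleted.

```powershell
# Added example: the three-step scheme from the post above, applied with PowerShell.
# Assumptions (placeholders, not from the thread): the tree root is D:\Data\f1,
# the leaf folder is f4, and the principal is the CONTOSO\Domain Users group.
$top   = 'D:\Data\f1'
$leaf  = 'D:\Data\f1\f2\f3\f4'
$group = 'CONTOSO\Domain Users'

# Step 1: Read on the top folder, inherited by every folder and file below it
# (ContainerInherit + ObjectInherit = the GUI's "This folder, subfolders and files").
$acl  = Get-Acl -Path $top
$read = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $group, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($read)
Set-Acl -Path $top -AclObject $acl

# Step 2: Full control applying to "Files only" on the leaf folder.
# ObjectInherit + InheritOnly = the ACE is never used on f4 itself, only on files inside it,
# so it cannot be used to delete or rename f4.
$acl       = Get-Acl -Path $leaf
$filesOnly = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $group, 'FullControl', 'ObjectInherit', 'InheritOnly', 'Allow'
$acl.AddAccessRule($filesOnly)

# Step 3: "Create files / Write data" applying to "This folder only".
# No inheritance flags = the ACE applies to f4 itself and to nothing below it.
# CreateFiles does not include AppendData (create subfolders) or Delete.
$createFiles = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $group, 'CreateFiles', 'None', 'None', 'Allow'
$acl.AddAccessRule($createFiles)
Set-Acl -Path $leaf -AclObject $acl

# Check: list the group's ACEs on f4. Expected rows are ReadAndExecute (IsInherited = True),
# CreateFiles (no inheritance flags) and FullControl (ObjectInherit / InheritOnly).
# Nothing here grants Delete on the folder, and f3 only grants Read, so "Delete subfolders
# and files" from the parent cannot be used against f4 either.
(Get-Acl -Path $leaf).Access |
    Where-Object { $_.IdentityReference -eq $group } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited -AutoSize
```

Run this as an administrator on the file server after the top-level folder has been created; the same rules can be applied to each leaf folder by changing `$leaf`. Users who save through applications that write a temporary file and then rename it over the original still work, because the rename happens on files, where Full control applies.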

We have f1-->f2-->f3-->f4, ok?

where f1 is the top folder, f2 is inside f1, f3 inside f2 and f4 inside f3.
I suppose you want to give the user the rights only on f4....

So you right click on f1
select security

under the authorization tab:

uncheck "inherit permission from parent folder...."
a message pops up
select delete or remove

now check the option under the last one that should be like "substitute permission on child folders and objects....."
click yes on the popup

give restricted permission to this folder depending on what you want.

With restricted I mean that users cannot access it, so, for example, full control to administrators, domain admins.

Now nobody else than admins can access the folder tree.

Now go to the folder that the user must access, so f4.

Now again right click on f4
then properties

uncheck "inherit authorization from parent..."
but this time select "copy" when the Windows popup appears
check the second option
add user authorization

leave the sharing option set to full control to everyone.

I suggest managing sharing from file server management in Win Srv 2003; add $ at the end of the f1, f2, f3 folders but not on f4, so users will be blocked by NTFS options if they try to browse the f1, f2, f3 folders; they will not see those folders if they browse the entire network but they will only see the folder they have access to.

Anyway I suppose in this way they cannot remove or rename the folder, but I'm not sure.
What I'm sure of is that they cannot touch or see f1, f2 and f3.

Hope this helps,
As you mention, it will allow creating new files but won't allow you to edit or delete files.
You can give one more permission, i.e. to take ownership; this way the user can add read/write permission for those files.
There is something missing on the procedure given.

on the F4 folder the user should have Special Permission.

Check again what the author wants to achieve:
The author asking: how do I setup NTFS permissions to allow users create/edit files in a folder but not rename/delete/move that folder itself?

Right click on the folder > on the Security tab click Advanced > remove "Allow inherited..." then add the user/group if any > click Edit > this will launch Special Permissions. You will notice that there are "Delete Subfolders and Files" AND "Delete" ("only") options; what our concern is here is the "Delete" word only, which means this folder (f4). This should be "unchecked" and then you're good to go.


oloap88 - I tried that, but as you say this will actually allow users rename/delete the f4 folder itself which I certainly don't want.
I have tested the solution I posted above for a couple of hours now and it actually seems to do exactly what I am trying to achieve.  Using your analogy, I can create/delete/edit files in the f4 folder but cannot edit/rename/delete the f1,f2,f3 or f4 folders.  I also can't create any more folders in f4.

Yes, I was sure about that. This is the best I can suggest anyway.  Maybe you can try giving ownership of the f4 folder to the Domain Users group.
Another solution would be to create a personal folder for each user, but I suppose this is not what you want.
Anyway, I've never faced a situation like that; I'm just guessing...
Hope to help anyway..


As posted above, I have sorted it out.  Thanks for the help anyway...
Question PAQ'd, 400 points refunded, and stored in the solution database.