Solved

Submissions folder for students: Write but not change or delete

Posted on 2011-02-16
7
743 Views
Last Modified: 2012-05-11
I am looking to create folders for students to be able to save a copy of their work for review by the teacher. I would like them to be able to place a file in that folder but not delete or change that saved file. Additionally I would like to keep them out of each other's submission folders. I would also like to have a map to that folder.

Is there any way to do this? I have already created the folders in a shared folder and assigned the maps using group policy but every time I give them enough rights to be able to read and write to their folders, they can then delete and modify the files. Even if I specifically deny delete I still have the problem. When I give them only write access, it kinda works, but they can't actually navigate to the folder, see the contents, or map the drive. (They can copy a file to the folder and if they try it a second time they get a "folder exists error").

The clients are all windows xp with Group Policy Preference Client Side Extensions installed.

Any help or guidance would be appreciated.
0
Comment
Question by:bismarkbalt
  • 4
  • 3
7 Comments
 
LVL 3

Accepted Solution

by:
Richard2k4 earned 500 total points
ID: 34909604
look under the special permissions on those folders.  You can give them read/write but not append.  You can also specify that a user cannot delete.
0
 

Author Comment

by:bismarkbalt
ID: 34910139
Thank you Richard,

I can't play with it till tomorrow morning, but, as an example, for user nmosk3557, shouldn't the /deny in "icacls c:\users\Submissions$\nmosk3557 .....   /deny nmosk3557:(WDAC,WO,D) ...." block the delete?

The deny shows up when you view special permissions, but it does day "This folder only" does that mean if they create a file or folder below this that they will be able to delete?

Is there a way to automate this with icacls so that sub-directories created later will have the same "deletablity"?
0
 
LVL 3

Expert Comment

by:Richard2k4
ID: 34910245
icacls c:\users\Submissions$\nmosk3557 .....   /deny nmosk3557:(AD,WDAC,WO,D)

the AD sets Append Data/Add Subdirectory    I think the append data deny may block changes

I'll have to look it up to confirm



yes.... use /T to hit all directories and files.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:bismarkbalt
ID: 34910563
Thank you again.
Will check it tom.
Did some more reading, do I need (OI)(CI) also?
eg:
icacls c:\users\Submissions\nmosk3557 /grant:r managers:(OI)(CI)F /grant:r nmosk3557:(OI)(CI)RW /deny nmosk3557:(OI)(CI)(AD,WDAC,WO,D) /remove everyone /t >>c:\results.txt
0
 
LVL 3

Expert Comment

by:Richard2k4
ID: 34911025
I think the /T covers it, but I could be wrong.
0
 

Author Comment

by:bismarkbalt
ID: 34919806
In the end, the following worked:

icacls c:\users\Submissions\sbrom3345 /grant:r administrators:(OI)(CI)RXW /grant:r managers:(OI)(CI)RXW /grant:r sbrom3345:(OI)(CI)RXW /deny sbrom3345:(OI)(CI)(AD,WDAC,WO,D,DC) /remove everyone /t >>c:\results.txt

For some reason, i could not map the drive from group policy with RW and needed RXW before it would show.

Thank you for your help!!!!
0
 

Author Closing Comment

by:bismarkbalt
ID: 34919816
Thanks for you help and attention.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now