[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Submissions folder for students: Write but not change or delete

Posted on 2011-02-16
7
Medium Priority
?
750 Views
Last Modified: 2012-05-11
I am looking to create folders for students to be able to save a copy of their work for review by the teacher. I would like them to be able to place a file in that folder but not delete or change that saved file. Additionally I would like to keep them out of each other's submission folders. I would also like to have a map to that folder.

Is there any way to do this? I have already created the folders in a shared folder and assigned the maps using group policy but every time I give them enough rights to be able to read and write to their folders, they can then delete and modify the files. Even if I specifically deny delete I still have the problem. When I give them only write access, it kinda works, but they can't actually navigate to the folder, see the contents, or map the drive. (They can copy a file to the folder and if they try it a second time they get a "folder exists error").

The clients are all windows xp with Group Policy Preference Client Side Extensions installed.

Any help or guidance would be appreciated.
0
Comment
Question by:bismarkbalt
  • 4
  • 3
7 Comments
 
LVL 3

Accepted Solution

by:
Richard2k4 earned 2000 total points
ID: 34909604
look under the special permissions on those folders.  You can give them read/write but not append.  You can also specify that a user cannot delete.
0
 

Author Comment

by:bismarkbalt
ID: 34910139
Thank you Richard,

I can't play with it till tomorrow morning, but, as an example, for user nmosk3557, shouldn't the /deny in "icacls c:\users\Submissions$\nmosk3557 .....   /deny nmosk3557:(WDAC,WO,D) ...." block the delete?

The deny shows up when you view special permissions, but it does day "This folder only" does that mean if they create a file or folder below this that they will be able to delete?

Is there a way to automate this with icacls so that sub-directories created later will have the same "deletablity"?
0
 
LVL 3

Expert Comment

by:Richard2k4
ID: 34910245
icacls c:\users\Submissions$\nmosk3557 .....   /deny nmosk3557:(AD,WDAC,WO,D)

the AD sets Append Data/Add Subdirectory    I think the append data deny may block changes

I'll have to look it up to confirm



yes.... use /T to hit all directories and files.
0
Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

 

Author Comment

by:bismarkbalt
ID: 34910563
Thank you again.
Will check it tom.
Did some more reading, do I need (OI)(CI) also?
eg:
icacls c:\users\Submissions\nmosk3557 /grant:r managers:(OI)(CI)F /grant:r nmosk3557:(OI)(CI)RW /deny nmosk3557:(OI)(CI)(AD,WDAC,WO,D) /remove everyone /t >>c:\results.txt
0
 
LVL 3

Expert Comment

by:Richard2k4
ID: 34911025
I think the /T covers it, but I could be wrong.
0
 

Author Comment

by:bismarkbalt
ID: 34919806
In the end, the following worked:

icacls c:\users\Submissions\sbrom3345 /grant:r administrators:(OI)(CI)RXW /grant:r managers:(OI)(CI)RXW /grant:r sbrom3345:(OI)(CI)RXW /deny sbrom3345:(OI)(CI)(AD,WDAC,WO,D,DC) /remove everyone /t >>c:\results.txt

For some reason, i could not map the drive from group policy with RW and needed RXW before it would show.

Thank you for your help!!!!
0
 

Author Closing Comment

by:bismarkbalt
ID: 34919816
Thanks for you help and attention.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question