• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 753
  • Last Modified:

Submissions folder for students: Write but not change or delete

I am looking to create folders for students to be able to save a copy of their work for review by the teacher. I would like them to be able to place a file in that folder but not delete or change that saved file. Additionally I would like to keep them out of each other's submission folders. I would also like to have a map to that folder.

Is there any way to do this? I have already created the folders in a shared folder and assigned the maps using group policy but every time I give them enough rights to be able to read and write to their folders, they can then delete and modify the files. Even if I specifically deny delete I still have the problem. When I give them only write access, it kinda works, but they can't actually navigate to the folder, see the contents, or map the drive. (They can copy a file to the folder and if they try it a second time they get a "folder exists error").

The clients are all windows xp with Group Policy Preference Client Side Extensions installed.

Any help or guidance would be appreciated.
0
bismarkbalt
Asked:
bismarkbalt
  • 4
  • 3
1 Solution
 
Richard2k4Commented:
look under the special permissions on those folders.  You can give them read/write but not append.  You can also specify that a user cannot delete.
0
 
bismarkbaltAuthor Commented:
Thank you Richard,

I can't play with it till tomorrow morning, but, as an example, for user nmosk3557, shouldn't the /deny in "icacls c:\users\Submissions$\nmosk3557 .....   /deny nmosk3557:(WDAC,WO,D) ...." block the delete?

The deny shows up when you view special permissions, but it does day "This folder only" does that mean if they create a file or folder below this that they will be able to delete?

Is there a way to automate this with icacls so that sub-directories created later will have the same "deletablity"?
0
 
Richard2k4Commented:
icacls c:\users\Submissions$\nmosk3557 .....   /deny nmosk3557:(AD,WDAC,WO,D)

the AD sets Append Data/Add Subdirectory    I think the append data deny may block changes

I'll have to look it up to confirm



yes.... use /T to hit all directories and files.
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
bismarkbaltAuthor Commented:
Thank you again.
Will check it tom.
Did some more reading, do I need (OI)(CI) also?
eg:
icacls c:\users\Submissions\nmosk3557 /grant:r managers:(OI)(CI)F /grant:r nmosk3557:(OI)(CI)RW /deny nmosk3557:(OI)(CI)(AD,WDAC,WO,D) /remove everyone /t >>c:\results.txt
0
 
Richard2k4Commented:
I think the /T covers it, but I could be wrong.
0
 
bismarkbaltAuthor Commented:
In the end, the following worked:

icacls c:\users\Submissions\sbrom3345 /grant:r administrators:(OI)(CI)RXW /grant:r managers:(OI)(CI)RXW /grant:r sbrom3345:(OI)(CI)RXW /deny sbrom3345:(OI)(CI)(AD,WDAC,WO,D,DC) /remove everyone /t >>c:\results.txt

For some reason, i could not map the drive from group policy with RW and needed RXW before it would show.

Thank you for your help!!!!
0
 
bismarkbaltAuthor Commented:
Thanks for you help and attention.
0

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now