Solved

Submissions folder for students: Write but not change or delete

Posted on 2011-02-16
7
744 Views
Last Modified: 2012-05-11
I am looking to create folders for students to be able to save a copy of their work for review by the teacher. I would like them to be able to place a file in that folder but not delete or change that saved file. Additionally I would like to keep them out of each other's submission folders. I would also like to have a map to that folder.

Is there any way to do this? I have already created the folders in a shared folder and assigned the maps using group policy but every time I give them enough rights to be able to read and write to their folders, they can then delete and modify the files. Even if I specifically deny delete I still have the problem. When I give them only write access, it kinda works, but they can't actually navigate to the folder, see the contents, or map the drive. (They can copy a file to the folder and if they try it a second time they get a "folder exists error").

The clients are all windows xp with Group Policy Preference Client Side Extensions installed.

Any help or guidance would be appreciated.
0
Comment
Question by:bismarkbalt
  • 4
  • 3
7 Comments
 
LVL 3

Accepted Solution

by:
Richard2k4 earned 500 total points
ID: 34909604
look under the special permissions on those folders.  You can give them read/write but not append.  You can also specify that a user cannot delete.
0
 

Author Comment

by:bismarkbalt
ID: 34910139
Thank you Richard,

I can't play with it till tomorrow morning, but, as an example, for user nmosk3557, shouldn't the /deny in "icacls c:\users\Submissions$\nmosk3557 .....   /deny nmosk3557:(WDAC,WO,D) ...." block the delete?

The deny shows up when you view special permissions, but it does day "This folder only" does that mean if they create a file or folder below this that they will be able to delete?

Is there a way to automate this with icacls so that sub-directories created later will have the same "deletablity"?
0
 
LVL 3

Expert Comment

by:Richard2k4
ID: 34910245
icacls c:\users\Submissions$\nmosk3557 .....   /deny nmosk3557:(AD,WDAC,WO,D)

the AD sets Append Data/Add Subdirectory    I think the append data deny may block changes

I'll have to look it up to confirm



yes.... use /T to hit all directories and files.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:bismarkbalt
ID: 34910563
Thank you again.
Will check it tom.
Did some more reading, do I need (OI)(CI) also?
eg:
icacls c:\users\Submissions\nmosk3557 /grant:r managers:(OI)(CI)F /grant:r nmosk3557:(OI)(CI)RW /deny nmosk3557:(OI)(CI)(AD,WDAC,WO,D) /remove everyone /t >>c:\results.txt
0
 
LVL 3

Expert Comment

by:Richard2k4
ID: 34911025
I think the /T covers it, but I could be wrong.
0
 

Author Comment

by:bismarkbalt
ID: 34919806
In the end, the following worked:

icacls c:\users\Submissions\sbrom3345 /grant:r administrators:(OI)(CI)RXW /grant:r managers:(OI)(CI)RXW /grant:r sbrom3345:(OI)(CI)RXW /deny sbrom3345:(OI)(CI)(AD,WDAC,WO,D,DC) /remove everyone /t >>c:\results.txt

For some reason, i could not map the drive from group policy with RW and needed RXW before it would show.

Thank you for your help!!!!
0
 

Author Closing Comment

by:bismarkbalt
ID: 34919816
Thanks for you help and attention.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question