Allowing Folder creation and renaming, but deny deleting.
Posted on 2011-02-21
We have a file server (Server 2008 R2) with 100,000s of files and 1000s of folders. We have problems with these folders going missing. The cause is most likely accidental cut/paste (mouse dropping) and then someone finding folders in odd places and deleting them.
We had a full control policy; now we have changed this.
- Top Level we have the Main Share called 'Development'.
- Under this there are 4 folders, Clients A-F, Clients G-L, etc.
- Under these folders are several 100 folders (e.g. BusinessX) with our clients' files inside, including many subfolders underneath with a range of files.
- Under 'Development' I would like no one to be able to create files/folders or delete files/folders (unless logged in as admin).
- Under the Clients A-F etc. folders I would like no one to be able to delete folders; they should be able to create folders, however. And under the actual Client Folders (BusinessX), allowing full control.
We have a group for all employees that has been created that only serves this purpose; let's call it 'Office Employees'. I set at the top level, full control and requested that it propagate all the way down.
Then I added another Permission entry for the same group 'Office Employees' denying Create folders/files, and Delete folder permissions. I set this for 'This folder only'.
On each 'Clients A-F', 'G-L', etc. folder, I added Deny privileges for Delete and Delete Files and Folders. This was selected for Folders and Sub-folders and also had 'only apply for this folder and folders immediately beneath' ticked.
This all works perfectly. However, when creating a folder it automatically names the folder New Folder, and then when you attempt to rename it, it does not allow it. Research suggests that under Windows permissions, Rename contains a delete, which prevents this from working.
I should clarify that no user should be able to have admin privileges, even myself as I sometimes accidentally drag and drop folders as well. This should only be enabled when logged in directly to the server as Administrator (which has full control from the top).
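
The permission layout described in the post can be traced with a small model of ACL inheritance and access checking. This is an added example, not part of the original post: it is a simplified Python model (one group, folders only), and the right names, `Ace` fields and function names are assumptions chosen for illustration.

```python
from collections import namedtuple

# Simplified model: one group, folders only, rights reduced to named strings.
Ace = namedtuple("Ace", "kind rights container_inherit no_propagate")
FULL = {"ADD_FILE", "ADD_SUBDIR", "DELETE", "DELETE_CHILD"}

def inherit(parent_acl):
    """ACEs a newly created subfolder receives from its parent, in order."""
    child = []
    for ace in parent_acl:
        if ace.container_inherit:
            # "Immediately beneath only" (no-propagate): the child gets the
            # ACE but does not hand it on to its own subfolders.
            child.append(ace._replace(container_inherit=not ace.no_propagate,
                                      no_propagate=False))
    return child

def allowed(acl, right):
    """Walk the ACL in order; the first ACE naming the right decides."""
    for ace in acl:
        if right in ace.rights:
            return ace.kind == "allow"
    return False  # no matching ACE means no access

def can_rename(folder_acl, parent_acl):
    """Rename in place needs delete access to the folder (DELETE on it, or
    DELETE_CHILD on its parent) plus the right to add the new name."""
    may_delete = allowed(folder_acl, "DELETE") or allowed(parent_acl, "DELETE_CHILD")
    return may_delete and allowed(parent_acl, "ADD_SUBDIR")

# ACLs as described in the post (deny entries first, as Windows orders them).
development = [
    Ace("deny", {"ADD_FILE", "ADD_SUBDIR", "DELETE"}, False, False),  # this folder only
    Ace("allow", FULL, True, False),                                   # propagates down
]
clients_a_f = [Ace("deny", {"DELETE", "DELETE_CHILD"}, True, True)] + inherit(development)
new_folder = inherit(clients_a_f)   # e.g. "New Folder" or BusinessX
inner = inherit(new_folder)         # a folder inside BusinessX

def summary():
    return {
        "create under Development": allowed(development, "ADD_SUBDIR"),
        "create under Clients A-F": allowed(clients_a_f, "ADD_SUBDIR"),
        "rename new folder": can_rename(new_folder, clients_a_f),
        "rename inside BusinessX": can_rename(inner, new_folder),
    }

if __name__ == "__main__":
    for action, ok in summary().items():
        print(f"{action}: {'allowed' if ok else 'denied'}")
```

In this model the new folder inherits the Deny Delete entry from 'Clients A-F', and the parent also denies Delete subfolders and files, so the rename is refused even though creation is allowed.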