Solved

Allowing Folder creation and renaming, but deny deleting.

Posted on 2011-02-21
Last Modified: 2012-06-27
Hi there,

We have a file server (Server 2008 R2) with 100,000's of files and 1000's of folders. We have problems with these folders going missing. The cause is most likely accidental cut/paste (mouse dropping) and then someone finding folders in odd places and deleting them.

We had a full control policy, now we have changed this.

- Top Level we have the Main Share called 'Development'.
- Under this there are 4 folders, Clients A-F, Clients G-L, etc.
- Under these folders are several 100 folders (e.g. BusinessX) with our clients' files inside, including many subfolders underneath with a range of files.
- Under 'Development' I would like no one to be able to create files/folders or delete files/folders (unless logged in as admin)
- Under Clients A-F etc folders I would like no one to be able to delete folders, they should be able to create folders however. And under the actual Client Folders (BusinessX) allowing full control.

We have a group for all employees that has been created that only serves this purpose, let's call it 'Office Employees'. I set at the top level, full control and requested that it propagate all the way down.
Then I added another Permission entry for the same group 'Office Employees' denying Create folders/files, and Delete folder permissions, I set this for 'This folder only'.
On each 'Clients A-F', 'G-L', etc. folder, I added Deny privileges for Delete and Delete Files and Folders. This was selected for Folders and Sub-folders and also had 'only apply for this folder and folders immediately beneath' ticked.

This all works perfectly. However, when creating a folder it automatically names the folder New Folder, and then when you attempt to rename it, it does not allow it. Research suggests that under Windows permissions, Rename contains a delete, which prevents this from working.

I should clarify that no user should be able to have admin privileges, even myself as I sometimes accidentally drag and drop folders as well. This should only be enabled when logged in directly to the server as Administrator (which has full control from the top).
0
Question by:lemonville
7 Comments
 
LVL 2

Expert Comment

by:synetron
ID: 34941013
I would not propagate any inheritance down the tree; instead I would set permissions at each level as such:

development - read only

level 2 - read write

level 3 - full

Using the groups you've already created, assign permissions directly at each level to the file folders themselves; this will ensure that a folder does not inherit an unwanted trait.
0
 
LVL 1

Author Comment

by:lemonville
ID: 34941027
But I do not want to keep in mind, at each level 3 there are 100's of folders, I don't want to have to set them individually.

Additionally, my main problem is inability to allow rename and deny delete of folders.
0
 
LVL 2

Expert Comment

by:synetron
ID: 34941050
Properties > security tab > Advanced > Effective Permissions tab

Ensure Write attributes & Write extended attributes are selected, but de-select Delete, Change permissions and Take ownership.

That should allow renaming but deny delete.
0

 
LVL 2

Expert Comment

by:synetron
ID: 34941056
maybe someone else has a better, more "global" answer, or way to batch process this. hope it helps or gets you down a good path. best of luck.
0
 
LVL 1

Accepted Solution

by:
nandit earned 500 total points
ID: 34941714
From the Security tab
Go to the Advanced option
Remove the inheritance tick
Copy the permissions
Apply
Double click on Users (Read and execute).
Set values as shown in the screenshot.
Apply.

Best of luck.
1.bmp
2.bmp
3.bmp
4.bmp
6.bmp
0
 
LVL 1

Author Closing Comment

by:lemonville
ID: 35123496
Hi there,

Unfortunately we had an earthquake on the 22nd Feb destroying our office, which prevented me from completing the testing.

I'm sure it would have worked!
0
 

Expert Comment

by:Jonklsn
ID: 35244529
Hey guys, I'm faced with the same issue. I need to allow users the ability to rename within a folder, but not delete. I fear there's no easy way to do this since a rename appears to be a delete function, but the above instructions I tried did not work. With the above permissions, users can create new files and make changes, but not rename.
0
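
The rename failure reported in the question and in the last comment can be checked against the ACLs directly. The following is an added example, not code from any post in this thread: it lists the ACEs for one group that grant or deny the two rights NTFS consults for a rename. The function name, the `D:\` path and the `EXAMPLE\Office Employees` identity are assumptions made for illustration.

```powershell
# Added example, not code from the thread. Get-RenameAceReport is a hypothetical name.
# NTFS allows a rename when the caller has Delete on the item itself OR
# DeleteSubdirectoriesAndFiles ("Delete subfolders and files") on its parent,
# so the ACLs of both the item and the parent are inspected.
# Simplification: ACEs are matched by exact identity name only; nested group
# membership and true effective access are not resolved.
function Get-RenameAceReport {
    param(
        [Parameter(Mandatory = $true)] [string] $FolderPath,
        [Parameter(Mandatory = $true)] [string] $Identity
    )
    $fsr         = [System.Security.AccessControl.FileSystemRights]
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $checks = @(
        @{ Role = 'item';   Path = $FolderPath;                            Right = $fsr::Delete },
        @{ Role = 'parent'; Path = (Split-Path -Path $FolderPath -Parent); Right = $fsr::DeleteSubdirectoriesAndFiles }
    )

    foreach ($check in $checks) {
        $acl = Get-Acl -Path $check.Path
        foreach ($ace in $acl.Access) {
            # Only ACEs for the group under review.
            if ($ace.IdentityReference.Value -ne $Identity) { continue }
            # Inherit-only ACEs are passed to children and do not apply to this object.
            if (($ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            # Keep ACEs whose rights mask includes the right being checked.
            if (($ace.FileSystemRights -band $check.Right) -ne $check.Right) { continue }

            New-Object PSObject -Property @{
                Role      = $check.Role               # 'item' or 'parent'
                Path      = $check.Path
                Right     = $check.Right
                Type      = $ace.AccessControlType    # Allow or Deny
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Constructed sample call: path and domain name are placeholders.
Get-RenameAceReport -FolderPath 'D:\Development\Clients A-F\New Folder' `
                    -Identity 'EXAMPLE\Office Employees' |
    Format-Table Role, Type, Right, Inherited, Path -AutoSize
```

With the Deny entries described in the question, the output would be expected to show a Deny row for both the item and the parent, which matches the reported behaviour: the folder can be created but not renamed.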
