aintgot1

File Permissions

I'm not sure if this is the right place to ask, but here it is. I mapped a drive for students to put their classwork in. They actually put it into a folder for whatever period they are in. The teacher complains that a student/s is deleting other students' work. I have experimented with the NTFS permissions, but can't figure out a solution. I would like for the students to be able to put work in that folder and not be able to delete or change it once it is in. That would prevent other students from tampering with other students' work. Can this be done?

Thanks,
Mike
OS Security, Active Directory, Microsoft Server OS

Last Comment
aintgot1

8/22/2022 - Mon
Timothy McCartney

Does each student have their own username/password?
Hapexamendios

@aintgot1,

One method would be to create the folder such that they can write to it, but not read its contents. However, if the students are showing signs of temptation towards misbehaviour, that won't work.

Can I ask why you don't set up home drives for the users in Active Directory for this purpose? This would be the simplest method by far for your needs. If that isn't possible, please post back; this is a case of "skinning cats" - there are several ways of achieving your goal, each with its own pros and cons.

Answers to these questions would help clarify the best option:

Who needs to be able to list the folder contents within the parent folder, and in each sub-folder?
Who needs to be able to write to each folder and sub-folder?

Look forward to hearing from you.

Thanks
Timothy McCartney

The best way to secure each student's work is for them to each have their own personal folder and set the shared permission so that only administrators and that particular student/user have permissions.

This is how most of our clients are set up with their employees' personal folders. This way each student can store their work without it being tampered with.
aintgot1

ASKER
Let me explain further with more detail. I created a share on the server. I created a batch file to map the drive and put it in the startup folder. The students use a generic username and password. The students actually have their own account, and the teacher is using it right now. This just went into effect late last week. I have not changed the batch file to the All Users profile yet, so the mapped drive will not show.

I instructed the teacher to create folders for each period to put in the shared folder on the server. After each period ends, the teacher should move the folder to a different location so the students will not try to tamper with it. The next day the teacher can put it back. It is not foolproof, but it is a start.

The Home folders would work great because only the owner and whoever else I give permission to can view it. The problem is separating those specific users. I don't think the teacher would want to sift through 2200+ students to find his students. What would happen if another teacher wanted to do the same thing?

The network here is not all that good. I tried a roaming profile and it took 20 minutes for it to load. The user said forget it. Personal folders would work, but how would you go about setting permissions for each individual user? I'm sure there might be a way using a script, but I know nothing about scripting.
I almost forgot. The only people who need access to the folders are the students, the teacher and myself.

Thanks,
Mike
ASKER CERTIFIED SOLUTION
pwindell

aintgot1

ASKER
2. Generic login is just not possible to manage. They have to use their own accounts

3. Create a Folder under the Root share point for each student.  They only need Read/List permissions on the Root,...and the Read/List/Write on their own folder.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The generic login was something I wanted to get away from for the last year. I had issues importing the student accounts, which has been working now for the last month. They all have their own accounts.

The individual folders would work, but that means setting permissions on each folder. I'm sure that can be done through a script, but I know nothing about scripting. If scripting is the easiest way, then I will have to find a script to do that. Is that the easiest way?

Thanks,
Mike
pwindell

Forget the scripts.  Just set the permissions.  Do it when you create the Folders that you are going to have to create anyway,...it will add maybe a whopping 30 seconds to the creation process of each folder.
pwindell

You may or may not want to turn off the security inheritance on the user's folder when you are setting the permissions.  That is up to you,...but it needs thought about.
Hapexamendios

This sounds very like an issue I solved recently, aintgot1.

This tool from Microsoft is a good start:

"How to use Xcacls.vbs to modify NTFS permissions"
http://support.microsoft.com/kb/825751

As per previous poster's comments, you have very simple permissions requirements. Therefore, look at how those are set in the MS article, and practice doing this for just one folder, getting your command-line "just so" for your needs.

It sounds like each sub-folder might need to have entries like:

You/admin - Full Control
Student - Modify
Teacher - Read

Once you've done that, I or another expert can show you how to create either a batch file or another VBScript which will just accept either one username and a foldername, or a list of usernames and folder names from a file, and pass them to the Microsoft VBScript with the right arguments, allowing it to then loop through your list of users and set it all up.

Some notes:

1. On your root folder, ensure that permissions are not being pushed down from it to sub-folders. If they are, it could wreck your work at a later point.
2. Again on the root folder, under "Security >> Advanced... >> Auditing" make sure that you have some auditing enabled, and that these auditing entries are inherited by sub-folders. This is because whilst you don't want the same permissions on each sub-folder, you do want tracking to be consistent across them all. Be selective about what you choose to audit or you'll fill your Security Event Log up! I'm sure there's plenty of people here who can advise on that, but better to use a separate post for that I think.

Again, hope this is useful,
pwindell

To "All":

You/admin - Full Control
Student - Modify
Teacher - Read


Those would be Share Permissions, not NTFS Permissions,...NTFS is what you want.  
Modify = "write" in Share permissions,..but,...Modify = "ability to modify permissions" when dealing with NTFS File System Permissions
There is no need to create a share for each user,...just create a single Share at the Root.
Forget "mapped drive" letters,...more efficient and more dependable without them,..they are a needless extra layer that does not need to be there.  Mapped drives are the Curse of Novell that far too many people still think we need for some reason.
Hapexamendios

Accepted re your correction - although if you look at the tool, Xcacls.vbs recognises both "advanced" NTFS permissions and "GUI" permissions options - one of which is "Modify".

As such it's possible to get much more granular than my suggestion, but it was NTFS permissions I was referring to, not share-level.

For example, as you say, granting "Modify" in the DACL on the folder would allow the user to change permissions. However, that would be recorded in the security log if "success" auditing is enabled for "Change Permissions" and "Take Ownership". I figured if we can get to that stage it's possible to micromanage the permissions further if needed.

But as also said by pwindell; you might be as well doing it manually! Depends how many students, how much turnover, etc.

Thanks,
aintgot1

ASKER
It looks like I got some very good advice and suggestions. It looks like there is no simple way around what is already set up, I will just have to have the students create their own folders inside of the teacher's folder. With the correct permissions as suggested, that should stop students from deleting other students' work.

I don't think the UNC method is going to work in my case. The students don't have access to the run command, and I wouldn't want them accessing their folders through a URL. With the mapped drive method, they have to be in that particular class in order to get the mapped drive with their work. It may not be perfect, but it should eliminate some cheating. I have told the teachers to remove the folder after each class so the students cannot remove or change once they turn in their work.

The next issue would be assigning the permissions to the student folders. Right now I estimate approx 200 students that will need to create folders. I do not want to do this manually. This is where a script would make it much easier. It would be even better if the script could create the folders and assign the permissions all in one shot, a similar process like importing the students into AD. Since I know nothing about writing scripts, I will need help.

Does this sound workable, or am I making a mountain out of a mole hill?

Thanks,
Mike
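
The one-shot folder creation and permission setup asked for above, as an added PowerShell example that was not posted by anyone in the thread: it creates one folder per student, applies the three entries listed earlier (admin Full Control, student Modify, teacher Read), removes inherited entries, and reads each ACL back. The server path, domain, teacher account and list file are hypothetical placeholders, and it uses the built-in icacls tool rather than the Xcacls.vbs script linked earlier.

```powershell
# Added example. Every name here is a placeholder (assumption), not a value from the thread.
$Root    = '\\SERVER\Classwork\Period1'   # hypothetical root folder under the single share
$Domain  = 'SCHOOL'                       # hypothetical AD domain (NetBIOS name)
$Teacher = "$Domain\teacher1"             # hypothetical teacher account
$Admins  = 'BUILTIN\Administrators'
$List    = '.\period1-students.txt'       # hypothetical file: one logon name per line

$students = Get-Content -Path $List | ForEach-Object { $_.Trim() } | Where-Object { $_ }

foreach ($name in $students) {
    $folder  = Join-Path -Path $Root -ChildPath $name
    $student = "$Domain\$name"

    if (-not (Test-Path -LiteralPath $folder)) {
        New-Item -ItemType Directory -Path $folder | Out-Null
    }

    # Explicit entries from the thread: admin Full Control, student Modify, teacher Read.
    # (OI)(CI) makes each entry apply to files and sub-folders created inside the folder.
    # icacls exits non-zero if an account name cannot be resolved, so typos in the list surface here.
    & icacls.exe $folder /grant:r "${Admins}:(OI)(CI)F" "${student}:(OI)(CI)M" "${Teacher}:(OI)(CI)R" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "grant failed on $folder"; continue }

    # Drop everything inherited from the root so only the three entries above remain.
    & icacls.exe $folder /inheritance:r | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "could not disable inheritance on $folder"; continue }

    # Read the ACL back and report any inherited entry or unexpected account.
    $expected = @($Admins, $student, $Teacher)
    $extra = (Get-Acl -LiteralPath $folder).Access |
        Where-Object { $_.IsInherited -or $_.IdentityReference.Value -notin $expected }
    if ($extra) {
        $who = ($extra.IdentityReference.Value | Select-Object -Unique) -join ', '
        Write-Warning "${folder}: unexpected entries: $who"
    } else {
        Write-Output "$folder OK"
    }
}
```

Run it from an account that already has Full Control on the root folder; students still need list access on the root itself, which this script does not change.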
SOLUTION
Hapexamendios

pwindell

I don't think the UNC method is going to work in my case. The students don't have access to the run command, and I wouldn't want them accessing their folders through a URL.

What!!??  There is no "command" to run.  There is no URL.  It is a UNC Path.  It is just a shortcut on the desktop,...or just open Windows Explorer (which you would have to do to open a "drive letter" anyway) and type the Path into the Address Bar,...then at that point they can drag the icon from the address bar to the Desktop or something.
aintgot1

ASKER
It is just a shortcut on the desktop,...or just open Windows Explorer (which you would have to do to open a "drive letter" anyway) and type the Path into the Address Bar,...then at that point they can drag the icon from the address bar to the Desktop or something.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The "run command" I referred to is just a bad habit. I am used to getting to the command prompt from the run dialog box if I don't have a shortcut. My mistake.

Creating the shortcut you described went completely over my head. I was not even thinking of doing it that way, just not used to it. I am going to do away with the batch file and use your method since the student can go directly to their folder. I see the teacher added additional sub folders, but that shouldn't change much.

Thanks for the correction,
Mike

pwindell

A good thing to do with such a shortcut is to put it in the All Users Desktop,..or the individual User's Desktop or their My Docs (whatever applies best to the situation).  It will behave just like a Folder in any of those locations and even typical Browse Dialog boxes will "browse through" the shortcut just like a folder,...so the user experience is just like having their files under a folder in those locations.
aintgot1

ASKER
Since I started using individual user accounts I have been putting shortcuts in the all users desktop. I use Ghost to push them to labs. Still trying to make things easier.

Thanks,
Mike