Solved

NTFS Deny Delete permission issue

Posted on 2011-03-09
3
948 Views
Last Modified: 2012-08-13
I support a company that have a Windows Server 2003 domain environment w/ windows 7 client PC's. Recently the  company has asked me to disallow a specific user to delete any files in a shared folder on the server called DATA.  So I went to security on this folder and set the DENY DELETE and DENY DELETE SUBFOLDERS AND FILES for this specific user.

The user cannot delete anything which is good, but it also has caused a bad side effect of leaving behind temp office 2007 files (ex: A36432A0.tmp) whenever user modify's a word or excel doc. Why is this happening. What would be the way to not let this specific user delete files but also not leave behind these annoying temp files that are rapidly accumulating.
0
Comment
Question by:kiwi800321
3 Comments
 
LVL 3

Accepted Solution

by:
RussPitcher earned 500 total points
ID: 35088029
Hmm, curious one this. I'm guessing that it's not acceptable to stop the user writing files to this folder entirely and forcing them to copy the files elsewhere before working on them.  The only simple way I can see round this is to have a script run on a scheduled task - say once a day at midnight - to clear these files out.  Unfortunately it'll still leave temp files around during the day.

A simple batch script would do the trick:
pushd C:\SharedDocs\RestrictedFolder
Del /f /s /q *.tmp
popd

Open in new window


0
 
LVL 10

Expert Comment

by:pjasnos
ID: 35088676
If someone has modification privileges to a given file, they effectively delete it by just emptying the file or filling it with zeros, so I would stronly suggest making that directory read-only for that user.
If you want to have a solution which gets rid of temp files while still having the files writeable would be to use something alike UnionFS in Linux. There's an application called WinUnionFS which implements the re-direction of any write requests to a read-only directory to a different directory - you can modify it to instead re-direct any creations/writes to tmp files based on their names, but you obviously need a litttle programming experience in C/C++. All the heavy-lifting of kernel-mode filesystem filter drivers is handled by Dokan library, meaning that you don't need to be an experienced programmer to make this work.
http://code.google.com/p/winunionfs/

Note: You cannot use Windows 7 Libraries for this, as they are shell objects and therefore most applications would still create temp files in your directory.

Also, depending what application is it, you can perhaps try re-configuring it to store it's temp files elsewhere?
0
 
LVL 3

Expert Comment

by:Dave4125
ID: 35089463
This user is supposed to be able to edit the documents, just not delete them entirely?
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now