Solved

NTFS Deny Delete permission issue

Posted on 2011-03-09
Last Modified: 2012-08-13
I support a company that has a Windows Server 2003 domain environment with Windows 7 client PCs. Recently the company has asked me to disallow a specific user from deleting any files in a shared folder on the server called DATA. So I went to Security on this folder and set DENY DELETE and DENY DELETE SUBFOLDERS AND FILES for this specific user.

The user cannot delete anything, which is good, but it has also caused a bad side effect of leaving behind temp Office 2007 files (ex: A36432A0.tmp) whenever the user modifies a Word or Excel doc. Why is this happening? What would be the way to not let this specific user delete files but also not leave behind these annoying temp files that are rapidly accumulating?
Question by:kiwi800321
3 Comments
 
LVL 3

Accepted Solution

by:
RussPitcher earned 500 total points
ID: 35088029
Hmm, curious one this. I'm guessing that it's not acceptable to stop the user writing files to this folder entirely and forcing them to copy the files elsewhere before working on them.  The only simple way I can see round this is to have a script run on a scheduled task - say once a day at midnight - to clear these files out.  Unfortunately it'll still leave temp files around during the day.

A simple batch script would do the trick:
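rem Stop if the folder is unavailable, so del never runs in the wrong directory
pushd C:\SharedDocs\RestrictedFolder || exit /b 1
rem Force-delete .tmp files here and in all subfolders, without prompting
del /f /s /q *.tmp
popd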

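A stricter variant of the scheduled cleanup described in the accepted solution, as an added example that is not part of the original thread: it removes only files whose names look like the temp file quoted in the question (eight hex digits plus .tmp), that are older than a cutoff, and that no process still has open. The parameter names, the 12-hour cutoff and the name pattern are assumptions; the default path is the one used in the batch script above.

```powershell
# Added example, not code from the thread. $Root, $MinAgeHours, $ReportOnly
# and the name pattern are assumptions; adjust them for the share being cleaned.
param(
    [string]$Root = 'C:\SharedDocs\RestrictedFolder',
    [int]$MinAgeHours = 12,
    [switch]$ReportOnly          # list what would be deleted, delete nothing
)

# Pattern generalised from the question's example name, A36432A0.tmp
$pattern = '^[0-9A-F]{8}\.tmp$'
$cutoff  = (Get-Date).AddHours(-$MinAgeHours)

# Refuse to run if the folder is missing (e.g. the volume is offline)
if (-not (Test-Path -LiteralPath $Root -PathType Container)) {
    Write-Error "Folder not found: $Root"
    exit 1
}

$handled = 0
$skipped = 0
Get-ChildItem -LiteralPath $Root -Recurse -Force -Filter *.tmp |
    Where-Object { -not $_.PSIsContainer -and
                   $_.Name -match $pattern -and
                   $_.LastWriteTime -lt $cutoff } |
    ForEach-Object {
        $file = $_
        try {
            # An exclusive open fails while any process still holds the file,
            # so temp files belonging to a document being edited are left alone.
            $handle = [System.IO.File]::Open($file.FullName, 'Open', 'ReadWrite', 'None')
            $handle.Close()
            if ($ReportOnly) {
                Write-Output "Would delete: $($file.FullName)"
            } else {
                Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
            }
            $handled++
        } catch {
            $skipped++
            Write-Warning "Skipped $($file.FullName): $($_.Exception.Message)"
        }
    }

Write-Output "Matched and handled: $handled  Skipped (in use or access denied): $skipped"
```

Run the scheduled task under an account that the deny entries do not apply to, and try it with -ReportOnly first to confirm that only leftover temp files match.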
 
LVL 10

Expert Comment

by:pjasnos
ID: 35088676
If someone has modification privileges to a given file, they can effectively delete it by just emptying the file or filling it with zeros, so I would strongly suggest making that directory read-only for that user.
If you want a solution which gets rid of temp files while still having the files writeable, you could use something like UnionFS in Linux. There's an application called WinUnionFS which implements the redirection of any write requests to a read-only directory to a different directory - you can modify it to instead redirect any creations/writes to tmp files based on their names, but you obviously need a little programming experience in C/C++. All the heavy lifting of kernel-mode filesystem filter drivers is handled by the Dokan library, meaning that you don't need to be an experienced programmer to make this work.
http://code.google.com/p/winunionfs/

Note: You cannot use Windows 7 Libraries for this, as they are shell objects and therefore most applications would still create temp files in your directory.

Also, depending on what application it is, you can perhaps try re-configuring it to store its temp files elsewhere?
 
LVL 3

Expert Comment

by:Dave4125
ID: 35089463
This user is supposed to be able to edit the documents, just not delete them entirely?