Solved

NTFS.  allow domain users view only.  allow group1 create new, not modify.

Posted on 2011-03-22
9
622 Views
Last Modified: 2012-05-11
Typically if i want someone to be able to create but not delete files they did not create, i just add creator/owner.  however i need all domain users to view this folder but have no ability to add files or folders.  
I need a second group to NOT be able to modify non-owned files, yet create new files and folders.  I will also remove delete and delete sub from this second group as they should not delete files.  I expect creator owner will override this for files they own, but I can deal with that risk.

the 3rd group will have modify.

how do i do this?
0
Comment
Question by:Eric
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 11

Accepted Solution

by:
TheGorby earned 500 total points
ID: 35192089
First of all, remove any entries for 'Everyone' and 'Authenticated Users' on this folder. Then setup the following permissions at the folder level:

1. i need all domain users to view this folder but have no ability to add files or folders

-Domain Users group; check the Allow box for 'Read & Execute', 'List Folder Contents', and 'Read'.

2. I need a second group to NOT be able to modify non-owned files, yet create new files and folders.  I will also remove delete and delete sub from this second group as they should not delete files.

-Group#2; check the Allow box for 'Write'. (If they should not be able to delete even their own files, then in the special permissions for Group#2 check the Deny box for 'Delete' and 'Delete Subfolders & Files')
-CREATOR_OWNER; check the allow box for 'Full Control'

3. the 3rd group will have modify

-Group#3; check the Allow box for 'Modify'.
0
 
LVL 11

Author Comment

by:Eric
ID: 35192181
hmm. I tried this.  end users told me he could still craete new folders as a "domain user"
mayhbe i need to create some test accounts and test myself. maybe im getting bad info back.

I thought maybe creator/owner made it so anyone including domain users could create files.  
But if yoru right, they need "write" to get that far.  

which is what i thought initially.
0
 
LVL 11

Expert Comment

by:TheGorby
ID: 35192268
You're right he shouldn't be able to create folders or files. Assuming the info isn't bad, I would check to make sure there are no users/groups on the folder's ACL besides the 4 I mentioned before and any administrative users/groups. Also make sure the ACL on the parent folder is being propagated down to all subfolders and files.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 11

Author Comment

by:Eric
ID: 35193478
setting delete to deny does not allow them to create folders. when you say new folder, and type a name, it fails saying it can not rename it. I guess it creates it as "new folder" instantly.
0
 
LVL 11

Expert Comment

by:TheGorby
ID: 35193556
Weird, you're right it's the same way on my system. In addition to instantly creating the folder as 'New Folder', when you rename a folder Windows must delete the original and create a new one, I don't know why else it wouldn't work...

Unfortunately I don't have a workaround for that other than individually denying 'Modify' rights to all files and folders that they should be able to modify.
0
 
LVL 11

Expert Comment

by:TheGorby
ID: 35193561
*that they shouldn't be able to modify*
0
 
LVL 11

Author Comment

by:Eric
ID: 35193571
yea.  maybe using a command line to create to folder or soemthing. ITs not that important.  If they created it, ill just let them have there way with it.
at least they cant delete others files.  and domain users cant create anything which was the main goal.

i created 2 test user and it worked perfectly.  No idea what that other user was doing. guess i should have confirmed they logged off and on.

Thanks
0
 
LVL 11

Expert Comment

by:TheGorby
ID: 35193578
Even the Effective Permissions say creating a folder should be possible... I wonder if we've just found a Microsoft bug?
ss1.bmp
0
 
LVL 11

Author Comment

by:Eric
ID: 35193651
i confirmed.
if that user opens a command line and types
mkdir test4 it will create a folder named test4
the gui method must create, and use some delete command to rename.  so effective permissions are technically correct.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question