Eric
asked on
NTFS. allow domain users view only. allow group1 create new, not modify.
Typically if i want someone to be able to create but not delete files they did not create, i just add creator/owner. however i need all domain users to view this folder but have no ability to add files or folders.
I need a second group to NOT be able to modify non-owned files, yet create new files and folders. I will also remove delete and delete sub from this second group as they should not delete files. I expect creator owner will override this for files they own, but I can deal with that risk.
the 3rd group will have modify.
how do i do this?
I need a second group to NOT be able to modify non-owned files, yet create new files and folders. I will also remove delete and delete sub from this second group as they should not delete files. I expect creator owner will override this for files they own, but I can deal with that risk.
the 3rd group will have modify.
how do i do this?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You're right he shouldn't be able to create folders or files. Assuming the info isn't bad, I would check to make sure there are no users/groups on the folder's ACL besides the 4 I mentioned before and any administrative users/groups. Also make sure the ACL on the parent folder is being propagated down to all subfolders and files.
ASKER
setting delete to deny does not allow them to create folders. when you say new folder, and type a name, it fails saying it can not rename it. I guess it creates it as "new folder" instantly.
Weird, you're right it's the same way on my system. In addition to instantly creating the folder as 'New Folder', when you rename a folder Windows must delete the original and create a new one, I don't know why else it wouldn't work...
Unfortunately I don't have a workaround for that other than individually denying 'Modify' rights to all files and folders that they should be able to modify.
Unfortunately I don't have a workaround for that other than individually denying 'Modify' rights to all files and folders that they should be able to modify.
*that they shouldn't be able to modify*
ASKER
yea. maybe using a command line to create to folder or soemthing. ITs not that important. If they created it, ill just let them have there way with it.
at least they cant delete others files. and domain users cant create anything which was the main goal.
i created 2 test user and it worked perfectly. No idea what that other user was doing. guess i should have confirmed they logged off and on.
Thanks
at least they cant delete others files. and domain users cant create anything which was the main goal.
i created 2 test user and it worked perfectly. No idea what that other user was doing. guess i should have confirmed they logged off and on.
Thanks
Even the Effective Permissions say creating a folder should be possible... I wonder if we've just found a Microsoft bug?
ss1.bmp
ss1.bmp
ASKER
i confirmed.
if that user opens a command line and types
mkdir test4 it will create a folder named test4
the gui method must create, and use some delete command to rename. so effective permissions are technically correct.
if that user opens a command line and types
mkdir test4 it will create a folder named test4
the gui method must create, and use some delete command to rename. so effective permissions are technically correct.
ASKER
mayhbe i need to create some test accounts and test myself. maybe im getting bad info back.
I thought maybe creator/owner made it so anyone including domain users could create files.
But if yoru right, they need "write" to get that far.
which is what i thought initially.