Solved

deny delete folder permissions

Posted on 2011-09-21
9
813 Views
Last Modified: 2012-05-12
I have a folder template structure that is setup for each of my branch offices.  Currently the Root of the folder they only have read permissions to, everything must be placed into a subfolder.  They have Modify rights to the subfolders.  I want to stop them from being able to delete the initial subfolders but still have the ability to create/modify items within them.

I was hoping that the 'Apply these permissions to objects and/or contains within this container only' would solve at least my root folder issue - but that doesn't appear to.

So at the root is *Branch* Data, then it has 7 subfolders.  The Branch Data folder they only have read access to, so they can't put any items into this - everything must be placed within the subfolders.  They have Modify access to the subfolders.

But as mentioned, with those permissions they can delete the initial 7 subfolders.  How can I protect these folders while still allowing them modify rights to files within them?

(yes I know that was a bit redundant)
0
Comment
Question by:americaneldercare
  • 5
  • 3
9 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36573779
Try Denying the Special permission to delete. Or give them the special permissions needed
0
 

Author Comment

by:americaneldercare
ID: 36574432
My apologies for not indicating this, I put special permission 'Deny Delete' to the Root (*Branch* Data) folder then used the 'Apply these permissions to objects and/or contains within this container only' and that did not work.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36575283
Are the permissions inherited from the root?
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:americaneldercare
ID: 36575482
I attached a visual hoping that might help a bit as well.  The initial 'Branch Share' has Everyone: Read, Everyone: Deny Delete (apply to container only).  The 7 subfolders inherit those initial permissions, then add on "Branch - modify" (for whomever is in that particular branch).  

I was under the impression that the 'Apply to Container only' would make it so that the Branch Share and the subfolders within it would get the 'Deny: Delete' option.  And since a Deny will overwrite an allow, I thought it would prevent them from deleting the folder even though they do get 'Modify' within the folder.  That however, does not appear to be the case.

In addition (again as I understand it) if I put the same 'Apply to this container only' the Deny Delete to the subfolders it would affect the folder as well as any files within it - thus preventing the users from deleting files directly in that subfolder (subfolder1, 2, and 3 in the attachment).

 Drawing1.pdf
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36575517
When you have modify they are able to delete this is part of the permission itself there is not way around this but I thought we could pur deny delete folder and subfolder but I guess you can't
0
 
LVL 25

Expert Comment

by:Lionel MM
ID: 36579962
Not sure if this will work -- what if you add deny delete to folder and sub folders to the root directory (*Branch* Data) and apply that to the sud folders too (i.e inherit permissions) and then allow the modify right on the sub folders.
0
 

Accepted Solution

by:
americaneldercare earned 0 total points
ID: 36582309
I appear to have found the right combination of permissions.  For some reason the 'everyone' group doesn't appear to work.  But by using 'Domain Users' I was able to do DENY 'Delete' but ALLOW 'Delete subfolders and files'.

Without using the Allow they wouldn't have permission to delete subfolders/files (even though it wasn't denied).  But by using those two in combination it appears to have accomplished my need.

I have applied those permissions (individually) to each of the subfolders I don't want to be deleted.
0
 

Author Comment

by:americaneldercare
ID: 36582422
add on to that, preventing a subfolder of a subfolder from being deleted appears to be an issue.  But the initial 7 I can lock using this method.

I am still trying to figure out how to lock the other folders.

Ultimately, I am looking for a method of preventing a folder from being deleted while still allowing full access to its conents.  if anyone has a better method...
0
 

Author Closing Comment

by:americaneldercare
ID: 36895860
""
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
Most MSPs worth their salt are already offering cybersecurity to their customers. But cybersecurity as a service is wide encompassing and can mean many things.  So where are MSPs falling in this spectrum?
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question