Solved

How can I prevent users from renaming a folder?

Posted on 2012-03-28
Last Modified: 2012-06-27
Hi,

I am looking for a solution where I can prevent users from renaming a folder name. I don't mind if the folder gets deleted because I trust that the users know what the folder is for and won't delete it, plus I already know how to prevent it from being deleted.

The folder is hard-coded on a fax machine which sends scanned documents to this location. If it is renamed, then the scanning process will not work.

I just want to know how to control folder renaming on its own. Users should still be able to read/write/delete folders and files as normal.

I hope I have provided enough information on the problem, but feel free to ask for more on this.
0
Comment
Question by:stvmph
7 Comments
 

Author Comment

by:stvmph
ID: 37779923
I have looked at other topics but they don't give me the answer I am looking for.
0
 
LVL 21

Assisted Solution

by:motnahp00
motnahp00 earned 100 total points
ID: 37779955
If a user has read and write permissions on your top level folder, they can pretty much do what they want. Why not use a group policy to create a folder with a specified name at logon? So if the user renames the folder, it will always be recreated.

User Configuration -> Preferences -> Windows Settings -> Folders
0
 
LVL 7

Assisted Solution

by:lucifer82
lucifer82 earned 200 total points
ID: 37780036
Hi stvmph,

I have a potential solution for you, as I do this practice when I set up new sites all the time.

1. Each user will have their own folder so eg.

User_Folders (root)
- User1 < this folder name should be the same as the username for user 1
- User 2 < this folder name should be the same as the username for user 2

2. You create a service account that your MFD will use to scan, e.g. scanner

3. This scanner user has full rights to each folder; you then make sure that each user folder is only accessible by administrator, scanner and the user who needs to access it. They can all have full rights.

4. This is the tricky part: you create the "User_Folders" as a hidden share with "Everyone" with full control. As for the security rights on this folder, it should be:

CREATOR OWNER - FULL
SYSTEM - FULL
Scanner - Modify
Administrators - FULL
Users - Read Only

5. Once that's done, first verify that you can still scan to the folder.
6. After the verification, you create a mapped drive policy to map drive "S" to each user by their username.

eg. \\YOURSERVER\User_Folders$\%USERNAME%\

*YOURSERVER < this is the hostname or IP address of your file server
*$ sign at the end of the share name means it's a hidden share
*%USERNAME% < This automatically works out your username this is used

This way the user doesn't get to browse the upper layer in order to delete this folder; instead they only have a mapped drive with all of their scan items.
0

 
LVL 28

Assisted Solution

by:Run5k
Run5k earned 100 total points
ID: 37780043
The simple solution would be to ensure that your people are Standard users, and then modify the NTFS permissions on the folder so that only System account and the Administrators group have full control.  In contrast, Users and Authenticated users can have Read & execute, List folder contents, and Read permissions.
0
 
LVL 4

Assisted Solution

by:Praveenraj04
Praveenraj04 earned 100 total points
ID: 37780399
Hi Friend,

There is an option in NTFS Permissions in the Advanced tab to uncheck the Modify option.

Please check the below link for more information:

http://www.windowsecurity.com/articles/Understanding-Windows-NTFS-Permissions.html

Enable the Allow for the Following
Read & Execute
Read
Write
and Make sure MODIFY is unchecked for Allow and Deny leave it blank and you should be good.

Please check and revert to me if you have any queries.

Thanks,
P. Praveen Raj
0
 

Accepted Solution

by:
stvmph earned 0 total points
ID: 37784968
I have figured out what the problem was. Let me paint a picture for you. The FTP server that the scanner can connect to is pointed at the P drive. There are already heaps of folders in P drive.

In the permissions for P drive, the "Everyone" group/user is set to Full Control. Therefore, all users are able to rename the scanner folder I was trying to prevent from being renamed.

However, I did make a subfolder within the scanner folder which I pointed the scanner to scan to directly. And through testing with a generic user account, I managed to prevent this folder from being renamed using permissions.

Now I know that if the upper level folder gets renamed, the problem still exists, but at least I know now how to prevent renaming.

Here's what I did. Let's say the directory is: P:\scanner\scans and there is a "Sales" security group.

In the scanner folder, I went to "Advanced", "Change Permissions", and unticked "Include inheritable permissions from the object's parent". I added in the IT group and the scanner user with "Full Control" access.

I then added the "Sales" group in twice. The first time I added them in was with "Traverse folder / execute file" and "List folder / read data" for "This folder only". The second time I added them in was with read/write/delete for "Subfolders and files only".

I tested with a generic account in the "Sales" group and they were unable to rename the "scans" folder and everything within the "scanner" folder. But inside the "scans" folder, they can do whatever they want.

I have found the solution even though the problem still exists, but that is not something we're willing to look at at this stage. As far as points go, all of you had various ideas that got me to my final solution but not exactly what I ended up doing.

motnahp00, you made me realise my P drive had full control set.
lucifer82, you had a near perfect solution however users already have P drive mapped so I couldn't hide it from them
Run5k, you had the right idea but I needed write permissions for the standard users as well
Praveenraj04, you were on the right track but it wasn't as simple as that.

I'm going to split the points accordingly amongst all of you.

Thanks for the help.
0
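
The permission layout described in the accepted solution, scripted as an added example (not part of the original post). The domain and account names are placeholders, the mapping of "read/write/delete" to `Read, Write, Delete` is an assumption, and so is discarding the previously inherited entries when inheritance is switched off.

```powershell
# Added example: apply the ACL from the accepted solution to P:\scanner.
# Account names are hypothetical placeholders; replace with your own.
$Path        = 'P:\scanner'          # path taken from the post
$ItGroup     = 'EXAMPLE\IT'          # hypothetical name for the "IT group"
$ScannerUser = 'EXAMPLE\scanner'     # hypothetical name for the "scanner user"
$SalesGroup  = 'EXAMPLE\Sales'       # "Sales" group; domain prefix is hypothetical

# Helper (added here): build one Allow ACE with explicit inheritance scope.
function New-AllowRule($Identity, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

$acl = Get-Acl -Path $Path

# Untick "Include inheritable permissions from the object's parent".
# $true  = protect this ACL from inheritance
# $false = do not keep copies of the inherited ACEs (assumption; this is what
#          drops the "Everyone: Full Control" entry coming from P:\)
$acl.SetAccessRuleProtection($true, $false)

$everything = 'ContainerInherit, ObjectInherit'   # folder + subfolders + files

# IT group and scanner account: Full Control on the folder and all content.
$acl.AddAccessRule((New-AllowRule $ItGroup     'FullControl' $everything 'None'))
$acl.AddAccessRule((New-AllowRule $ScannerUser 'FullControl' $everything 'None'))

# Sales, entry 1: "Traverse folder / execute file" and "List folder / read data",
# applied to "This folder only" (no inheritance flags).
$acl.AddAccessRule((New-AllowRule $SalesGroup 'Traverse, ListDirectory' 'None' 'None'))

# Sales, entry 2: read/write/delete applied to "Subfolders and files only".
# InheritOnly means the ACE is inherited by children but does not apply to
# P:\scanner itself, so Sales gets no create or delete rights on that folder.
$acl.AddAccessRule((New-AllowRule $SalesGroup 'Read, Write, Delete' $everything 'InheritOnly'))

Set-Acl -Path $Path -AclObject $acl

# Review the result: Sales should appear twice with different scopes, and no
# entry should be marked as inherited.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights,
                 InheritanceFlags, PropagationFlags, IsInherited -AutoSize
```

After applying it, repeat the poster's check with a test account in the Sales group: renaming `scans` should be refused while files inside it stay writable.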
 

Author Closing Comment

by:stvmph
ID: 37800061
I didn't get the full solution from the other experts but good hints.
0
