Windows shares with no delete

justinoleary911
What permissions would I need to set on a Windows share in Server 2003 to allow users to have rights to do everything except delete items?

Commented:
Try this: open Advanced in Security, select your users group, and select Deny Delete, as in the attached JPEG.
Deny delete
Restrict them using NTFS permissions.

Right-click Properties -> Security tab -> Advanced -> select your users or security group -> Change Permissions -> Edit -> select Deny Delete

NTFS and Sharing permissions are cumulative with the most restrictive combination winning. So an explicit Deny will trump the Change permissions configured for Sharing.

I hope this helps.
Brian Pierce, Photographer
Awarded 2007
Top Expert 2008

Commented:
Be careful about using DENY - it's safer simply to remove the ALLOW option for the specified group - do not DENY Everyone/Users/Domain Users, otherwise no-one will be able to delete.

Author

Commented:
OK, just to clarify these permissions: under share permissions I could set Full Control for the security group, then under NTFS permissions I can have everything selected for Allow except the delete permissions, and then they can do anything except delete. Right? I attached some screenshots showing exactly what I have set up. You can ignore the Everyone group having Full Control; I'm going to remove that.
ntfs-permissions.jpg
share-permissions.jpg
Never set full control for your security groups unless it is for the Administrator group. This allows the security group to change the permissions to whatever they like. Use Modify/Change instead.

Change for Sharing
Modify for NTFS

Other than that, you got it.
deroode, Systems Administrator

Commented:
Beware however that Microsoft Office needs the delete right to edit files: When opening a document a new temporary document is created, and when saving the old document is deleted.

Author

Commented:
OK, so you're saying there's no such permission to have the ability to edit Office docs and not delete.

The really specific permissions I need, I'm not sure how to set up. We have a share called bids with 4 subfolders that are not shares, just subfolders of bids. I need to prohibit specific people from opening specific subfolders. Is this possible and if so, how?
Not true.

I just tested that on my local server by creating a word doc by right clicking and New.

Opened the new document, wrote some text and saved without an issue.

Author

Commented:
OK, can you delete the document?
Disregard. I forgot one deny. The other comment was correct.

Author

Commented:
OK, I need some really specific share settings here. I just had a user log into a share I set, and they couldn't modify the folder name; I gave them the right to modify while keeping the NTFS advanced permissions of Deny Delete and Deny Delete Subfolders. And they could still delete the folder. Can anyone tell me the exact specific permissions to set for a user for share permissions and advanced NTFS permissions? I need the user to be able to open the share and only have access to specific subfolders. Then, in the subfolders they have access to, I need them to be able to create and modify documents and folders BUT not be able to delete anything. Anyone, please tell me what exact permissions to set. Thank you.
I've requested that this question be deleted for the following reason:

There is no way to deny advanced NTFS delete permissions while allowing renaming folders and files.
deroode, Systems Administrator

Commented:
IMHO "not possible" is also a valid and correct answer. Even if no points are given this question could be PAQ'ed..

Author

Commented:
this is not possible
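
Why the thread ends at "not possible", as an added example that is not part of any post above: a simplified Python model in which rename and the Office save pattern both pass through the same delete check, so denying delete removes them too. The right names, the permission sets and the three scenarios are assumptions of this model, not Windows API code.

```python
# Simplified model of the checks discussed in the thread (illustration only).
# Assumptions: right names are made up for this model; ACE ordering
# (explicit vs inherited) and ownership rights are ignored.
READ, WRITE, CREATE = "read", "write", "create"
DELETE, DELETE_CHILD = "delete", "delete_subfolders_and_files"
MODIFY = frozenset({READ, WRITE, CREATE, DELETE})   # NTFS Modify / share Change
FULL = MODIFY | {DELETE_CHILD}                      # Full Control, minus permission-change rights

def effective(share, allow, deny=frozenset()):
    """Rights surviving both layers: share AND (NTFS allow minus NTFS deny)."""
    return frozenset(share) & (frozenset(allow) - frozenset(deny))

def can_delete(item, parent):
    # Delete succeeds with Delete on the item itself OR
    # "Delete Subfolders and Files" on the folder that contains it.
    return DELETE in item or DELETE_CHILD in parent

def can_rename(item, parent):
    # Rename needs the same delete access on the source, plus create in the folder.
    return can_delete(item, parent) and CREATE in parent

def can_office_save(item, parent):
    # Save pattern described in the thread: write a temp file, delete the old one.
    return CREATE in parent and can_delete(item, parent)

def report(share, allow, deny=frozenset()):
    rights = effective(share, allow, deny)  # items inherit the folder ACL here
    return {"delete": can_delete(rights, rights),
            "rename": can_rename(rights, rights),
            "office_save": can_office_save(rights, rights)}

SCENARIOS = {  # constructed configurations based on the posts above
    "Change + Modify": (MODIFY, MODIFY, frozenset()),
    "Change + Modify, deny both deletes": (MODIFY, MODIFY, {DELETE, DELETE_CHILD}),
    "Full + Full, deny Delete only": (FULL, FULL, {DELETE}),
}

if __name__ == "__main__":
    for name, cfg in SCENARIOS.items():
        print(f"{name:38} {report(*cfg)}")
```

In every scenario the delete and rename results are identical, and the third shows deletion still succeeding through the parent folder's right when only Delete is denied.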
