Avatar of justinoleary911
justinoleary911
Flag for United States of America asked on

Windows shares with no delete

what permissions would i need to set on a windows share in server 2003 to allow users to do have rights to do everything except delete items.
Active DirectoryWindows Server 2003

Avatar of undefined
Last Comment
justinoleary911

8/22/2022 - Mon
pjam

Try this Open Advanced in Security and select your users group and select Deny Delete as in jpeg attached
Deny delete
motnahp00

Restrict them using NTFS permissions.

Right-click Properties -> Security tab -> Advanced -> select your users or security group -> Change Permissions -> Edit -> select Deny Delete

NTFS and Sharing permissions are cumulative with the most restrictive combination winning. So an explicit Deny will trump the Change permissions configured for Sharing.

I hope this helps.
Brian Pierce

Be careful about using DENY - its safer simply to remove the ALLOW option for the specified group  - do not DENY Everyone/Users/Domain Users otherwise no-one will be able to delete.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
justinoleary911

ASKER
ok just to calrify these permissions, under share permissions i could set full control to the security group, then under ntfs permissions I can have everything selected for allow except the delete permissions and then they can do anything except delete. right?  i attached some screen shots showing exactly what i have set up, you can ignore the everyone group having full control im going to remove that.
ntfs-permissions.jpg
share-permissions.jpg
motnahp00

Never set full control for your security groups unless it is for the Administrator group. This allows the security group to change the permissions to whatever they like. Use Modify/Change instead.

Change for Sharing
Modify for NTFS

Other than that, you got it.
deroode

Beware however that Microsoft Office needs the delete right to edit files: When opening a document a new temporary document is created, and when saving the old document is deleted.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
justinoleary911

ASKER
ok so your saying theres no such permissions to have the ability to edit office docs and not delete.  

the really specififc permissions i need im not sure how to set up.  we have a share called bids with 4 sub folders that are not shares just subfolders of bids.  I need to prohibit specific people from opening specific sub folders.  is this possible and if so, how?
motnahp00

No true.

I just tested that on my local server by creating a word doc by right clicking and New.

Opened the new document, wrote some text and saved without an issue.
justinoleary911

ASKER
ok can you delete the document?
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
motnahp00

Disregard. I forgot one deny. The other comment was correct.
justinoleary911

ASKER
ok i need some really specific share settings here.  I just had a user log into a share I set and they couldnt modify the folder name i gave them the right to modify while keeping the ntfs advanced permission of deny delete and deny delete subfolders.  And they could delete the folder still.  can anyone tell me the exact specific permissions to set for a user for share permissions and advanced NTFS permissions.   I need the user to be able to open the share and only have access to specific subfolders.  Then the subfolders they have access to, i need them to be able to create and modify documents and folders BUT not be able to delete anything.  Anyone please tell me what exact permissions to set.  thank you
ASKER CERTIFIED SOLUTION
justinoleary911

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
deroode

IMHO "not possible" is also a valid and correct answer. Even if no points are given this question could be PAQ'ed..
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
justinoleary911

ASKER
this is not possible