justinoleary911
asked on
Windows shares with no delete
what permissions would i need to set on a windows share in server 2003 to allow users to do have rights to do everything except delete items.
Try this Open Advanced in Security and select your users group and select Deny Delete as in jpeg attached
Restrict them using NTFS permissions.
Right-click Properties -> Security tab -> Advanced -> select your users or security group -> Change Permissions -> Edit -> select Deny Delete
NTFS and Sharing permissions are cumulative with the most restrictive combination winning. So an explicit Deny will trump the Change permissions configured for Sharing.
I hope this helps.
Right-click Properties -> Security tab -> Advanced -> select your users or security group -> Change Permissions -> Edit -> select Deny Delete
NTFS and Sharing permissions are cumulative with the most restrictive combination winning. So an explicit Deny will trump the Change permissions configured for Sharing.
I hope this helps.
Be careful about using DENY - its safer simply to remove the ALLOW option for the specified group - do not DENY Everyone/Users/Domain Users otherwise no-one will be able to delete.
ASKER
ok just to calrify these permissions, under share permissions i could set full control to the security group, then under ntfs permissions I can have everything selected for allow except the delete permissions and then they can do anything except delete. right? i attached some screen shots showing exactly what i have set up, you can ignore the everyone group having full control im going to remove that.
ntfs-permissions.jpg
share-permissions.jpg
ntfs-permissions.jpg
share-permissions.jpg
Never set full control for your security groups unless it is for the Administrator group. This allows the security group to change the permissions to whatever they like. Use Modify/Change instead.
Change for Sharing
Modify for NTFS
Other than that, you got it.
Change for Sharing
Modify for NTFS
Other than that, you got it.
Beware however that Microsoft Office needs the delete right to edit files: When opening a document a new temporary document is created, and when saving the old document is deleted.
ASKER
ok so your saying theres no such permissions to have the ability to edit office docs and not delete.
the really specififc permissions i need im not sure how to set up. we have a share called bids with 4 sub folders that are not shares just subfolders of bids. I need to prohibit specific people from opening specific sub folders. is this possible and if so, how?
the really specififc permissions i need im not sure how to set up. we have a share called bids with 4 sub folders that are not shares just subfolders of bids. I need to prohibit specific people from opening specific sub folders. is this possible and if so, how?
No true.
I just tested that on my local server by creating a word doc by right clicking and New.
Opened the new document, wrote some text and saved without an issue.
I just tested that on my local server by creating a word doc by right clicking and New.
Opened the new document, wrote some text and saved without an issue.
ASKER
ok can you delete the document?
Disregard. I forgot one deny. The other comment was correct.
ASKER
ok i need some really specific share settings here. I just had a user log into a share I set and they couldnt modify the folder name i gave them the right to modify while keeping the ntfs advanced permission of deny delete and deny delete subfolders. And they could delete the folder still. can anyone tell me the exact specific permissions to set for a user for share permissions and advanced NTFS permissions. I need the user to be able to open the share and only have access to specific subfolders. Then the subfolders they have access to, i need them to be able to create and modify documents and folders BUT not be able to delete anything. Anyone please tell me what exact permissions to set. thank you
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
IMHO "not possible" is also a valid and correct answer. Even if no points are given this question could be PAQ'ed..
ASKER
this is not possible