Windows folder permissions: deny delete - allow rename

Ess Kay
I have a server with a shared folder on Windows Server 2005
(see picture).
I set delete to disallow. How do I allow people to rename folders and files without allowing them to delete files and folders?


The people who use this are not tech savvy, so it must only be done by the IT department, not a workaround by the user.

Thanks in advance.

permissions

IT Specialist (Server Management)
Commented:
You cannot rename the file without the Delete file Allow permission, because renaming a file actually deletes the file. This is a limitation of the OS and there is no workaround for this problem. You can use the search function on EE to find this question already answered.

Author

Commented:
I understand the above method does not work. I am not asking why


QUESTION is: how to do this.
Answer: You can't. Without delete permission you can't rename either.

Sometimes the answer is "you can't do that."
Top Expert 2016
Commented:
Under the Security setting, click on Advanced, then Add to add your user(s), and in the dialog box that follows click on all the Allow buttons EXCEPT these: Full Control, Delete SubFolders and Files, Delete, Change permissions and Take Ownership.

The user(s) will be able to do most anything except Delete or Rename.

Mind you a malicious user can MODIFY a file and save the new version that is a NULL or empty file.

**Edited off-topic comments** -JARmod101

Author

Commented:
That won't be an issue. We don't have malicious users, just illiterate ones.

Author

Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for esskayb2d's comment #38059802

for the following reason:

Customer is right. Please answer the question, not debate it :)
Question was answered. OP doesn't like the answer of "you can't do that".
Actually, "You can't do that" is a valid answer.

**Edited text to remove off-topic comments** -JARmod101
Top Expert 2016
Commented:
No, the correct answer is that it cannot be done, and this is by design.

According to the research, the demand actually cannot be done with the NTFS file system. If a user wants to rename a folder, he/she should have the "Delete" NTFS permission on the folder or file. Removing delete permission from the user or group brings a limitation that the user will not be able to rename the folder. This is because the "rename" operation is also included within the "Delete" permission, which is by design.

http://social.technet.microsoft.com/Forums/en/winserverfiles/thread/8d8ac23d-d5b2-4b38-99c8-84283dcfdfed

Author

Commented:
I am looking for something like


1st Security - which I used in the past

It is a 3rd party application which can restrict access. I have not tested it with networks, which is why I ask in this paid forum from professionals.

**Edited text to remove off-topic comments** -JARmod101

Author

Commented:
I contest your opinion JARmod101.

With the example that I have given, it CAN be done. I have used that program on individual computers years ago.
Just because the 3 people responding do not know any solution for it does not mean it does not exist.

Please allow me to close this and open a fresh question

Author

Commented:
Perhaps there is a way to delete a file only after it has been copied.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
That might work for a folder, but not for a file.

The only way that would work is to submit a request to someone with permissions to be able to delete the file and get them to do it, or get someone to write a script to be able to achieve this with the relevant permissions.

Either way - your question has been answered and should be closed, awarding points to the Experts who advised you that this can't be done accordingly.

If you want to open up a new question and ask for someone to help you to devise such a script to get around the NTFS limitations of renaming a file, then that would be the appropriate action to take and then you can add the question to the correct zones.

Alan

Author

Commented:
The question was: "how do i allow people to rename folders and files without allowing them to delete files and folders"

Not how do I do this using Windows native commands or functions.

This has not been answered.
Alan Hardisty, Co-Owner
Top Expert 2011
Commented:
The answer is you can't.  You can't allow them to do this at the same time as disallowing them the delete file permission, but you can allow an administrator or someone with suitable permissions to be able to.

You might want to try asking in a scripting zone for someone to help you to write a script to make it happen, but don't hold your breath as the person executing the script will need the relevant permissions.

Not sure what else anyone can say here.
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013
Commented:
"what you are asking to do is not possible on a Windows System using NTFS File Permissions."

It is DEFINITELY not possible with FAT/FAT32.

So, Windows native commands or functions, or using third party utilities, IT IS NOT POSSIBLE since Windows only runs on FAT/NTFS partitions. Even in 2012, ReFS, your system can't boot from a ReFS partition (this is not to say you can do what you want with ReFS, but rather to illustrate that only NTFS and FAT partitions are viable).

Let me put this another way...

You have several highly qualified people saying you can't do that.

I'll add that YES, I'm sure you can... throw enough money at any problem and you can get your way... problem is, to do this, you'd have to (likely) pay Microsoft BILLIONS for them to devote the resources to accommodating you.  If there's no market demand for what you're requesting, you're not going to get it without funding it yourself.

> I have used that program on individual computers years ago.
What is "THAT" program?  I submit that you are misremembering things similar to how you're misremembering the name of Windows - there was no "Windows Server 2005".  I've been in IT for nearly 20 years and have fairly extensive experience (or so most people think) and don't recall anything like this ever existing.

Author

Commented:
Maybe if I add a scenario and rephrase the question this will help.

We have Techs bring their cameras with jobsite photos to the SHOP computer(s).
(Sometimes the photos are a month old or more.)

The folders on the photo server have a hierarchy which looks like this:
//Photos / y / m / d / job / empl / picture.ext
IE:
2010
2011
2012
 -jan
 -feb
 -...
 -july
    --01
    --02
       ---workorder 123456
       ------employee 336
                    ---picture1.jpg
                    ---picture2.jpg
                    ---picture3.jpg

When an employee comes they should not be able to delete older photos.


When they create a new folder, however, it is always titled 'New Folder'
and must be renamed accordingly to the tech's name, date, etc...


How can this be done?
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
If the employee is the one denied the Delete File / Folder permissions, then the employee is not going to be able to rename the New Folder - end of story.

If you get someone without the Deny Delete permission to Create and Rename the folder, then the employee can use the relevant folder after it has been renamed accordingly.

This will involve two people.  One with Delete File / Folder permissions and the employee without.  No other way around it if you deny employees the ability to delete files / folders.

Perhaps you can have an area where employees CAN delete files / folders and then once they have uploaded the photos, the files are copied to the area where the Employees can't delete the Files / Folders?

Author

Commented:
It has to be one person doing it. They are understaffed. There is also no onsite IT.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Okay - then for the umpteenth time - it can't be done.

Author

Commented:
I understand that it is problematic. If it was easy I would have had it done myself by now.


This site is for solutions.

I want a "Solution".

I cannot accept 'don't add security' as a solution.

The issue arises when techs delete the folders.
There are up to 80 techs a day uploading pictures
for multiple jobsites. We cannot trust each one to be loyal or smart.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
It isn't problematic - it is impossible.

You can't do what you want to do and that is something you need to come to terms with.

Whilst you may not accept that this is a solution, as far as Experts Exchange is concerned, that is the solution.  "It cannot be done" is and always has been a valid solution and as such, this question should be closed accordingly awarding points to the experts who advised you that it can't be done.

You can rephrase the question, ask it in a different way, whatever you wish to try and find a different answer, but the answer is always going to be the same - it isn't possible.

I have told you this, Lee has told you this, the Moderators have told you this, other Experts have told you this - the only one here not accepting this is you.

What is it going to take for you to take this on board?
Top Expert 2016

Commented:
Then give each tech an individual dedicated folder to upload the pictures, and YOU can run a batch job to move them into a folder where the techs do not have delete permissions. This batch job can be automated with Task Scheduler.

Author

Commented:
An alternative solution. Something that will enforce a sort of security.

Is there a way to restrict delete on older files?
Example: files or folders created more than one day ago.
Top Expert 2016

Commented:
No, again, you can't do that. Just do what I suggested, and give everyone that doesn't need to modify files just READ access to the photo library.

Author

Commented:
@ve3ofa
1st suggestion: I have thought of that, but as you can see in the outlined list above, there are too many folders. Techs with bad memory will forget which folders they uploaded yesterday or last week.
I have proposed this idea months ago, it does not suit the situation.


2nd suggestion: Shop computers are all always logged into a user named SHOP.
Techs have no personal access to the network. The computers stay on, they connect the cameras via USB or chip readers.
Also, techs come and go like revolving doors. Adding new users for techs will be a full time job in itself.


Sorry for the frustration guys, but how long has it been since someone really picked your brain?

If it was an easy task, I would not post it. As you can see by my profile, I only ask hard stumping questions.


I do think that your first suggestion is the best I've seen so far. Most others here are not acting professionally. Thanks for your suggestions ve3ofa.
Top Expert 2016

Commented:
Either way, have them upload the pictures to a different folder and not THE PICTURE LIBRARY, and have this filemover move the files as they're uploaded (again using Task Scheduler and a bit of scripting). Make a folder on the desktop: "upload photos here".

Author

Commented:
It's a good concept and would work for 'todays workorders' since they can all be dumped in one folder.

What of people who have a week's worth of pics?
Top Expert 2016

Commented:
How would they have them organized on their thumb drive? They could double click on the icon, which would give them an Explorer window, and they could do as per normal and drag and drop as they are used to. Remember this is just going to a temporary staging area. Every so often the task will wake up and clean up the folder, say every 5 minutes, or you could make a simple app that has a big "done" button; you could even ask for the date / job number / location etc. and make the directories for them. Once the "done" button is done then the files are moved into the photo library.

Author

Commented:
I'll give you an example where this seems tough.

John Doe has been taking pictures 4 days
His camera has several workorders
These pics should be sent to these folders:
C:/2012/12/30/98881 MCds/john doe/
C:/2012/12/31/98881 MCds/john doe/
C:/2012/12/30/98882 hsbc/john doe/
C:/2013/01/01/98881 cvs/john doe/
C:/2013/01/01/98885 wallmart/john doe/
C:/2013/01/02/98887 bmw/john doe/

Author

Commented:
Each folder holds 14-30 pictures

Also, the people working are physical labor techs, not IT people (plumbers, construction, drivers, electricians, etc.).
Top Expert 2016

Commented:
What is it, Estimated Completion Date\ordernumber\contractname\contractor?

And the tradesperson is supposed to remember which picture goes where after being in the field for a few days??  picture using camera or phone (or whatever they have onhand?) :->

Author

Commented:
There's paperwork that says when they've been to a jobsite, and all photos have timestamps on them.

Author

Commented:
If the paper said they fixed homedepot on the 3rd between 7-10 and the pics have a matching time and date, that's the folder they go into.

Author

Commented:
The directory is like this drive:/yr/mo/day/workorder#&location/techname/

Folders get created by the tech. Sometimes techs don't take photos because there are 20 techs working, so generating empty folders is not practical.
This whole mess you're outlining is avoidable. Here's the issues I see from what you've described so far:
Every tech and contractor is doing their own thing with regard to file and folders.
Users are sharing accounts.
You need to protect already-uploaded files from deletion
The folder structure is a mess.

So, one solution isn't going to fit.
First off, stop using shared accounts. They remove all accountability. Yes, it's a PITA to create new accounts all the time. Too bad.
Second, have a process in place for the contractors and techs and follow it. People who don't get written up and let go as needed.
Third, you need to analyze the folder structure and get it into some kind of order. I'd recommend WorkOrder > YYYYMMDD only. Techname and location should be readily available through a central workorder DB anyway.
Fourth: Get SharePoint. It'll make managing this a hell of a lot easier for those on the road by requiring only an internet connection and browser. Additionally, you should be using a scripted solution to move the files around, likely outside of normal business hours.

Author

Commented:
The folder system works better than wo-->yymmdd

Because, if they need to see work done last tuesday it will be in  c:/ 2012/june/23

Author

Commented:
Custom accounts will not work. There is one computer with 20 people standing around uploading pictures between jobs sometimes. There is no time to log on and log off.
I would suggest then within the parameters you've outlined, there is no solution. This is as good as it's going to get.
Top Expert 2016

Commented:
All you can do is use a custom app or script that will move the files from the 'staging' area  (as I  mentioned in #38181178) into your protected area. Other than that I see no solution

Author

Commented:
So, if no one knows, I'd like to close this with no answer.

Author

Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for esskayb2d's comment #38197085

for the following reason:

No one can help
Multiple people have been helping with what's turned into multiple questions in a single already-answered one (to which the answer was, "You can't do that"), only to get the answer back from OP "I don't want to do that".

I recommend delete with no refund.
Top Expert 2016

Commented:
concur

Author

Commented:
That's not a solution.

Author

Commented:
I think it can be done somehow, and don't want to mark off the wrong answer.

I mean, securing a network can't be done is absurd.
Top Expert 2016

Commented:
According to the research, the demand actually cannot be done with the NTFS file system. If a user wants to rename a folder, he/she should have the "Delete" NTFS permission on the folder or file. Removing delete permission from the user or group brings a limitation that the user will not be able to rename the folder. This is because the "rename" operation is also included within the "Delete" permission, which is by design.

It is possible if you add Owner Rights as well as the user, then that user can create and delete their own files but not others. You have to enable modify on Owner Rights.
Source
The problem is that creating users and having users logon /logoff is too much of a problem for your site. This site restriction lowers the security by a thousand fold.

Security and ease of use have always been inversely related to each other.. the more you increase one the more you decrease the other.

Author

Commented:
What would you do if you were in my case.

Folder structure has to stay since it is most descriptive and practical for the client.

Techs are not users, so they use a single user
If they ever get on the network. Though sometimes they email the pictures and an office staff user will upload it to the folder.


I like the idea of uploading to a temp folder (v3, then having it moved to the protected directory.  The problem is figuring to which folder it will be loaded
What would you do if you were in my case.

I would:

Listen to the consensus opinion that has citations that it is correct.
Listen to the considered opinions that says you need different users to allow other solutions to work.
Listen to the technical experts when they advise you're doing it wrong.


That is what I would do.

Author

Commented:
There's over 3 million pictures already there. With workorders from 2006

Changing the layout is crazy and harder to find things by date
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Solution 1 - it isn't possible.
Response 1 - I don't accept that as a solution.

Solution 2 - Change the way you do things presently.
Response 2 - That's crazy as we have over 3 million pictures.

Solution 3 - Accept that you might have got this wrong from the beginning and that you might need to start again, doing it properly this time around and then you might just have a solution that will work.
Response 3 - Okay - I'll take that on board and run with it because it might just be the only way to get this working in the specific way that I want it to?

Or am I being a little optimistic here?  But then again - what do we know?  We are only Experts!
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
On a slightly less sarcastic note, why don't you try to setup what has been suggested for new jobs and run with it to see if it works.  If it does, then you can implement it permanently and massage the old photos into the new structure.

If it doesn't work, then you only have to massage a few folders into your existing structure and either give up on the solution, or continue searching for a different solution, knowing that you may never find one.

Author

Commented:
I think it's talks like these... where the real solutions are born.

Does anyone program in assembly? I may have an idea how to fix this.

Author

Commented:
Hypothetical, but I suppose the name is coded into the folder, which takes up parts of the folder header,

so when you rename, if it doesn't erase, it will write over data,

which is why it must be erased and copied back with the new name

as below

problem with renaming folder without delete

so, with some assembly manipulation, we can change the name to something with delete disabled,
as long as the new name has less bytes than the old one
..by replacing the bytes to display the proper letters of the name
Qlemo, "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
Viewing this from the "use a temp folder and a script" viewpoint, it should be possible to translate any (temporary) folder structure containing all relevant info, but being easier to create, into the appropriate structure already existing. For example, a temp folder could be

\Uploads
  \Worker1
    \yyyymmdd\location
  \Worker2

and so on, or any variation, e.g. first location, or the date as yyyy-Mon-dd, or whatever. The script to transfer data could be triggered by the worker or on schedule.
If you want to go that route, you should post a new question in the Scripting subtopic areas. Make sure to properly state the limitations and options (like whether PowerShell, VB Script etc. are options).
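
The staging-folder approach suggested in the comments above, sketched in PowerShell as an added example (not code from any participant in the thread). It assumes the `\Uploads\<worker>\<yyyymmdd>\<location>` staging layout from the last comment, hypothetical `D:\Uploads` and `D:\Photos` roots, and a scheduled task running under an account that can write to the library while the shared SHOP account has read-only access there.

```powershell
# Added example: staging-to-library mover. All paths, the staging layout and the
# two-minute settle time are assumptions for illustration, not values from the thread.
param(
    [string]$StagingRoot = 'D:\Uploads',  # hypothetical: SHOP account has Modify here
    [string]$LibraryRoot = 'D:\Photos'    # hypothetical: SHOP account has Read only here
)

function Get-LibraryDirectory {
    # Maps "<tech>\<yyyyMMdd>\<workorder location>\<file>" (relative to staging)
    # to "<library>\<yyyy>\<MM>\<dd>\<workorder location>\<tech>".
    param([string]$RelativePath, [string]$LibraryRoot)
    $parts = $RelativePath -split '\\'
    if ($parts.Count -ne 4) { return $null }
    $tech, $stamp, $job = $parts[0..2]
    $date = [datetime]::MinValue
    $parsed = [datetime]::TryParseExact($stamp, 'yyyyMMdd',
        [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::None, [ref]$date)
    if (-not $parsed) { return $null }
    [IO.Path]::Combine($LibraryRoot, $date.ToString('yyyy'), $date.ToString('MM'),
        $date.ToString('dd'), $job, $tech)
}

$StagingRoot = (Resolve-Path -LiteralPath $StagingRoot).ProviderPath.TrimEnd('\')
$settled = (Get-Date).AddMinutes(-2)

Get-ChildItem -LiteralPath $StagingRoot -Recurse -File | ForEach-Object {
    $relative = $_.FullName.Substring($StagingRoot.Length + 1)
    $targetDir = Get-LibraryDirectory -RelativePath $relative -LibraryRoot $LibraryRoot
    if (-not $targetDir) {
        Write-Warning "Left in staging (unexpected layout): $relative"
        return
    }
    # A copy from a camera keeps the photo's own LastWriteTime, so use CreationTime
    # (set when the file lands in staging) to skip uploads that may still be running.
    if ($_.CreationTime -gt $settled) { return }

    [void][IO.Directory]::CreateDirectory($targetDir)
    $target = Join-Path $targetDir $_.Name
    if (Test-Path -LiteralPath $target) {
        # Never overwrite a photo already in the library; keep both copies.
        $suffix = Get-Date -Format 'yyyyMMddHHmmssfff'
        $target = Join-Path $targetDir ('{0}_{1}{2}' -f $_.BaseName, $suffix, $_.Extension)
    }
    try {
        # Copy then delete, not Move-Item: a move within one volume keeps the ACL the
        # file had in staging, while a copy inherits the library folder's permissions.
        Copy-Item -LiteralPath $_.FullName -Destination $target -ErrorAction Stop
        if ((Get-Item -LiteralPath $target).Length -eq $_.Length) {
            Remove-Item -LiteralPath $_.FullName -ErrorAction Stop
        }
    } catch {
        Write-Warning "Will retry next run: $relative ($($_.Exception.Message))"
    }
}
```

Files that do not match the expected layout stay in staging with a warning, so a mistyped date folder is never silently filed in the wrong place.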
