We help IT Professionals succeed at work.

Users accidentally deleting or moving folders on our file servers via Windows Explore drag-n-drop

We have a regular problem with network users accidentally moving or deleting folders on our file servers via Windows Explorer drag-n-drop. Finding and/or recovering the folders becomes a daily headache for users and  IT staff.

On our new file server (“FS01”), we would like to set the directory permissions using some form of “best practices”.

The share on our new file server that users will  map the H: drive to:  \\FS01\Files

Directory Structure:
Etc, etc, etc.

The folders (00001 – 0005) are our mission critical folders. Each of these folders contain additional subfolders and files.

We would like to prevent users from moving/deleting/renaming folders at the 0001 parent folder level - but - still be able to work freely (moving/deleting/renaming objects) within the child subfolders.

Any suggestions on how best to set the Share and NTFS access permissions to meet these requirements? This should prevent users accidentally moving or deleting folders on our file servers via Windows Explore drag-n-drop.

Thank you.
Watch Question

Top Expert 2012
Permissions flow like a waterfall.  The permissions flow from parent to child, until there is a change.

Determine what you want from the root level (H: Drive) and then "Break" or change the permissions when you hit the 0001 level.  This might be an administrative nightmare as if more "000" folders are added you'll need to update the permissions accordingly.

On a personal note:  File shares are an archaic technology.  I personally look for a document management solution to manage files specifically for this reason.  Users tend to not know what the latest version of a file is, there's copies of it everywhere and people are deleting/changing things all the time.  I usually look into a SharePoint (Free) solution and migrate the data from file shares to a web based interface that is easily used.  File shares should be used for large files (installs or ISO's) that don't make sense in a document management solution.
Brad BouchardInformation Systems Security Officer
Try setting the most minimal permissions possible for them to get what they need done.  Give them "list folder contents" on all the top level folders, and then give them higher permissions progressively in each sub folder.  Also, try turning on Shadow Copies so you can go backwards if you need to if someone deletes or removes/renames something that way you don't have to go perusing through your backup everytime that happens.

Distinguished Expert 2019
Also look at this: http://www.sw2go.nl/DDIntercept/index.htm - drag'n'drop interceptor.
I re-did our entire facilities a year back. Essentially I set it up like this:

Network Files (share this folder)> Departments > Department Name > Folders in department

Basically give only read rights all the way down to Department name. Disable inheritance for the security settings for the department folders to what you would like.

Make security groups for each department, give access only to those in that department.

For the folders in the departments, if there are any folders that need to be separate from the rest of the users, give only access to those users.

The main thing is there is a setting on the server in the file view settings, where you can set it to hide folders users don't have rights too. With that, and giving parent folders only read rights, you can completely eliminate people accidentally deleting the folders.

Explore More ContentExplore courses, solutions, and other research materials related to this topic.