Users accidentally deleting or moving folders on our file servers via Windows Explorer drag-n-drop

Posted on 2012-08-13
Last Modified: 2012-09-17
We have a regular problem with network users accidentally moving or deleting folders on our file servers via Windows Explorer drag-n-drop. Finding and/or recovering the folders becomes a daily headache for users and IT staff.

On our new file server (“FS01”), we would like to set the directory permissions using some form of “best practices”.

The share on our new file server that users will map the H: drive to: \\FS01\Files

Directory Structure:
Etc, etc, etc.

The folders (00001 – 0005) are our mission critical folders. Each of these folders contains additional subfolders and files.

We would like to prevent users from moving/deleting/renaming folders at the 0001 parent folder level - but - still be able to work freely (moving/deleting/renaming objects) within the child subfolders.

Any suggestions on how best to set the Share and NTFS access permissions to meet these requirements? This should prevent users accidentally moving or deleting folders on our file servers via Windows Explorer drag-n-drop.

Thank you.
Question by:GoodEnoughThen
    LVL 13

    Assisted Solution

    Permissions flow like a waterfall.  The permissions flow from parent to child, until there is a change.

    Determine what you want from the root level (H: Drive) and then "Break" or change the permissions when you hit the 0001 level.  This might be an administrative nightmare as if more "000" folders are added you'll need to update the permissions accordingly.

    On a personal note:  File shares are an archaic technology.  I personally look for a document management solution to manage files specifically for this reason.  Users tend to not know what the latest version of a file is, there's copies of it everywhere and people are deleting/changing things all the time.  I usually look into a SharePoint (Free) solution and migrate the data from file shares to a web based interface that is easily used.  File shares should be used for large files (installs or ISO's) that don't make sense in a document management solution.
    LVL 17

    Assisted Solution

    by:Brad Bouchard
    Try setting the most minimal permissions possible for them to get what they need done.  Give them "list folder contents" on all the top level folders, and then give them higher permissions progressively in each sub folder.  Also, try turning on Shadow Copies so you can go backwards if you need to if someone deletes or removes/renames something; that way you don't have to go perusing through your backup every time that happens.
    LVL 52

    Assisted Solution

    Also look at this: - drag'n'drop interceptor.
    LVL 4

    Accepted Solution

    I re-did our entire facilities a year back. Essentially I set it up like this:

    Network Files (share this folder)> Departments > Department Name > Folders in department

    Basically give only read rights all the way down to Department name. Disable inheritance for the security settings for the department folders to what you would like.

    Make security groups for each department, give access only to those in that department.

    For the folders in the departments, if there are any folders that need to be separate from the rest of the users, give only access to those users.

    The main thing is there is a setting on the server in the file view settings, where you can set it to hide folders users don't have rights to. With that, and giving parent folders only read rights, you can completely eliminate people accidentally deleting the folders.
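
The layout described in the accepted answer, applied to the asker's \\FS01\Files share, as an added example that is not part of the original thread. It assumes the share is backed by the local path D:\Files and that users are members of a group named CONTOSO\Files-Users; both names are hypothetical.

```powershell
# Added example, not from the thread. Assumptions: the share \\FS01\Files is backed by
# the local path D:\Files and users are in the hypothetical group CONTOSO\Files-Users.
# Run elevated on the file server (Get-ChildItem -Directory needs PowerShell 3 or later).
$Root  = 'D:\Files'
$Group = 'CONTOSO\Files-Users'

function New-AllowRule([string]$Identity, [string]$Rights, [string]$Inherit, [string]$Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

function Set-ProtectedAcl([string]$Path, $UserRules) {
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)        # stop inheriting, drop inherited ACEs
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRuleSpecific($old)            # clear existing explicit ACEs
    }
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-AllowRule $id 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
    }
    foreach ($rule in $UserRules) { $acl.AddAccessRule($rule) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Share root: users may list and traverse only (applies to this folder only).
$rootRule = New-AllowRule $Group 'ReadAndExecute' 'None' 'None'
Set-ProtectedAcl $Root @($rootRule)

# A folder can be deleted, renamed or moved only with Delete on the folder itself or
# "Delete subfolders and files" on its parent. Users get neither for top-level folders.
$thisFolder = New-AllowRule $Group 'ReadAndExecute, CreateFiles, CreateDirectories' 'None' 'None'
# Inherit-only Modify: users work freely on everything below the top-level folder.
$children   = New-AllowRule $Group 'Modify' 'ContainerInherit, ObjectInherit' 'InheritOnly'

Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    Set-ProtectedAcl $_.FullName @($thisFolder, $children)
    # Print the resulting ACEs for review.
    (Get-Acl -LiteralPath $_.FullName).Access |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

# Hide folders a user cannot read (access-based enumeration; Windows Server 2012 or later).
Set-SmbShare -Name 'Files' -FolderEnumerationMode AccessBased -Force
```

Subfolders that already have inheritance disabled keep their own ACLs and need to be reviewed separately.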
