Solved

Disable Folder Deletion in AD 2008

Posted on 2012-08-20
Last Modified: 2012-08-21
Hi folks! My company runs an AD 2008 network and I am trying to configure permissions on a test folder on the file server so as to disallow people from being able to delete any subfolders inside of it. I do not want to do this to the files to avoid a buildup of .tmp files when people are working, but is there a way to configure permissions on a folder to disallow subfolder deletion only, leaving the rest of the permissions alone? Thanks!
Question by:mrosier
13 Comments
 
LVL 10

Expert Comment

by:George Khairallah
ID: 38313693
You can specify an advanced ACL on the parent folder, apply it to "Sub Folder" only, and specify a "Deny" permission on the "Delete" ACL for the users in question.

Would that do what you want?
 

Author Comment

by:mrosier
ID: 38313743
I will give that a try tomorrow and get back to you on the results, but that is basically what I want to happen. I want users to be able to delete files but not folders inside this directory. I am having trouble getting the permissions to work properly, so I will report back tomorrow morning Eastern Standard Time. Thanks for the reply!
 
LVL 10

Expert Comment

by:George Khairallah
ID: 38314232
I made a quick video for you with the ACLs necessary to accomplish this.
http://www.youtube.com/watch?v=POL6-1cdf0Q
 

Author Comment

by:mrosier
ID: 38317107
Hi Gkhairallah! I took your first post as it seemed best suited and simplest to my needs. It works out properly, BUT it is not allowing me to rename folders inside the parent folder as I need to create them. More simply put, I would like to be able to create without restraint, but just prevent folder deletion.
 
LVL 10

Expert Comment

by:George Khairallah
ID: 38317181
I have played around with the original idea that I had suggested, and I wasn't able to create a setup that would allow just folders to not be deleted.

Also, I had a couple of questions regarding this:
1- Do you want users to be able to create folders under the parent folder? What about under subfolders?
2- Do you want users to be able to create/modify/delete files right under the parent folder?
3- Do you already have a specific set of folders under the parent folder to which you want to apply the read-only ACLs? And are these only going to be changed administratively (i.e. by you)?

BUT it is not allowing me to rename folders inside the parent folder as I need to create them
Also, by the way ... I had assumed this, but I will clear it up. You will need a SEPARATE ACL for the admin account who will be managing the folders.
So, for instance, if you apply the ACL to do read only on the folders for your "OfficeGroup", you would need to create a separate ACL within that folder for the "ITDept" with Modify privileges. Otherwise you'll end up locking your users out of making modifications as well :)

Make sense?
 

Author Comment

by:mrosier
ID: 38317223
Ahhh, yes, that does make sense, and I was adding the administrator user account as separate from these with all permissions granted to avoid locking myself out of the car, so to speak. To answer your questions:

1. I do want users to be able to create folders and name/modify them, I just don't want them to be able to delete them.
2. As far as file creation/mod/del in the parent folder, I don't really mind what they can do in this capacity. If they stick files there then no problem, I mainly want the folder structure not to go anywhere once it is in place, short of renaming.
3. I do not have subfolders already set up, and I am good with the users doing this themselves and changing their names, saving files to them, deleting files inside them, etc. I just basically have the parent folder, a set folder structure right under it that the users create, and I want to make sure those folders can't go anywhere by accident.
 
LVL 10

Expert Comment

by:George Khairallah
ID: 38317386
OK ... well, I think doing this would be problematic because of the way the ACLs inherently work.
So for instance, if you want to give the user the privilege to rename a folder, that user will need the Modify privilege, which will include Delete. (I believe internally, when you rename, you are partially taking advantage of the Delete ACL.)

You can do what you want, provided that you do have the folders, and you set ACLs on them separately from the parent folder.

I do have an alternative for you though. Have you heard of the CREATOR/OWNER option? I'm assuming if someone created a folder, you'd be OK if they deleted it. This would actually be better for you from a management perspective, as you wouldn't have to clean up junk folders that users may have inadvertently or on purpose created and then weren't able to delete.

So, if you set the permission of CREATOR/OWNER, it would be a special ACL, that would apply to the owner of the folder.
If user1 creates a folder, then they have privileges to edit/delete their own files, but not the folders/files of user2.
user2, on the other hand, would have the same privileges on their files.

The rest of the permissions would be applied in a separate ACL.
So, here's an example of how I'd set it up (if that is viable for you from a business perspective)

On the parent folder, SubFolders/Files: CREATOR/OWNER: Modify
On the parent folder, Folder/SubFolders/Files: DepartmentUserSecurityGroup: Read privileges, and in the basic ACL, only select "Write", but not modify. This will give that group privileges to write anywhere, but not delete.

What this will do:
Owner can create files,  folders anywhere.
Owner can delete files, folders THAT THEY OWN anywhere.
Anyone can create files anywhere, and can only delete their own stuff (including their own folders).

Sorry this is a bit convoluted, I'm trying to match what you're looking for as closely as possible within what's technically possible within the NTFS ACLs.
 

Author Comment

by:mrosier
ID: 38317453
That could be good, that way if something disappears it can only be one person's doing. How do I configure creator and owner?
 
LVL 10

Accepted Solution

by:
George Khairallah earned 2000 total points
ID: 38317516
Exactly.
For the Creator Owner, there is a built-in ACL specific for that. Just like you usually put in a user or a security group, instead just type in CREATOR OWNER, set the permissions to apply to Subfolders and Files, and check the Allow checkbox in the following:
Traverse folder / execute file
List Folder / read data
Read attributes
Read extended attributes
Create files / write data
Create folders / append data
Write attributes
Write extended attributes
Delete
Read Permissions

Then also add the ACL for your users on the parent folder, and in the basic ACLs, check :
Read & Execute
List Folder Contents
Read
Write
Note that "Modify" remains unchecked.

Does this help?
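The accepted answer's two ACEs, plus the separate admin entry George mentioned earlier in the thread, expressed as a PowerShell script. This is an added example and not code from the thread; the folder path and the group names are placeholders, and the script must run with rights to change the folder's ACL.

```powershell
# Added example, not from the thread: applies the accepted answer's ACEs with PowerShell
# instead of the Advanced Security dialog. Folder path and group names are placeholders.
$Parent     = 'D:\Shares\TestFolder'      # placeholder parent folder
$UserGroup  = 'CONTOSO\DepartmentUsers'   # placeholder department security group
$AdminGroup = 'CONTOSO\ITDept'            # placeholder group that maintains the structure

$CI = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$OI = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$IO = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$NP = [System.Security.AccessControl.PropagationFlags]::None

function New-AllowAce($Identity, $Rights, $Propagation) {
    # Every ACE here flows to subfolders and files; $Propagation decides whether the parent
    # folder itself is included (None) or excluded ("Subfolders and files" = InheritOnly).
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, ($CI -bor $OI), $Propagation, 'Allow'
}

# 1. CREATOR OWNER (well-known SID S-1-3-0) on "Subfolders and files" only. The ten rights
#    are the Allow boxes from the accepted answer; Delete lets a creator remove or rename
#    only what they created. .NET adds Synchronize to Allow ACEs by itself.
$creatorOwner = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-0'
$ownerRights  = [System.Security.AccessControl.FileSystemRights](
    'Traverse,ListDirectory,ReadAttributes,ReadExtendedAttributes,CreateFiles,' +
    'CreateDirectories,WriteAttributes,WriteExtendedAttributes,Delete,ReadPermissions')

# 2. Department users on "This folder, subfolders and files": the basic boxes Read & Execute,
#    List Folder Contents, Read and Write map to ReadAndExecute + Write. Modify is left out
#    on purpose because it carries Delete, and renaming a folder needs Delete.
$userRights = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write'

# 3. The separate admin ACE from earlier in the thread, so the maintainers are not locked out.
$adminRights = [System.Security.AccessControl.FileSystemRights]::Modify

$acl = Get-Acl -Path $Parent
$acl.AddAccessRule((New-AllowAce $creatorOwner $ownerRights $IO))
$acl.AddAccessRule((New-AllowAce $UserGroup   $userRights  $NP))
$acl.AddAccessRule((New-AllowAce $AdminGroup  $adminRights $NP))
Set-Acl -Path $Parent -AclObject $acl

# Check the result: the department group's entry should show no Delete right.
(Get-Acl -Path $Parent).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Files and folders created before the change keep their existing owner, so CREATOR OWNER only affects items created after the ACE is in place.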
 

Author Comment

by:mrosier
ID: 38317526
Yes, I understand. Do I need to explicitly Deny anything?
 
LVL 10

Expert Comment

by:George Khairallah
ID: 38317534
Negative. Denying should be left for very special circumstances as it overrides any allow permissions. So its uses are very specific. Not in this case though.
 

Author Comment

by:mrosier
ID: 38317633
Excellent, thanks so much, this has done just that! I can create things myself and then another user cannot delete it! That should meet my needs! Much appreciate your help!
 
LVL 10

Expert Comment

by:George Khairallah
ID: 38317643
My pleasure. Glad I could be of assistance.
Best,