Solved

Server 2008R2 - How to make top level folders "read only," but files and subfolders can be modified / deleted?

Posted on 2012-12-22
12
2,158 Views
Last Modified: 2012-12-23
Folder structure on a Windows 2008R2 server, active directory environment is as follows:

- Shared Folder
        - Subfolder 1
        - Subfolder 2
        - Subfolder 3
                - SuperSub folder A
        - Subfolder 4
                - SuperSub folder B

etc...

The goal is to setup the Subfolders 1/2/3/4 to NOT be able to be deleted by the "employee group," but for that same group to be able to delete files in the subfolders along with the files and the "superSub folders".

Essentially, I don't want the employees to be able to delete the subfolders themselves, but have full control over everything in them, including more nested "supersub folders".

Tips appreciated on setting this up?
0
Comment
Question by:mikeshaver
  • 5
  • 4
  • 2
  • +1
12 Comments
 
LVL 26

Expert Comment

by:pony10us
ID: 38716631
Give the "employee group" list or read only at the share level, apply to that and all subfolders and then at explicit modify at the folder that you want them to be able to manipulate the files in. This will also alow them to add additional sub folders under that folder.
0
 
LVL 40

Expert Comment

by:footech
ID: 38716651
You would define read permissions on the Shared Folder, which would apply to "This folder, subfolders, and files".  Then for each subfolder (Subfolder1, Subfolder2, etc.), you would define the additional permissions for full control and apply it to "Subfolders and files only".  In case you're not familiar with the "apply to" parameter, you will see it when you go to Advanced Security settings, click Add, specify the group, then you will see the dropdown box above all the checkboxes for permissions.
0
 
LVL 1

Author Comment

by:mikeshaver
ID: 38717108
No love.  Doesn't seem to be working, or I'm missing something...  :(

Top Level folder is called "shared" and I've right clicked it, gone to sharing/advanced sharing/permissions, added the employee group and set the permission to "read" and left full control and change unselected.

Once the above is done, all subfolders/files and their 2nd level subfolders become non deleteable.  Seems like a good start.

Then I right click and go to the properties of a subfolder.  Go to the security tab.  Click advanced.  The employees group is there, with "full control" inherited from C:\shared (the top level folder) and apply to is "this folder, subfolder and files"

Click on "change permissions," then UNselect include inheritable permissions from this objects parent.  Click "remove" to remove inherited parent permissions from this object.

Then added Administrators group with full control to "this folder, subfolders, and files"
Then I added "employee group" with full control to "subfolders and files only" also with full control.  Did not select "apply these permissions to objects and/or containers within this container only"

At this point, the folder becomes invisible to the employee group.

I went back into the permissions for the subfolder.  Added another entry for the employee group for "this folder only" and set the permissions to "traverse folder/execute file, list folder/read data, read attributes, read extended attributes, create files/write data, create folders/append data, write attributes, write extended attributes, delete subfolders and files, read permissions, change permissions, take ownership"  Of note I purposely left out "delete" as we are on the apply to "this folder only"

The subfolder is now visible, but items can't be changed/deleted within it.  The folder itself cannot be deleted (good) but nothing inside it can be either.  I tried adding the "delete" permission back in to "this folder only" in reference to the subfolder, did not work.

The permissions appear to take the "most restrictive" (read only from the share level) and ignore the specific permissions we are assigning.

??
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 22

Expert Comment

by:yo_bee
ID: 38717282
Can you post screenshots of your Security Settings?
Note: Please annotate any personal info.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 38717305
Share permissions and NTFS permissions are different.  The share permission are what you changed at the share. These permissions need to permit all users full control.

Then using the NTFS permissions (right clicking on the actual share and going into security like you do the sub folders) and set the "employee group" to read or list.
0
 
LVL 1

Author Comment

by:mikeshaver
ID: 38717320
Yup, here's the screens of what I've done.
Doc1.doc
0
 
LVL 22

Expert Comment

by:yo_bee
ID: 38717333
Those are shared permission you posted.
I was looking for your Security settings.
You need to click on the security tab and navigate to the Advanced settings.

Security Settings
0
 
LVL 22

Expert Comment

by:yo_bee
ID: 38717340
Sorry for the premature response. The images did not appear so I though that there were none.

Now that I see them. Is ZZZ your root shared folder as well?
0
 
LVL 1

Author Comment

by:mikeshaver
ID: 38717348
no, the root folder is called "shared" and the ZZZ is one of the folders underneath "shared".

Its the ZZZ folder I want to stop from being deleted, yet anything "under ZZZ" should be deleteable/editable.

Make sense?
0
 
LVL 22

Accepted Solution

by:
yo_bee earned 500 total points
ID: 38717364
Try changing the Share permission for the group to also include Change.
0
 
LVL 1

Author Comment

by:mikeshaver
ID: 38717424
Yaay!  That worked, thanks!
0
 
LVL 22

Expert Comment

by:yo_bee
ID: 38717428
Others should have been given points as well. See if you can request a points redistribution. I was not the only one that helped, more assisted.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question