Solved

Lock Down Top Level Folders

Posted on 2013-01-04
1,576 Views
Last Modified: 2013-03-28
In my file structure I have a share/mapped network drive that contains all of my company's clients. There are thousands of folders at this top level. The problem is that people drag and drop client folders into other client folders without realizing what they are doing, and it goes unnoticed until somebody can't find the missing client or somebody notices an extra client inside another client's folder.

Does anybody know how to prevent accidental drag and drop, or how to have a select user group be able to create new folders and delete at the client folder level, and restrict all others from creating, moving, and deleting client folders? I need others to be able to create, delete, and modify files and folders inside the client folder.
Question by:zimbra1510
11 Comments
LVL 22

Expert Comment

by:yo_bee
ID: 38746160
Are you looking for something like this:

Parent Folder:  Read only
       |
            Client A folder : Read only
                    |
                          Sub-Client A: Read,Write,Create, Delete
            Client B Folder : Read Only
                    |
                          Sub-Client B: Read,Write,Create, Delete
LVL 35

Expert Comment

by:Cris Hanna
ID: 38746164
This is no simple task... and the best resource for understanding this topic is here: http://technet.microsoft.com/en-us/library/cc770962.aspx   Getting to where you want to be could take literally a couple of hours of experimenting, and it is not typically something you can do typing back and forth in a forum setting.

I would take one folder and experiment with that...when you get it the way you want it, you can do that to the rest of the folders.
LVL 42

Accepted Solution

by:
kevinhsieh earned 500 total points
ID: 38746368
Using just NTFS it isn't easy. This can be fairly easily accomplished if you use DFS namespace. The share that holds the DFS namespace should have NTFS set to read-only, even for Administrators. You would have a DFS link for each client/top level folder in the share. Users wouldn't be able to move the top level folders because they would actually be DFS links. This doesn't require an NTFS change on your actual folders. You would need to create the DFS links, but that can be done from command line, which means that you can script it and use a batch file to do it.

My suggestion is that you experiment using a new DFS namespace share such as \\server\dfs-share, and point \\server\dfs-share\client-a to the current path \\server\current-share\client-a. If that works out, when you are ready to go into production you can change the current real share to a different share name, such as share$, which will hide the share from clients, and then create a new share with the original share name to hold the DFS root. By doing this the UNC paths to all files and drive mappings will remain exactly the same and no links will break.

If you don't mind a little more work, make the DFS namespace domain based instead of stand-alone. This means that the UNC path will change to be \\domain.local\DFS\client-a, but it will give you the flexibility of moving files to a new file server without having the paths change.
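The scripted link creation kevinhsieh describes, as an added example that is not from the thread or from any answerer. It assumes Windows Server 2012 or later with the DFSN and SMB PowerShell modules, a file server named FS01, the real data already re-shared as the hidden \\FS01\clients$ (backed by D:\Clients), and an empty folder D:\DfsRoot to be shared under the original name \\FS01\clients as the standalone namespace root. All of those names are assumptions for the example.

```powershell
# Added example, not code from the thread. Builds a standalone DFS namespace with
# one link per client folder, so the top level users see consists of DFS links
# (reparse points) rather than real folders that can be dragged around.
# Assumed names: server FS01, hidden data share \\FS01\clients$ (D:\Clients),
# namespace root share \\FS01\clients backed by the empty folder D:\DfsRoot.
$Server     = 'FS01'
$DataShare  = "\\$Server\clients$"
$RootShare  = 'clients'
$RootPath   = "\\$Server\$RootShare"
$RootFolder = 'D:\DfsRoot'

Import-Module DFSN
Import-Module SmbShare

# 1. The folder behind the namespace root is read-only for everyone, including
#    Administrators, as the answer suggests. SYSTEM keeps Full Control because
#    the DFS Namespace service (which runs as LocalSystem) writes the link
#    reparse points there; administrators change links through DFS Management
#    or the DFSN cmdlets, never by hand in this folder.
if (-not (Test-Path $RootFolder)) { New-Item -ItemType Directory -Path $RootFolder | Out-Null }
icacls $RootFolder /inheritance:r | Out-Null
icacls $RootFolder /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)(F)' `
                             'BUILTIN\Administrators:(OI)(CI)(RX)' `
                             'BUILTIN\Users:(OI)(CI)(RX)' | Out-Null

# 2. Share the root folder under the original share name so existing UNC paths
#    and drive mappings keep working (Read is enough: users only traverse links).
if (-not (Get-SmbShare -Name $RootShare -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $RootShare -Path $RootFolder `
                 -ReadAccess 'Everyone' -FullAccess 'BUILTIN\Administrators' | Out-Null
}

# 3. Create the standalone namespace root if it does not exist yet.
if (-not (Get-DfsnRoot -Path $RootPath -ErrorAction SilentlyContinue)) {
    New-DfsnRoot -Path $RootPath -TargetPath $RootPath -Type Standalone | Out-Null
}

# 4. One DFS folder (link) per client directory in the hidden share. Re-running
#    the script only adds links for clients that do not have one yet.
$existing = @{}
Get-DfsnFolder -Path "$RootPath\*" -ErrorAction SilentlyContinue |
    ForEach-Object { $existing[$_.Path.ToLowerInvariant()] = $true }

$added = 0
Get-ChildItem -Path $DataShare -Directory | ForEach-Object {
    $link   = "$RootPath\$($_.Name)"
    $target = "$DataShare\$($_.Name)"
    if ($existing.ContainsKey($link.ToLowerInvariant())) { return }
    New-DfsnFolder -Path $link -TargetPath $target | Out-Null
    $added++
}
Write-Host "Created $added new DFS links under $RootPath"

# 5. Sanity check: the entries users see at the top level are reparse points,
#    not ordinary folders, so the read-only root ACL is what governs them.
Get-ChildItem -Path $RootFolder -Force |
    Select-Object Name, @{n='IsLink'; e={ $_.Attributes -band [IO.FileAttributes]::ReparsePoint }}
```

For the domain-based variant from the last paragraph of the answer, replace the root creation with `New-DfsnRoot -Path "\\domain.local\clients" -TargetPath $RootPath -Type DomainV2` (assumed domain name) and build the links under that path instead; the link targets stay the same, which is what lets you move the data to another server later without changing the paths users see.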

Author Comment

by:zimbra1510
ID: 38751373
Yes, yo_bee, I am looking for something exactly like that. I have almost been able to make it work, but the Client A, Client B, etc. folders have still been able to be dragged and dropped or even cut and pasted into other folders.

I haven't tried the DFS namespace that kevinhsieh is referring to, but I think that sounds like the best way to go.  I will look more into namespaces.  Kevin do you have any more information you can share with me?
LVL 22

Expert Comment

by:yo_bee
ID: 38751536
Are you setting the Client's folder to inherit the rights? This should not be.

To get this to work I can only see it work like the way I am listing below.
If someone finds a better method please let me know.

You will need to build a hierarchy:

Client > Client A > Data

Client > Domain Users (RO)
       |  Client A > Domain Users (RO)
                | Data   > Domain Users (RW)

This structure will prevent users from creating items in the Client A folder.

As stated by Kevin this is a massive admin nightmare.

Author Comment

by:zimbra1510
ID: 38751650
I have tried the setup that you are picturing above, and it almost works. If a user tries to drag and drop, the contents of the folder are copied but the client folder remains because it cannot be deleted.
LVL 22

Expert Comment

by:yo_bee
ID: 38751739
Is this on the Client A folder or the sub-directory of the Client A --> the Client A folder?

Author Comment

by:zimbra1510
ID: 38752102
The Client A folder and Sub directory can be copied into Client B as a subdirectory, but when Client A folder is to be deleted it errors, but the contents have already been moved.  This is not what I want.
LVL 22

Expert Comment

by:yo_bee
ID: 38752212
You need to create a sub-directory in Client A, Client B and so on.
Clients and Client <Name> folders will have only read rights for domain users.

The sub-directory (for conversation purposes it will be called DATA) will have Read and Write rights.
The Read-Only on the Client <Name> directory will restrict the users from adding anything to the Client <Name> folder, but they can do what they need to in the DATA folder.

Does that make sense?

Author Comment

by:zimbra1510
ID: 38752349
I already have subfolders set up under each client folder.  I think what you're saying may work, but will have to experiment.
LVL 22

Expert Comment

by:yo_bee
ID: 38752495
So your Root > Sub-Dir > Sub-Sub-Dir.
The first two levels should be Read-Only and the third level and down should have Read-Write.
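The three-level NTFS layout yo_bee lays out in the comments above (root read-only, Client <Name> read-only, DATA read-write), applied with explicit, non-inherited ACLs. This is an added example, not code posted in the thread, and the names in it are assumptions: the share root D:\Clients, ordinary users as CORP\Domain Users, the privileged group CORP\ClientAdmins, and the subfolder name DATA. Two NTFS facts drive the design: a drag-and-drop on the same volume is a rename, which is refused unless the user holds Delete on the folder being moved or "Delete subfolders and files" on its parent; and the destination must separately refuse the creation of a new subfolder. Both ends have to be locked for the move to fail cleanly, which is why inheritance from a permissive parent has to be broken at every level.

```powershell
# Added example, not code from the thread: apply the three-level layout
# (root read-only, Client <Name> read-only, DATA read-write) with explicit,
# non-inherited ACLs. Assumed names: share root D:\Clients, ordinary users
# CORP\Domain Users, privileged group CORP\ClientAdmins, subfolder DATA.
$Root     = 'D:\Clients'
$Users    = 'CORP\Domain Users'
$Admins   = 'CORP\ClientAdmins'
$DataName = 'DATA'

function New-Ace {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit = 'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]$Propagate = 'None'
    )
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
               -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

function Set-FolderAcl {
    param([string]$Path, [System.Security.AccessControl.FileSystemAccessRule[]]$Rules)
    $acl = Get-Acl -Path $Path
    # Break inheritance and discard inherited ACEs, then drop every explicit ACE,
    # so the folder ends up with exactly $Rules no matter what it had before.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

# ACEs present at every level: the privileged group and SYSTEM keep Full Control,
# so only members of $Admins can create, rename, move or delete client folders.
$privileged = @(
    (New-Ace $Admins 'FullControl'),
    (New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl')
)

# Level 1, the share root: users may list and traverse only. No Write here means
# nobody can create a new top-level folder, and no "Delete subfolders and files"
# means the root cannot be used to delete (rename/move) a client folder either.
Set-FolderAcl -Path $Root -Rules ($privileged + (New-Ace $Users 'ReadAndExecute' 'None'))

Get-ChildItem -Path $Root -Directory | ForEach-Object {
    $client = $_.FullName
    $data   = Join-Path $client $DataName
    if (-not (Test-Path $data)) { New-Item -ItemType Directory -Path $data | Out-Null }

    # Level 2, Client <Name>: read-only and not inherited by children, so a user
    # can neither create anything directly here nor paste another client into it,
    # and without Delete on this folder it cannot be moved anywhere.
    Set-FolderAcl -Path $client -Rules ($privileged + (New-Ace $Users 'ReadAndExecute' 'None'))

    # Level 3, DATA: on the folder itself grant read plus the create rights (Write)
    # but not Delete, so DATA cannot be renamed or moved away. Everything created
    # beneath it inherits Modify (InheritOnly), so files and subfolders inside DATA
    # can be created, changed, renamed and deleted freely.
    $dataRules = $privileged + @(
        (New-Ace $Users 'ReadAndExecute, Write' 'None'),
        (New-Ace $Users 'Modify' 'ContainerInherit, ObjectInherit' 'InheritOnly')
    )
    Set-FolderAcl -Path $data -Rules $dataRules
}

# Check one client after the run: every ACE should be explicit (IsInherited False)
# and Domain Users should hold only ReadAndExecute on the client folder itself.
(Get-Acl -Path (Join-Path $Root 'Client A')).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
```

Run this as a member of the privileged group (or as an administrator who owns the folders), since Set-Acl needs the right to write the DACL. After it runs, a user who drags "Client A" onto "Client B" is refused at the destination (no Write on Client B) and at the source (no Delete on Client A, no Delete-child on the root), so nothing is copied and no empty folder is left behind; the same user can still do everything they need inside Client A\DATA.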