NTFS Permissions Question

Posted on 2013-01-08
Last Modified: 2013-01-16

I have a client that wants to have a shared folder on a Windows 2003 server with special permissions. He wants all users to be able to see the contents of this folder, and to be able to create and save documents to this folder. However, he only wants the document creator to be able to make changes to said document, and all other users to have read only access. Basically, he wants it so that only the creator of the document can make changes to that document, and everyone else can only modify documents they have created themselves.

Is this something that can be done? I have played around with the permissions and have had no luck. It seems that the only way to do this would be to modify permissions on each document and define a document owner every time a new document is created. This would be a huge hassle. If anyone has any suggestions or an answer to this question it would be greatly appreciated. Thank you!
Question by:timinoldsmar
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 10

Expert Comment

ID: 38756846
What type of documents?
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 250 total points
ID: 38756854
Yes, I believe you can do this, but you'll want to test lab it first.

Remove any write/modify permissions from any users groups and disable inheritance on the folder in question.

Now, all of the following will need to be done from the "advanced" section of the security settings. Add a new permission and set the group to the group(s) of users you want to have permissions to create new files. Set the inheritance to "this folder and subfolders." Give them the "create files/write data" permissions, as well as the various read permissions. This will allow the users to create new files without problem and whoever creates the file will be considered the "owner." The inheritance of "folder and subfolders" will *prevent* this group from getting write permissions to any files though.

Second, add a new permission for the user "Creator Owner." Set the inheritance to "folders, subfolders, and files." And then give that the permissions to all of the various write permissions. This will allow the owner to modify their own files as the inheritance will carry down all the way to the file level, including newly created files.

Good luck.

LVL 70

Expert Comment

ID: 38757248
What are the documents ?

Recent versions of Microsoft Office have the ability to protect documents and restrict editing - this may do what you want
Why Off-Site Backups Are The Only Way To Go

You are probably backing up your data—but how and where? Ransomware is on the rise and there are variants that specifically target backups. Read on to discover why off-site is the way to go.


Author Comment

ID: 38767484
Thanks for the answers. I am going to test out cgaliher's solution because I don't know what type of documents they will be creating. It could be anything from WordPerfect to Word to Excel to OpenOffice.

Author Comment

ID: 38767719

Your solution is good, but here is the problem. Only the creators of the files can see them and modify them. I need all the users to be able to open the files, but not make any changes. With your solution, the permissions on any new files get set so that only the creator of the file can open it and edit it. Is there a way to do this where other users can also open the files but be restricted from modifying them?
LVL 58

Accepted Solution

Cliff Galiher earned 250 total points
ID: 38768462
Sure. Add a third advanced permission. The group is all the users you want to have read access. The inheritance is folders. Subfolders. And files. And the permissions are the read permissions.

Again, inheritance will kick in for newly created files and permissions are cumulative. Should mean that new files get read permissions for all users and modify permissions for just the creator owner.

Author Comment

ID: 38784222

That worked. I had to play around the permissions a little on CREATOR OWNER and was able to get the results I was pushing for when I just gave them full permission. Now when someone creates a file, they can do whatever they want to it, and other users can only read it. Your last post with the suggestion to add another advanced permission for my group with only read access is what really got things going though. I have accepted your solution. Thank you!

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question