NTFS Permissions Question

Hello,

I have a client that wants to have a shared folder on a Windows 2003 server with special permissions. He wants all users to be able to see the contents of this folder, and to be able to create and save documents to this folder. However, he only wants the document creator to be able to make changes to said document, and all other users to have read only access. Basically, he wants it so that only the creator of the document can make changes to that document, and everyone else can only modify documents they have created themselves.

Is this something that can be done? I have played around with the permissions and have had no luck. It seems that the only way to do this would be to modify permissions on each document and define a document owner every time a new document is created. This would be a huge hassle. If anyone has any suggestions or an answer to this question it would be greatly appreciated. Thank you!
LVL 1
timinoldsmarAsked:
Who is Participating?
 
Cliff GaliherCommented:
Sure. Add a third advanced permission. The group is all the users you want to have read access. The inheritance is folders. Subfolders. And files. And the permissions are the read permissions.

Again, inheritance will kick in for newly created files and permissions are cumulative. Should mean that new files get read permissions for all users and modify permissions for just the creator owner.
0
 
cbmmCommented:
What type of documents?
0
 
Cliff GaliherCommented:
Yes, I believe you can do this, but you'll want to test lab it first.

Remove any write/modify permissions from any users groups and disable inheritance on the folder in question.

Now, all of the following will need to be done from the "advanced" section of the security settings. Add a new permission and set the group to the group(s) of users you want to have permissions to create new files. Set the inheritance to "this folder and subfolders." Give them the "create files/write data" permissions, as well as the various read permissions. This will allow the users to create new files without problem and whoever creates the file will be considered the "owner." The inheritance of "folder and subfolders" will *prevent* this group from getting write permissions to any files though.

Second, add a new permission for the user "Creator Owner." Set the inheritance to "folders, subfolders, and files." And then give that the permissions to all of the various write permissions. This will allow the owner to modify their own files as the inheritance will carry down all the way to the file level, including newly created files.

Good luck.

-Cliff
0
Network Scalability - Handle Complex Environments

Monitor your entire network from a single platform. Free 30 Day Trial Now!

 
Brian PiercePhotographerCommented:
What are the documents ?

Recent versions of Microsoft Office have the ability to protect documents and restrict editing - this may do what you want

http://office.microsoft.com/en-gb/word-help/protect-word-documents-RZ001117927.aspx?section=10
0
 
timinoldsmarAuthor Commented:
Thanks for the answers. I am going to test out cgaliher's solution because I don't know what type of documents they will be creating. It could be anything from WordPerfect to Word to Excel to OpenOffice.
0
 
timinoldsmarAuthor Commented:
Cliff,

Your solution is good, but here is the problem. Only the creators of the files can see them and modify them. I need all the users to be able to open the files, but not make any changes. With your solution, the permissions on any new files get set so that only the creator of the file can open it and edit it. Is there a way to do this where other users can also open the files but be restricted from modifying them?
0
 
timinoldsmarAuthor Commented:
Cliff,

That worked. I had to play around the permissions a little on CREATOR OWNER and was able to get the results I was pushing for when I just gave them full permission. Now when someone creates a file, they can do whatever they want to it, and other users can only read it. Your last post with the suggestion to add another advanced permission for my group with only read access is what really got things going though. I have accepted your solution. Thank you!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.