NTFS Permissions Question

Posted on 2013-01-08
Last Modified: 2013-01-16

I have a client that wants to have a shared folder on a Windows 2003 server with special permissions. He wants all users to be able to see the contents of this folder, and to be able to create and save documents to this folder. However, he only wants the document creator to be able to make changes to said document, and all other users to have read only access. Basically, he wants it so that only the creator of the document can make changes to that document, and everyone else can only modify documents they have created themselves.

Is this something that can be done? I have played around with the permissions and have had no luck. It seems that the only way to do this would be to modify permissions on each document and define a document owner every time a new document is created. This would be a huge hassle. If anyone has any suggestions or an answer to this question it would be greatly appreciated. Thank you!
Question by:timinoldsmar
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 10

Expert Comment

ID: 38756846
What type of documents?
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 250 total points
ID: 38756854
Yes, I believe you can do this, but you'll want to test lab it first.

Remove any write/modify permissions from any users groups and disable inheritance on the folder in question.

Now, all of the following will need to be done from the "advanced" section of the security settings. Add a new permission and set the group to the group(s) of users you want to have permissions to create new files. Set the inheritance to "this folder and subfolders." Give them the "create files/write data" permissions, as well as the various read permissions. This will allow the users to create new files without problem and whoever creates the file will be considered the "owner." The inheritance of "folder and subfolders" will *prevent* this group from getting write permissions to any files though.

Second, add a new permission for the user "Creator Owner." Set the inheritance to "folders, subfolders, and files." And then give that the permissions to all of the various write permissions. This will allow the owner to modify their own files as the inheritance will carry down all the way to the file level, including newly created files.

Good luck.

LVL 70

Expert Comment

ID: 38757248
What are the documents ?

Recent versions of Microsoft Office have the ability to protect documents and restrict editing - this may do what you want
DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.


Author Comment

ID: 38767484
Thanks for the answers. I am going to test out cgaliher's solution because I don't know what type of documents they will be creating. It could be anything from WordPerfect to Word to Excel to OpenOffice.

Author Comment

ID: 38767719

Your solution is good, but here is the problem. Only the creators of the files can see them and modify them. I need all the users to be able to open the files, but not make any changes. With your solution, the permissions on any new files get set so that only the creator of the file can open it and edit it. Is there a way to do this where other users can also open the files but be restricted from modifying them?
LVL 58

Accepted Solution

Cliff Galiher earned 250 total points
ID: 38768462
Sure. Add a third advanced permission. The group is all the users you want to have read access. The inheritance is folders. Subfolders. And files. And the permissions are the read permissions.

Again, inheritance will kick in for newly created files and permissions are cumulative. Should mean that new files get read permissions for all users and modify permissions for just the creator owner.

Author Comment

ID: 38784222

That worked. I had to play around the permissions a little on CREATOR OWNER and was able to get the results I was pushing for when I just gave them full permission. Now when someone creates a file, they can do whatever they want to it, and other users can only read it. Your last post with the suggestion to add another advanced permission for my group with only read access is what really got things going though. I have accepted your solution. Thank you!

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
help Skype for Business keeps dropping 7 40
How to decline Windows updates with SCCM? 2 59
Network setup between buildings 4 61
Blocking outside IP Addresses 16 56
#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
Internet Business Fax to Email Made Easy - With  eFax Corporate (, you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question