• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 114
  • Last Modified:

Define advanced permission for folders

Hi folks!

My question is this:

What permissions should be given to the folder and files contained in it,

to allow users to see, run, modify and update the files in the folder, but they could not

erase files and sub-folders or move them to another location?
0
nesher13
Asked:
nesher13
1 Solution
 
NVITCommented:
I think the modify right presumes the erase right, also.
0
 
helpfinderIT ConsultantCommented:
right click to folder>Properties>Security tab>Advanced>change permissions>choose User/Group>click Edit>Deny Delete and Delete subfolders and files
use this for user(s) or group(s) you want to restrict acces
0
 
nesher13Author Commented:
NewVillageIT,

first of all thank you very much for the quick response

is it possible to specify in more detail?
Ideally I would like to get a picture of the screen
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
David Johnson, CD, MVPOwnerCommented:
modify implies delete.
0
 
VB ITSSpecialist ConsultantCommented:
I played around with this idea a while back and came to the conclusion that whilst it is definitely possible with some file types, it just wasn't practical enough for my clients as it introduced one major hurdle (which I will mention below). Either way, if you're interested to test for yourself you can follow the below steps:

- Right click on the folder in question then click on Properties
- Click on the Security tab then click Advanced
- Click Edit to allow you to make changes to the Include inheritable permissions from this object's parent box as it should be greyed out thanks to UAC
- Once you've clicked Edit, you should be able to untick the Include inheritable permissions from this object's parent box
- Click Copy when prompted
- Now highlight the user or security group containing your users that you do not want deleting files/folders then click on Edit
- Tick the following boxes in the Deny column:
- Delete subfolders and files
- Delete
Modify-without-Delete.png- Make sure the Full control, Change permissions and Take ownership boxes are all left unticked in the Allow column
- OK your way out when done

Now the problem with the above is that it will introduce one major issue - your users won't be able to edit existing Office documents (e.g. Word, Excel, PowerPoint, etc.). They will be prompted to save the document with another file name each time they modify a file. Obviously this is not ideal and annoyed the heck out of my clients who wanted to implement this sort of thing.

If you don't want users accidentally deleting a file/folder then enable auditing and then have management give them a stern warning each time files/folders go missing. They'll eventually learn.
0
 
nesher13Author Commented:
David Johnson,

I think that the basic permission is a combination of
special (granular) permissions and therefore I need solution with the granular permissions
0
 
MaheshArchitectCommented:
Once you provide modify rights, users would be able to move \ delete files and folder in addition to movement
Whatever you looking for, will get this functionality with some limitations
You cannot rename files and folders unless you provide delete permissions
For Example users will not be able to rename files and folders once created in shared folder, if you want to create folder \ file with custom name, you need to 1st create it on desktop and then need to copy at share location, however once files get created you can modify files contents and save again.

If you grant users modify permissions, you can restrict them to delete folder itself, this can be achieved by granting explicit deny delete permissions to authenticated users on folder advanced permissions with applies to This folder only
For that U need to add required user \ group explicitly on advanced tab
It should look like below
Deny DeleteCheck below articles for more information
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28493997.html
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Tackle projects and never again get stuck behind a technical roadblock.
Join Now