Solved

Define advanced permission for folders

Posted on 2015-01-27
7
81 Views
Last Modified: 2015-02-11
Hi folks!

My question is this:

What permissions should be given to the folder and files contained in it,

to allow users to see, run, modify and update the files in the folder, but they could not

erase files and sub-folders or move them to another location?
0
Comment
Question by:nesher13
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 25

Expert Comment

by:NVIT
ID: 40572225
I think the modify right presumes the erase right, also.
0
 
LVL 19

Expert Comment

by:helpfinder
ID: 40572232
right click to folder>Properties>Security tab>Advanced>change permissions>choose User/Group>click Edit>Deny Delete and Delete subfolders and files
use this for user(s) or group(s) you want to restrict acces
0
 

Author Comment

by:nesher13
ID: 40572240
NewVillageIT,

first of all thank you very much for the quick response

is it possible to specify in more detail?
Ideally I would like to get a picture of the screen
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40572350
modify implies delete.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40572411
I played around with this idea a while back and came to the conclusion that whilst it is definitely possible with some file types, it just wasn't practical enough for my clients as it introduced one major hurdle (which I will mention below). Either way, if you're interested to test for yourself you can follow the below steps:

- Right click on the folder in question then click on Properties
- Click on the Security tab then click Advanced
- Click Edit to allow you to make changes to the Include inheritable permissions from this object's parent box as it should be greyed out thanks to UAC
- Once you've clicked Edit, you should be able to untick the Include inheritable permissions from this object's parent box
- Click Copy when prompted
- Now highlight the user or security group containing your users that you do not want deleting files/folders then click on Edit
- Tick the following boxes in the Deny column:
- Delete subfolders and files
- Delete
Modify-without-Delete.png- Make sure the Full control, Change permissions and Take ownership boxes are all left unticked in the Allow column
- OK your way out when done

Now the problem with the above is that it will introduce one major issue - your users won't be able to edit existing Office documents (e.g. Word, Excel, PowerPoint, etc.). They will be prompted to save the document with another file name each time they modify a file. Obviously this is not ideal and annoyed the heck out of my clients who wanted to implement this sort of thing.

If you don't want users accidentally deleting a file/folder then enable auditing and then have management give them a stern warning each time files/folders go missing. They'll eventually learn.
0
 

Author Comment

by:nesher13
ID: 40572439
David Johnson,

I think that the basic permission is a combination of
special (granular) permissions and therefore I need solution with the granular permissions
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40573493
Once you provide modify rights, users would be able to move \ delete files and folder in addition to movement
Whatever you looking for, will get this functionality with some limitations
You cannot rename files and folders unless you provide delete permissions
For Example users will not be able to rename files and folders once created in shared folder, if you want to create folder \ file with custom name, you need to 1st create it on desktop and then need to copy at share location, however once files get created you can modify files contents and save again.

If you grant users modify permissions, you can restrict them to delete folder itself, this can be achieved by granting explicit deny delete permissions to authenticated users on folder advanced permissions with applies to This folder only
For that U need to add required user \ group explicitly on advanced tab
It should look like below
Deny DeleteCheck below articles for more information
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28493997.html
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
When asking a question in a forum or creating documentation, screenshots are vital tools that can convey a lot more information and save you and your reader a lot of time
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question