Windows Network Data Archive


Roughly a 200 user AD network. We have a number of servers that are getting low on disk space so we have introduced a new Windows 2012 r2 VM to use as an archive.

Basically the thought process is to add this archive server as a shortcut to existing data shares and advise users from all different departments that they can move older data to this location and still have access to it.

The caveat would be that this archive share is read only and only backed up once a qtr. So users should not be able to change anything in that archive folder.

Hope i have outlined what we want correctly and if anyone has any ideas on how to do this correctly that would be great.

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

A KarelinCommented:
You can also enable deduplication function.
kingcastleAuthor Commented:
ok any info on that?
NVITEnd-user supportCommented:
For 2012, it has deduplication built in...
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

David Johnson, CD, MVPOwnerCommented:
if you cannot write/modify, how are the users going to ADD files to the archive?
kingcastleAuthor Commented:
thats the key alright so thats what i was wondering really how to other people run an archive?
NVITEnd-user supportCommented:
> ...they can move older data to this location...this archive share is read only... So users should not be able to change anything in that archive folder.

This can be done by setting the following on the archive folder.
Add but no del 1Add but no del 2

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
kingcastleAuthor Commented:
And will that allow users to add data to the archive but not edit or change it once it's in there?
NVITEnd-user supportCommented:
> And will that allow users to add data to the archive but not edit or change it once it's in there?
They won't even be allowed to rename.

Try it on your workstation. Then try a test folder on the server.
kingcastleAuthor Commented:
ok sounds like what i need so i will try that and report back.
kingcastleAuthor Commented:
ok so here is what I have done so far so just checking I'm on the right path.

first I have created a root share called archive and went into the sharing tab and allowed everyone Read access.
      thinking behind that is, I want all departments to access this share but then have departmental folders below it that    only they can access.

below this I created the first department folder say accounts and I clicked the security tab on this folder. I then disabled inherited permissions and added the departmental security AD group. I then edit the permissions on that group to the ones supplied above in the pictures and finally I re ticked apply the permissions to this folder and all below.

did I do the correct thing?

NVITEnd-user supportCommented:
I'm mobile now so can't verify. Your steps sounds correct. I'm not certain at the parent folder, though. If that is a test folder, go for it. You can always clean up and try again.
kingcastleAuthor Commented:
ok I have tested and the users can copy data into the archive ok but they can open a file from the archive change it and save it back to the archive.

once a file is in the archive it should not be able to be changed.

the right on the folder at the minute are as follows:

Full Control                                                     not ticked
Traverse folder / execute file                       ticked
List folder / read data                                   ticked
Read attributes                                              ticked
Read extended attributes                            ticked
Create files / write data                                ticked
Create folders / append data                      ticked
Write attributes                                             ticked
Write extended attributes                           ticked
Delete subfolders and files                         not ticked
Delete                                                             not ticked
Read permissions                                        ticked
Change permissions                                   not ticked
Take ownership                                           not ticked
David Johnson, CD, MVPOwnerCommented:
is modify ticked or not ticked?
NVITEnd-user supportCommented:
Also, be sure to logoff then logon users.
kingcastleAuthor Commented:
modify is unticked
NVITEnd-user supportCommented:
On the parent folder (mine is named archive01), I start with a minimum of the Administrators, and System with appropriate permissions. i.e.
- NO Creator owner
- Full Control = Administrators or Domain Admins
- Full Control = System

Then, add your groups, users, and or OUs (GUOU). Here, there will be 2 entries per GUOU, each with appropriate permissions. Here, my group is named CopyToArchiveDir:

Summary1st entry2nd entry
Sorry for the piecemeal posts.
kingcastleAuthor Commented:
i must be doing something wrong. when i try to add the same group a second time it doesn't do that.
It assumes the group already exists and wont let you add twice.
kingcastleAuthor Commented:
so basically i need to be able read, write an copy to this folder but not edit or delete once the file is in there.
David Johnson, CD, MVPOwnerCommented:
then remove the group, apply, now add the group, apply again.
NVITEnd-user supportCommented:

- Pick Security, Advanced.
- Remove the checkmark at "Include inheritable permissions from this object's parent". Answer the warning dialog by picking "Add".
- Back In the list of permission entries, refer to my last post ID: 40827546.
- You'll Add the permissions twice. Each Add sets different permissions. That's how you end up with 2 entries for each group .
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.