NTFS: Allow users to modify files but not create any


We're using a client management software which uses MS Access databases, one database per location. Employees access that software using RDP. I do need to give them write access to the folders so they can make modifications, but I want to prevent them from creating crap files in the application's folder.

I've already seperated folder and file permissions so at least they can't create any folders but they still export reports to Excel and save them in the database folder.

Any thoughts?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Will SzymkowskiSenior Solution ArchitectCommented:
All you need to do in this situation is create "custom permissions" using the Advanced Permissions on the Files/Directories.

Just go into the NTFS Security Permissions, Advance Button, select ONLY the permissions you want to grant to the user or Group.

From there, you will have isolated the user/group to only the permissions you have assigned.

fmatteAuthor Commented:
I've looked in the advanced permissions, however Create Files(which I don't want to give) and Write data (which they need) are bundled together

NVITEnd-user supportCommented:
See my solution here ID: 40860202, which...
- Lets user edit and save existing file contents
- Will not let user rename file
- Will not allow new folder creation
- Will not allow new file creation

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Learn SQL Server Core 2016

This course will introduce you to SQL Server Core 2016, as well as teach you about SSMS, data tools, installation, server configuration, using Management Studio, and writing and executing queries.

fmatteAuthor Commented:
That might work NVIT, although not practical when adding new databases or when we as admins need to add new files since security has to be done manually.

Could maybe write a powershell script that would set permissions on a scheduled task, might work.

NVITEnd-user supportCommented:
Please give an example....

Is everything in one folder? You want them to modify existing files but not create new files?

What is your folder layout?
Will the layout change over time, e.g. admin will add folders or files to it?
Also, what rights to give on each folder level?
fmatteAuthor Commented:
Here's the basic layout

E:\AppFolder containts the executables, ini files and DLLs. They need to read files only. Easily done through security policies on the folder itself
E:\AppFolder\Databases contains all the Access databases. They need to read files but also modify the databases themselves.

In both cases, I don't want the users to save any Excel or Word files in there. However the application administrators do sometimes need to create/delete files in those two folders. These guys aren't IT staff, so I can't rely on them to update NTFS security each time (not often, but maybe twice a month).

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.