MichaelBalack
asked on
How to achieve these file and folder permissions?
This is in an MS Windows 2012 AD domain. There is a file server with about 10 network file shares. For each file share, there are 3 different groups of users. The first one is users with full control, and the third one is users with only "read only" permission. However, the most challenging part is the second one, where users were granted the following permissions:
- Users cannot edit/delete/rename the existing main folder and subfolders
- Users cannot delete existing files (or files not created by themselves), but they are allowed to edit/modify
- Users are allowed to put in new files (they should be allowed to delete these, as they are the creator owner?)
For the above user groups, I have created one "security group" for each file share. In each file share's Security tab, I selected Advanced > Permissions and added 2 permissions, one for files only and one for folders and subfolders, as special permissions for the given security group (in this case admin-dept_CHANGE). Please refer to the attached EE - advanced permissions.jpg.
Please see the other 2 attached jpgs for the special permissions assigned to admin-dept_CHANGE, one for files only and another for folders and subfolders.
The result is:
- Users cannot edit/delete/rename the existing main folder and subfolders
- Users cannot delete existing files (or files not created by themselves), and they are also not allowed to edit/modify
- Users are allowed to put in new files (they should be allowed to delete these, as they are the creator owner?)
Any settings amiss? How to achieve the given objective?
thanks,
EE---Advanced-Permissions.jpg
EE---Change-filesonly-advance.jpg
EE---Change-foldersub-advance.jpg
In the last two pictures you have "change permissions" checked, which means they can right-click on any file in the folder, make changes to files/folders and add/remove permissions, which is what you don't want.
However, to me it seems you want permissions that require a more robust approach, using something like the command-line tool ICACLS, which has more flexibility and power. These are some of the rights you can assign; you can either "grant" or "deny" these rights:
DE - delete
RC - read control
WDAC - write DAC
WO - write owner
S - synchronize
AS - access system security
MA - maximum allowed
GR - generic read
GW - generic write
GE - generic execute
GA - generic all
RD - read data/list directory
WD - write data/add file
AD - append data/add subdirectory
REA - read extended attributes
WEA - write extended attributes
X - execute/traverse
DC - delete child
RA - read attributes
WA - write attributes
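As an added example (not part of the answer above or of the original thread), this is how the three ACEs the question describes could be set with ICACLS, using the specific rights from the list above: a folder ACE without delete, a file ACE without delete, and a CREATOR OWNER ACE that hands delete only to whoever created a file. The domain name CONTOSO and the share root D:\Shares\admin-dept are assumptions; the group name admin-dept_CHANGE is taken from the question.

```powershell
# Added example, not from the original thread.
# Assumptions (not in the original post): domain CONTOSO, share root D:\Shares\admin-dept.
# The group name admin-dept_CHANGE comes from the question.
$Domain = 'CONTOSO'
$Group  = "$Domain\admin-dept_CHANGE"
$Path   = 'D:\Shares\admin-dept'

# Start clean for this group only: remove any explicit grants it already has on the root.
# Inherited ACEs and other principals (the full-control and read-only groups) are left alone.
icacls $Path /remove:g $Group

# 1) Folders: this folder and subfolders only (CI), not files.
#    List/traverse and add files (WD), but no DE (no delete, and rename needs delete),
#    no WA/WEA (no attribute edits), no AD (no new subfolders) and no DC
#    (so files cannot be deleted from the parent side either).
icacls $Path /grant "${Group}:(CI)(RD,REA,RA,X,WD,RC,S)"

# 2) Files only: OI inherits to files, IO makes the ACE inherit-only so it does not
#    apply to the folder itself. Read and write data/attributes, but no DE, so existing
#    files can be edited but not deleted or renamed.
icacls $Path /grant "${Group}:(OI)(IO)(RD,REA,RA,X,WD,AD,WEA,WA,RC,S)"

# 3) CREATOR OWNER: an inherit-only template ACE that is copied, with the creator's own
#    SID, onto every file created under this tree. DE here is what lets users delete or
#    rename the files they created, and only those.
icacls $Path /grant "CREATOR OWNER:(OI)(IO)(DE)"

# Show the resulting ACL on the root and on its immediate children, so the
# inherited (I) entries can be checked.
icacls $Path
Get-ChildItem -Path $Path | ForEach-Object { icacls $_.FullName }
```

Two things to check before calling this done. First, the share-level permission for the group still has to be at least Change; effective access is the more restrictive of share and NTFS. Second, test with the applications the users actually run: an in-place write (Notepad style) needs only WD/AD on the file, but applications that save by writing a temporary file and then renaming it over the original need DE on the original, so "edit but not delete" will fail for those even though the ACL looks right. If subfolders under the share have inheritance disabled, the new ACEs will not reach them; `icacls <subfolder> /reset /T` restores inherited ACLs there.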
ASKER
Hi Lionelmm,
Sorry for the delay. I have some updates and am going to share them with you; please wait for my updates in my article.
ASKER CERTIFIED SOLUTION
ASKER
By using the settings as I mentioned, the required file and folder permissions can be achieved.
That does not achieve the results you wanted: giving these rights will allow users to delete files they did not create.
ASKER
Tested; the CHANGE user is only able to modify, but not delete, the existing files.