How to achieve these file and folder permissions?

This is using an MS Windows 2012 AD domain. There is a file server with about 10 network file shares. For each file share, there are 3 different groups of users. The first one is users with full control. The third one is users with only "read only" permission. However, the most challenging part is the second one, users who are granted the following permissions:

   - Users cannot edit/delete/rename the existing main folder and subfolders
   - Users cannot delete existing files (or files not created by themselves), but they are allowed to edit/modify
   - Users are allowed to put in new files (they should be allowed to delete as they are the creator owner?)

For the above user groups, I have created one "security group" for each file share. On each file share's Security tab, I selected Advanced > Permissions and added 2 permissions, files only and folder and subfolders special permissions, for the given security group (in this case, admin-dept_CHANGE). Please refer to the attached EE - advanced permissions.jpg.

Please see another 2 more attached jpg for the special permissions assigned to admin-dept_CHANGE, one based on files only, and another one based on folders and subfolders.

The result being:
   - Users cannot edit/delete/rename the existing main folder and subfolders
   - Users cannot delete existing files (or files not created by themselves), and they are also not allowed to edit/modify
   - Users are allowed to put in new files (they should be allowed to delete as they are the creator owner?)

Any settings amiss? How to achieve the given objective?

Thanks,
EE---Advanced-Permissions.jpg
EE---Change-filesonly-advance.jpg
EE---Change-foldersub-advance.jpg
Asked by: MichaelBalack

Lionel MM (Small Business IT Consultant) commented:
In the last two pictures you have "can change permissions" checked, which means they can right-click on any files in the folder and make changes to files/folders and allow them to add/remove permissions, which is what you don't want.

Lionel MM (Small Business IT Consultant) commented:
However, to me it seems you want permissions that require a more robust approach by using something like the command line ICACLS, which has more flexibility and power; these are some of the rights you can assign. You can either "grant" or "deny" these rights:
                DE - delete
                RC - read control
                WDAC - write DAC
                WO - write owner
                S - synchronize
                AS - access system security
                MA - maximum allowed
                GR - generic read
                GW - generic write
                GE - generic execute
                GA - generic all
                RD - read data/list directory
                WD - write data/add file
                AD - append data/add subdirectory
                REA - read extended attributes
                WEA - write extended attributes
                X - execute/traverse
                DC - delete child
                RA - read attributes
                WA - write attributes
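
One way to express the question's three requirements with the icacls rights listed above, as an added example that is not part of the original thread. The share path and the EXAMPLE domain are hypothetical, the group name is the one from the question, and it assumes no other ACE (inherited or explicit) gives these users DE or DC.

```powershell
# Added example. $Root and the EXAMPLE domain are hypothetical placeholders.
$Root  = 'D:\Shares\admin-dept'
$Group = 'EXAMPLE\admin-dept_CHANGE'

# Specific rights from the icacls list. DE, DC, WDAC and WO are never granted
# to the group: a file can be deleted with DE on the file OR DC on its parent.
$Read         = 'RD,RA,REA,X,RC,S'
$FolderRights = "$Read,WD"            # WD on a folder = add file; AD is left out,
                                      # so no new subfolders (assumption)
$FileRights   = "$Read,WD,AD,WA,WEA"  # WD/AD on a file = write/append data

# Remove the group's existing explicit allow ACEs first, such as the ones
# from the screenshots that include "change permissions".
& icacls.exe $Root /remove:g $Group
if ($LASTEXITCODE -ne 0) { throw 'icacls /remove:g failed' }

$aces = @(
    "${Group}:(CI)($FolderRights)",    # this folder and subfolders
    "${Group}:(OI)(IO)($FileRights)",  # files only
    'CREATOR OWNER:(OI)(IO)(DE)'       # files only: the creator may delete their own file
)
foreach ($ace in $aces) {
    & icacls.exe $Root /grant $ace     # /grant adds; /grant:r would replace the previous ACE
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed for $ace" }
}

# Check the group's allow ACEs on the share root for rights that would defeat the design.
$forbidden = [System.Security.AccessControl.FileSystemRights]`
    'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$violations = (Get-Acl -Path $Root).Access | Where-Object {
    $_.IdentityReference.Value -eq $Group -and
    $_.AccessControlType -eq 'Allow' -and
    ([int]($_.FileSystemRights -band $forbidden)) -ne 0
}
if ($violations) {
    $violations | Format-List IdentityReference, FileSystemRights, InheritanceFlags
    throw "$Group still holds delete or permission-change rights on $Root"
}
& icacls.exe $Root                     # print the resulting ACL for review
```

Renaming a file also needs DE on it, so group members cannot rename files they did not create. Programs that save by replacing the original file need DE as well, so test editing with the applications users actually run.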

MichaelBalack (Author) commented:
Hi Lionelmm,

Sorry for the delay. I have some updates and am going to share them with you; please wait for my updates in my article.

MichaelBalack (Author) commented:
Hi Lionelmm,

On the file share:
- select the Sharing tab, and only grant the CHANGE group: Change & Read
- select the Security tab, and grant the CHANGE group: Read & Execute, List folder contents, Read, and Write

and this solves the problem.

MichaelBalack (Author) commented:
By using the settings as I mentioned, the required file and folder permissions can be achieved.

Lionel MM (Small Business IT Consultant) commented:
That does not achieve the results you wanted. Giving these rights will allow users to delete files they did not create.

MichaelBalack (Author) commented:
Tested; the CHANGE user is only able to modify but not delete the existing files.