Prevent users in the same group from deleting each other's files and folders

I have a department folder named Marketing. The Marketing group has the following permissions on the Marketing folder:

Traverse folder / execute file
List folder / read data
Read attributes
Read extended attributes
Create files / write data
Create folders / append data
Write attributes
Write extended attributes
Delete subfolders and files

However, if user1 from the Marketing group creates a file or folder under the Marketing folder, user2 from the same group (Marketing) will be able to delete the file or folder created by user1.
How can I prevent that?

Thank you
jskfan Asked:

John, Business Consultant (Owner), Commented:
Make User folders for each user, keep secure files there and then keep less important files in the Common Marketing folder. Make sure you have good backups. No matter what you do people will delete files. My experience in any event.
0
65td, Retired, Commented:
I didn't see CREATOR OWNER permissions listed, it should be inherited.
Is it there?
0
jskfan, Author, Commented:
I have added Creator Owner to the Marketing folder with Full Control permissions, but it did not resolve the issue.
Users who are members of the Marketing group can delete each other's files and folders under the Marketing folder.
0

John, Business Consultant (Owner), Commented:
I suggest you keep secure files in separate folders. Trying to do this with individual permissions is too labour intensive.
0
jskfan, Author, Commented:
What do you mean by separate folders?
We create one folder for each Department, and users who are members of that Department (per AD group) will create their own folders and files within the Department folder.

The problem is they can delete each other's files and folders.

I remember back in Windows 2000, if you gave a user Read/Write to a folder, then they could create files and subfolders but they could not delete or modify what other users had created.

I tried Read/Write now, but the user cannot even create their own file or folder.
0
Mahesh, Architect, Commented:
Remove the delete permission assigned to the group.
Change it to read / write / append data with scope as this folder only.
Then, if you have already added the Creator Owner group on the ACL,
in that case if any user creates a folder under the Marketing folder, he will get exclusive rights on that folder as its owner, and other users cannot delete that folder.
You can refer to the article below as well:
https://www.experts-exchange.com/articles/17526/Windows-File-Server-Folder-ownership-problems-and-resolution.html
1
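The ACL layout described in the answer above (group rights scoped to this folder only, CREATOR OWNER rights on what each user creates), as an added PowerShell example that is not from the thread or its participants. The path and the `CONTOSO\Marketing` group name are hypothetical, and giving CREATOR OWNER Modify instead of the Full Control mentioned in the thread is an assumption of this example.

```powershell
# Added example; $Path and the group name are hypothetical values, not from the thread.
$Path  = 'D:\Volume\Departments\Marketing'
$Group = New-Object System.Security.Principal.NTAccount 'CONTOSO\Marketing'
$CreatorOwner = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-0'  # well-known SID of CREATOR OWNER

function New-AllowRule($Identity, [string]$Rights, [string]$Inherit, [string]$Propagate) {
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

$acl = Get-Acl -LiteralPath $Path
# Remove the group's existing explicit ACEs, including any "Delete subfolders and files" grant.
$acl.PurgeAccessRules($Group)

# Group, this folder only: list, traverse and create. No Delete, no DeleteSubdirectoriesAndFiles.
$groupRights = 'ReadAndExecute, CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes'
$acl.AddAccessRule((New-AllowRule $Group $groupRights 'None' 'None'))

# CREATOR OWNER, subfolders and files only: replaced at creation time by an ACE for the creating user.
# Modify is enough to edit and delete one's own items (assumption; the thread used Full Control).
$acl.AddAccessRule((New-AllowRule $CreatorOwner 'Modify' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
Set-Acl -LiteralPath $Path -AclObject $acl

# Check: list every Allow ACE on the folder that still carries a delete right, so the
# department group can be confirmed absent (administrators and CREATOR OWNER may appear).
function Get-DeleteCapableAce([string]$FolderPath) {
    $mask = [int][System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
    (Get-Acl -LiteralPath $FolderPath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $mask) -ne 0) } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
}
Get-DeleteCapableAce $Path | Format-Table -AutoSize
```

CREATOR OWNER is only resolved when an item is created, so files and folders that already exist do not gain a per-user ACE from this change.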
John, Business Consultant (Owner), Commented:
I meant use User folders. These are secure from each other. Only use the common folder for less important files and have backups.
0
jskfan, Author, Commented:
Mahesh,

I will take a look at your suggestion later, and let you know.
The permissions I gave to the Department folder, that the group should see, are:
Traverse folder / execute file
List folder / read data
Read attributes
Read extended attributes
Create files / write data
Create folders / append data
Write attributes
Write extended attributes
Delete subfolders and files

So members of the group cannot delete the Department folder.
They can create folders under the Department folder. If I remove this permission: delete subfolders and files,
then they will not be able to create folders or files. If I do not remove it, then they can delete other folders created by users of the same group.
0
Mahesh, Architect, Commented:
The "delete subfolders and files" right is required only if you want to move / delete files and folders.
Without the above permission, they can create files / folders underneath the department folder.
Have you gone through the end of the article I posted? I have posted best practices there and you should get the idea.

Ideally, Creator Owner should be removed from the root of the folder and all subfolders, because it creates problems for admins managing folder permissions. This happens because of the "Creator Owner" behavior: it grants the creator full control along with ownership, and admins cannot manage that folder's permissions if required.
In this case, on the department folder everybody should have read\execute and traverse permissions with this folder only as scope.
After that there should be a group for each department, and they should have modify rights on their respective folder so that they can operate only within their folder boundary.
If you cannot do that, then right now the only way is to remove the "delete subfolders and files" right,
else everybody in the group can delete all subfolders and files, which is undesirable.
0
jskfan, Author, Commented:
Mahesh,

I have included screenshots of my configuration. Please tell me where I am wrong and how to fix it.
I have created a share named Volume.
Volume: Share permissions have only: Authenticated Users with Full Control.
Volume: NTFS permissions have: Authenticated Users with Read/Execute for this folder only. Domain Admins with Full Control for this folder, subfolders and files. Inheritance disabled.

I have created a folder inside the Volume share and named it "Department".
Department: NTFS permissions have: Authenticated Users with Read/Execute for this folder only. Domain Admins with Full Control for this folder, subfolders and files. Inheritance disabled.

Inside the "Departments" folder, I have created folders "Marketing" and "Accounting".
In Active Directory, I have created security groups "Marketing" and "Accounting". I gave each Modify on their respective folders, then opened the granular permissions on each folder and unchecked the "Delete" permission, so that no one will be able to delete the folders I have created for them (in this case the Accounting and Marketing folders).

So far so good. I can control the folders I have created for users. Now the issue is that when a user who is a member of Marketing opens the Marketing folder, they can create and delete their own subfolders, and they can also delete folders and files of other users from the same group.

[Screenshots: Volume Share Permissions, Volume NTFS Permissions, Departments NTFS Permissions, Marketing NTFS Permissions]
0
Mahesh, Architect, Commented:
If you assign modify rights on the Marketing folder to the group, members will be able to delete subfolders.
In that case, you need to restrict the group permissions to write only and grant individual users modify rights on their respective subfolders.
However, if you have many subfolders, then it is a tedious job.
If per-user restrictions are mandatory, then you need to deploy home drives instead.
That will ensure that folders are accessed by their respective users only.
0

Naveen Sharma Commented:
Security settings -> Advanced -> add your user -> in the dialog box -> allow all EXCEPT these: Full Control, Delete Subfolders and Files, Delete, Change Permissions and Take Ownership.

https://www.experts-exchange.com/questions/28998520/NTFS-Permissions.html

https://www.experts-exchange.com/questions/21735065/making-a-shared-folder-undeletable.html

Delete permissions
0
jskfan, Author, Commented:
I worked with Share/NTFS permissions back in the Windows 2000 age.
When you give Write permissions to a group on a folder, individual users can create files and folders, but cannot delete files and folders created by other users.

I guess Microsoft has changed things in a negative way.
0
jskfan, Author, Commented:
Thank you Guys
0
Windows Server 2012


Question has a verified solution.
