We help IT Professionals succeed at work.

Set folders to read only server - 2008R2

rookie_b
rookie_b used Ask the Experts™
on
We are migrating some data away form a 2008R2 server and would like to set some folders to read-only. It would have been easier if we could use share permissions, but in this case these are various sub-folders, as a opposed to the shared folder. So I am guessing I am looking for a script that blocks inheritance, retains the inherited permissions but changes the group granting RW access to users to  only have RO access.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Brian BEE Topic Advisor, Independant Technology Professional

Commented:
It's probably just as easy to change the existing groups to read only and keep inheritance the way it is.

If directory structure is not the usual top down and there are exceptions, next nest choice may be to create a specific set of read only groups now and assign them as appropriate.

Commented:
You could also take the easier approach of setting file attributes to read only and/or hidden and system if you want to -- after all that is to stop users fiddling with the old folders as opposed to  a security concern, i,e,

cd /d X:\somedir
attrib *.* +r /s/d

That will mark all files and folders read only from x:\somedir downwards regardless of NTFS or share permissions.  Of course a user that has suitable ntfs permissions can change the attributes back to write but often suitable for stopping  normal users and simpler than messing with complicated nested NTFS groups and structures?

Steve

Author

Commented:
Hi Steve, thank you for your response. Would that prevent users from adding new files, or does it only affect existing files?

Author

Commented:
Ok, so, I tried using attributes, but it only sets it for files in folders, rather the actual folders. I can still rename files, rename folders, delete files and create new files, so it doesn't work for me.

Commented:
Sorry, no!
EE Topic Advisor, Independant Technology Professional
Commented:
Regarding the share permissions, you should still be able to mark permissions on all related shares as Everyone/read-only? This will override any file or folder permissions.

(It's a good lesson for other readers about why it's a good idea to keep well-managed hierarchal folder structure.)

Author

Commented:
Thanks Brian, it is definitely good advice. Unfortunately, in our case these are sub-folders of the shared folders, so there are no shares that map directly to the actual sub-folders.

With regards to changing the groups to read only the same applies - the groups are inherited from the higher level shared folders,  and there are no groups that only apply to the  individual sub-folders, hence we are having to look at blocking inheritance.

Author

Commented:
In the end we decided to only use  share permission at top level folders, and if a set of subfolders absolutely had to be read-only, we'd move them to another location and share that as read-only. It is actually turned out to be  less hassle then dealing with ntfs permissions changes/ errors.