NTFS Permissions

[tvanduzee]

Windows 2008 R2
I have a shared folder that employees company wide use. I have permissions setup so that not everyone can see all folders.. Works fine.

However, there is one folder structure I seem to be having problems with.. All users that can see this folder have read/write/modify access because they need to contribute autocad and solidworks drawings. Problem is that some "un-informed" users move files from place to place and to other users; they seem to have been deleted. Last time, it was 65000 files. I would like to allow the users to read/write and change the files, but I want to prevent deletion (if my understanding is correct, when a file is moved to another location, it is copied then deleted from the source). Either way, I don't want end users to move or delete.

Any idea how I can get this to work the way I need?

Thanks
Terry

 

[seepy83]

From my experience, there are a lot of files that can't be modified without a user having "delete" access to the folder. If memory is serving me correctly, this applies to Microsoft Office files (doc/docx, xls/xlsx, etc) because of the way the Office Products interact with the files when they are saving changes.

I'd love to hear if this can be done, but as far as i know, it's not a possibility.

 

[hamunaptra]

Try explicitly setting the Advanced permission "Delete" to deny for the users u wish to not allow to delete the file.
So, right click -> properties -> Security -> advanced -> change permissions -> uncheck inherit security settings -> select remove or add (dependin on ur preference either gives you clean slate or leaves the inherited ones by default)
Next, if working w/ the remove option, add your group / users -> select full control (or w/e ur preference of settings) then in the deny column check Delete. It will reflect 2 diff security policies then one labeled (special) the other labeled (delete)

From there users should be able to read / edit .. but not delete them.

 

[dawks]

From my experience, there are a lot of files that can't be modified without a user having "delete" access to the folder. If memory is serving me correctly, this applies to Microsoft Office files (doc/docx, xls/xlsx, etc) because of the way the Office Products interact with the files when they are saving changes.

I'd love to hear if this can be done, but as far as i know, it's not a possibility.

You are correct in that 'delete' is required to modify files. I always get them mixed up but there are two Delete options. One is Delete, 2nd one is Delete Subfolders and Files.

Giving a user permission for one of these will allow them to modify the files, but not delete them.

I ran into a similar problem where users would randomly delete someone else's entire shared folder. So I had to find a way to allow people to modify but not delete files.

 

[hamunaptra]

hehe, I guess thats why there are shadow volumes =P, right click, restore previous versions...rofl

 

[seepy83]

You are correct in that 'delete' is required to modify files. I always get them mixed up but there are two Delete options. One is Delete, 2nd one is Delete Subfolders and Files.

Giving a user permission for one of these will allow them to modify the files, but not delete them.

I ran into a similar problem where users would randomly delete someone else's entire shared folder. So I had to find a way to allow people to modify but not delete files.

I'm not so sure about that...
"Delete" lets you delete the object that you're setting the permission on (the root shared folder, for example).
"Delete SubFolders and Files" lets you delete any child objects. So, a user might not be able to delete the root share, but they can still accidentally delete all of the files/folders inside it.

 

[tvanduzee]

What I did, and I can change it if I need to, is to add "deny"/delete and deny "delete folders/subfolders" to the group that has read/write on that folder structure. This way the most restrictive will take place, which is to allow full control but deny deleting. I then allowed to to propogate to all sub items of that folder.
I will have to monitor it and see what happens, but like I say, I can always change it back if I need to.

 

[hamunaptra]

thats what I recommended to do =)

 

[Nothinman]

What I did, and I can change it if I need to, is to add "deny"/delete and deny "delete folders/subfolders" to the group that has read/write on that folder structure. This way the most restrictive will take place, which is to allow full control but deny deleting. I then allowed to to propogate to all sub items of that folder.
I will have to monitor it and see what happens, but like I say, I can always change it back if I need to.

If people are just copying files to it manually you may be fine, but as seepy83 says, the delete right is largely useless these days because lots of apps save files by writing the whole thing to a new temp file and once that succeeds they delete the original and rename the temp to the original name. They do that because there's no way to make a full file write/update atomic so that's the safest method to avoid data loss.