Re: Deny User permissions upon moving files within shared folder by Andy
Andy
Mon Dec 13 14:26:23 CST 2004
Sure, set permissions on the shared folder in question so the targeted users
can't delete the folder or subfolders and files; how to do this is a rather
long explanation. There are some gotchas caused by some, un-named, office
productivity suite (and some other) apps that will make you tear out your hair
if you still want these users to be able to modify existing files; this is
b/c those apps actually create and delete temp files in the working folder
as a function of modifying the existing file. So, you can't do the easy
(and dangerous) thing of creating a special group and denying "delete
subfolders and files" to it. "Deny" permissions over-ride all "allow"
permissions from other groups to which the users might have membership (like
the Domain Users, Users or Creator Owner groups). If you do this, the users
will be unable to delete the temp files mentioned above despite their being
the owners of those files. This'll generate help desk calls and fill up
your disks...fast.

Instead start by creating an AD (global) group which contains only the users
you want to restrict; name it something that makes sense for the
functionality of the group. Then create another group that contains the
users who should have more elevated permissions (to modify). (If you like,
you can nest these global groups in well-named local groups on the server in
question. Then you take the following actions on these local groups instead
of the global ones.) Now, in the security tab for the folder, (uncheck the
"inherit permissions..." box if checked and choose "Copy" from the prompt)
add permissions that duplicate those currently in force for the new elevated
permissions group (likely Modify perms). Now remove the perms for the "old"
group through which users gained permissions on this folder (likely Domain
Users or Users). Add perms for the restricted perms group and make them
Read & Execute, List, Read, and Write. You can click the Advanced button,
open the advanced view of that group's perms and ensure that the "Delete
Subfolders and Files" and "Delete" boxes are unchecked. Now make sure the
targeted users don't belong to any other groups listed. Also ensure that
the Creator Owner group has "Full Control" perms on "Subfolders and Files
only" in the Advanced dialog box. Finally, check the box that says,
"Replace permission entries on all child objects..." before applying your
changes and respond "Yes" to the startling prompt. This will allow targeted
users to create new files, modify them or existing files, and delete files
of their own making; it will also prevent them from deleting files created
by other users or the folder in question.

Definitely play with these permissions on a test folder or in a
non-production environment to get a feel for it and to test outcomes before
rolling out changes to your production environment.

How do you prevent users from deleting files they own? Much tougher: I
don't have a ready solution, but there should be something you could script
and schedule to run on the server (at off hours) that periodically would
take ownership (perhaps to an admin account) of all files in that folder.
That would be a kludge at best...effectively changing the parameters of the
problem vs. fixing the problem.

Hopefully, this example emphasizes the need to name your groups sensibly, to
nest them sensibly and to document their uses wherever possible...even to
have a policy on naming groups so it stays uniform across time. It's easy
to lose track of groups' purposes and have to hunt down membership at
inconvenient times.

Have fun!
A

"Harry" <anonymous@discussions.microsoft.com> wrote in message
news:125a01c4dead$7d267f80$a601280a@phx.gbl...
> Do you know Andy, or anyone else, how to prevent files
> deletion within the Shared Folder?
>>-----Original Message-----
>>No can do, Harry. If the user can read the file, he/she can save it to a
>>new location. To move it, she/he needs the modify cluster of rights, but it
>>sounds like you want to restrict saving the file(s) elsewhere, not just
>>preventing deletion in the original location (THAT you can do).
>>
>>A
>>"Harry" <anonymous@discussions.microsoft.com> wrote in message
>>news:0f0501c4de11$bd504060$a601280a@phx.gbl...
>>> Hello all,
>>> Could you please advise me on how to restrict the access
>>> rights of one Domain User from moving files within a
>>> Shared Folder. The user should have sufficient rights to
>>> write in the files, but not to save them afterwards to a
>>> different directory. The permissions granted for all
>>> Domain Users on this Shared Folder are Modify - Read &
>>> Execute - List Folder Contacts - Read - Write. Do I make
>>> any amendments to the security permissions of the user's
>>> account and if yes then which ones?
>>> Thank you in advance for your response.
>>>
>>> Regards,
>>> Harry
>>
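
The permission layout from Andy's reply above, scripted as an added example (not part of the original thread). It assumes Windows PowerShell running elevated on the file server plus the built-in icacls tool; the folder path and the CONTOSO group names are placeholders.

```powershell
# Added example. Path and group names below are placeholders, not from the thread.
$Folder     = 'D:\Shares\Projects'
$Elevated   = 'CONTOSO\Projects-Modify'     # users who keep Modify
$Restricted = 'CONTOSO\Projects-NoDelete'   # users who must not delete others' files
$OldGroup   = 'CONTOSO\Domain Users'        # group that granted access until now

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

function New-AllowRule($Identity, $Rights, $Propagation) {
    # Allow ACE inherited by subfolders and files (and set on this folder unless InheritOnly).
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $inherit, $Propagation, 'Allow'
}

# Uncheck "inherit permissions..." and choose Copy: inherited ACEs become explicit ones.
$acl = Get-Acl -LiteralPath $Folder
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $Folder -AclObject $acl

# Re-read so the copied ACEs are visible, then rebuild the entries.
$acl = Get-Acl -LiteralPath $Folder
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]$OldGroup)
$acl.AddAccessRule((New-AllowRule $Elevated 'Modify' 'None'))
# Read & Execute, List, Read and Write; no Delete, no Delete Subfolders and Files.
$acl.AddAccessRule((New-AllowRule $Restricted 'ReadAndExecute, Write' 'None'))
# "Subfolders and Files only" is expressed as an inherit-only ACE.
$acl.AddAccessRule((New-AllowRule 'CREATOR OWNER' 'FullControl' 'InheritOnly'))
Set-Acl -LiteralPath $Folder -AclObject $acl

# "Replace permission entries on all child objects...": reset children to inherited ACLs.
icacls "$Folder\*" /reset /T /C | Out-Null

# Check: list every Allow ACE that still carries a delete right, so membership of
# the targeted users in those groups can be reviewed by hand.
$deleteBits = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$canDelete = (Get-Acl -LiteralPath $Folder).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $deleteBits)
}
$canDelete | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
if ($canDelete.IdentityReference.Value -contains $Restricted) {
    Write-Warning "$Restricted still holds a delete right on $Folder"
}
```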