Jeff
Wed Jul 23 11:25:45 CDT 2003
It's really not a stupid point at all, it's a frustration that we all deal
with.
What you want is what we all want, a way to let users do things they are
supposed to do, and not do the things that are...uh...stupid.
I've many clients with this same challenge, and one solution is to make the
storage location a "submission" folder that allows users to "add" files, but
not modify them, therefore they have to create and edit them somewhere else,
then save the final version. The problem is that inevitably someone wants to
make "one more change" for a typo, and now they are locked out!
Another way is to make the files modify permission only for the owner, but
that gets chaotic. Regardless, on the point you asked about, the Deny
permission isn't really the issue anymore, it's the question of letting
people edit things one day, but not the next.
I have a couple of customers where we have looked into very sophisticated
systems to configure "backend" storage, something that pulls the archives
off after a period of idle (normally still inside the nightly backup
rotation time frame of several weeks) and the files are transferred to
permanent media like a recordable drive, but these things are pretty
expensive. It's hard to touch for under $5000.
Another way to handle it that can work, perhaps with a legal office in mind,
is that if every revision of the document represents a designated revision
you must track, you do in fact require that people have Add Files
permissions, but not Modify. Therefore, if they revise the document, they
literally have to add another revision designation and save the file with an
incremented name in the target folder. That has a great deal of practical
value, and you can have a "librarian" who is responsible for packaging the
folder off to close out a job or activity on some periodic basis, archiving
the permanent revisions, disposing of the temporary interim ones.
"Filippo Taiana" <inutile@nospam.com> wrote in message
news:3f1ea8fb_2@corp.newsgroups.com...
> Jeff, your answer is very clear.
>
> At this point my problem might sound stupid.
>
> The customer wants every user to be able to read/execute/modify/(create new
> document).
>
> He just doesn't want the users (except the Administrator) to be able to
> delete the files.
> This is because there is no trash on network drives.
>
> I know that with modify permission any user can open the document and empty
> it instead of deleting, but not accidentally.
>
> Thanks again,
> Filippo
>
>
> "Jeff Middleton [SBS-MVP]" <jeff@cfisolutions.com> wrote in message
> news:OqsXKyFUDHA.2180@TK2MSFTNGP10.phx.gbl...
> > Normally you prefer to use permissions that don't provide an ACL, rather
> > than using Deny for that ACL. Therefore, to control the entire folder tree
> > for users accessing the share, you specify the user group in the share
> > permissions, then include only read/execute, but not modify/delete. In this
> > way, users who are members of only this one group have the permissions
> > stated, but no more permissions than that. However, if you have members of
> > this group who are also members of another group which is granted greater
> > access than just read/execute, those users get the cumulative total of all
> > permissions for all groups they belong to.
> >
> > To understand this, take a simple example on a shared folder permission.
> >
> > If you specify group Everyone: Deny Delete, then no one can delete a file,
> > absolutely no one coming through that share.
> >
> > If you specify group Domain Users: Deny Delete, you have almost the same
> > result because any authenticated user will be a member of Domain Users.
> >
> > Now, contrast that with this approach:
> >
> > Domain Users: Read/Execute; Managers Group: Modify/Execute; Administrators:
> > Full Control
> >
> > In this example, someone who is a member only of Domain Users can only read
> > and execute. If that user is also in the custom group Manager Group, they
> > gain the Modify ACLs, and if they are Administrators, they accumulate the
> > full control permissions.
> >
> > If you were to modify the last example like this, you wouldn't like the
> > results, it would be back to the very first example at the top:
> >
> > Domain Users: Read/Execute and Deny Delete; Managers Group: Modify/Execute;
> > Administrators: Full Control
> >
> > Even though you specify each different group, every user is going to be a
> > member of Domain Users, therefore every user will have Deny: Delete forced
> > on them, even the Administrators.
> >
> > "Filippo Taiana" <inutile@nospam.com> wrote in message
> > news:3f1c1beb_2@corp.newsgroups.com...
> > > Thanks for the fast and detailed answer.
> > >
> > > :-)
> > >
> > > Filippo
> > >
> > > "Dave Stoecker" <david_stoecker@hotCOFFEEmail.com> wrote in message
> > > news:#4kbHh6TDHA.2088@TK2MSFTNGP10.phx.gbl...
> > > > You are correct that the Word/Excel temp files will not be deleted. In
> > > > fact, I don't think the users will even be able to edit and resave later
> > > > on (unless with a different file name). Read this for detailed info:
> > > >
> > > > WD: How Word for Windows Uses Temporary Files
> > > >
> > > > http://support.microsoft.com/?kbid=211632
> > > >
> > > > DS
> > > >
> > > > "Filippo Taiana" <inutile@nospam.com> wrote in message
> > > > news:3f1c16c5_2@corp.newsgroups.com...
> > > > > I have a customer with SBS2000 network with Win98 and Win2000 clients.
> > > > >
> > > > > He wants to deny files and folders delete permission inside the "company"
> > > > > folders to prevent accidental deleting of important files.
> > > > > He wants to do it only on client computers for normal users only (not
> > > > > administrators).
> > > > >
> > > > > I am not sure about which permission I have to remove and if I should simply
> > > > > uncheck "Authorize" or if I check "Deny".
> > > > >
> > > > > Another problem is that Word and Excel write temp files in the same folder
> > > > > of the original files, and when you close the program, it will not be able
> > > > > to delete even the temp files.
> > > > >
> > > > > Any help would be appreciated,
> > > > >
> > > > > Thanks,
> > > > > Filippo Taiana
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > -----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
> > > > >
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
> > > > > -----== Over 80,000 Newsgroups - 16 Different Servers! =-----
> > > >
> > > >
> > >
> > >
> > >
> > >
> > > -----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
> > >
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
> > > -----== Over 80,000 Newsgroups - 16 Different Servers! =-----
> >
> >
>
>
>
>
> -----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
>
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
> -----== Over 80,000 Newsgroups - 16 Different Servers! =-----
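
Added example (not part of the original thread): a simplified Python model of the permission evaluation described in the quoted reply above, where Allow entries accumulate across a user's groups and a Deny entry on Domain Users overrides them, even for Administrators. The user names, the four-bit rights mask and the function names are assumptions for illustration; inherited ACEs and the combination of share and NTFS permissions are not modeled.

```python
# Simplified model of a Windows-style access check: the user's token carries
# every group they belong to, ACEs are evaluated Deny-first (canonical order),
# and a matching Deny ends the check before any Allow is considered.
READ, EXECUTE, WRITE, DELETE = 1, 2, 4, 8
READ_EXECUTE = READ | EXECUTE
MODIFY = READ_EXECUTE | WRITE | DELETE
FULL_CONTROL = MODIFY  # this model has no rights beyond the four above

def canonical(acl):
    """Order ACEs as the ACL editor stores them: Deny entries before Allow."""
    return sorted(acl, key=lambda ace: ace[0] != "deny")

def access_check(groups, acl, wanted):
    """True if a token holding `groups` is granted every right in `wanted`."""
    remaining = wanted
    for kind, group, rights in canonical(acl):
        if group not in groups:
            continue                      # ACE does not apply to this token
        if kind == "deny" and rights & remaining:
            return False                  # Deny wins over any later Allow
        if kind == "allow":
            remaining &= ~rights          # Allow rights accumulate per group
        if not remaining:
            return True
    return False                          # never granted = implicitly denied

# The two layouts from the thread.
ALLOW_ONLY = [
    ("allow", "Domain Users", READ_EXECUTE),
    ("allow", "Managers Group", MODIFY),
    ("allow", "Administrators", FULL_CONTROL),
]
WITH_DENY = ALLOW_ONLY + [("deny", "Domain Users", DELETE)]

# Constructed sample users; everyone is a member of Domain Users.
USERS = {
    "clerk": {"Domain Users"},
    "manager": {"Domain Users", "Managers Group"},
    "admin": {"Domain Users", "Administrators"},
}

def who_can(acl, right):
    """Map each sample user to whether `right` is granted under `acl`."""
    return {name: access_check(g, acl, right) for name, g in USERS.items()}

if __name__ == "__main__":
    print("allow-only, delete:", who_can(ALLOW_ONLY, DELETE))
    print("with deny,  delete:", who_can(WITH_DENY, DELETE))
    print("with deny,  read:  ", who_can(WITH_DENY, READ))
```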