Users moving folders
I'm hoping to save myself some pain by calling on the collective experience of all you Edugeekers (and hopefully save me time in testing too) :D
Our users (we're infant and nursery school) keep dragging folders into other folders, which causes chaos when the kids are trying to save their work as they can't find the right place to save. Our system at the minute is that children share logins (I know, I know, but that's a battle I've been working on for 2.5 years and will keep going, but I could do with an interim solution), so the home folder is redirected to the "Pupils" share and within that, each child has a folder in their own name, with the idea that they should build up a portfolio of work during the time they are here. Unsurprisingly, folders keep disappearing, which isn't awful, but completely disrupts the flow of the lesson and takes a lot of adult time which could be better used. We used to have delete prevented, but several programs create some kind of temporary file which is deleted before the save is complete, so that was worse.
Current structure: \\server\pupils\intake x\pupil name\files
Ideas I've had:
Prevent delete on the named folder, but block inheritance and thus allow read, write & del within it. If I was to go with that, any suggestions on how to retrospectively apply this to 300 folders without manually setting each one? Any reasons not to do this?
Only allow list folder contents at the intake x and above. Does this allow them to open folders/files within from the list or would it prevent them from opening the folder or seeing anything below the restricted level?
As a final thought, we're also looking at implementing Office 365, mostly to allow teachers remote access to planning documents and provide some resilience to a failure of our single server (it wouldn't be used for any level of confidential data). If I implement that along with some kind of Sharepoint, would that also offer some protection against moving of folders - just something that I came across on Google, but haven't read the detail of yet.
Sorry for the long post...
What security permissions do you have on the \\server\pupils\ level?
For pupils OU: Read, write, delete - set to inherit all the way down.
Originally Posted by TheydonBois
Isnt that too far back then? If you have one user say PRIMARY and it has permissions at that level, it needs to be reset to be at the level of the name of the students.
For instance, my setup for kids would be E:\Users\ then folders containing all the student logins (they have seperate logins) at the Users folder level however, they have no security permissions, but if I checked E:\USERS\THEYDONBOIS then THEYDONBOIS has Modify permissions.
Your generic logon account needs to only have access at the PUPIL NAME level.
Sorry if thats not clear, if not, then I will try and explain it better later :)
Could you not set up a login per year group (that is what I did when I worked in a primary) and then set their home folder to \\server\students\yearofintake\ - that way they could only possibly drag their folder into 15 others at the most rather than any other pupils in the school?
Thanks. I'll give that a go. I tried removing delete permissions from the folders, which did stop the folders being moved - but unfortunately the files inside the folders did go :(
Originally Posted by TheydonBois
This is essentially my set-up, but we have 80 pupils in each year! So even restricted down to the year group level seems to leave plenty of scope for causing chaos. I might have to change to organising by registration group. The reason I don't already do that is because I would have to move 320 folders around every September!
Originally Posted by eddyc
Please test this on non live data first, (or replicate a smaller version of what you have):
Originally Posted by jmak
Remove the PRIMARY permissions from the folders above, then import all their names from SIMS or equivalent into an excel file, then concatenate all the text from the colums into one text that you copy into a batch file and run.
CACLS x:\pupils\intake x\Jack Sparrow /E /T /C /G PRIMARY:C
CACLS x:\pupils\intake x\Fred Blogs/E /T /C /G PRIMARY:C
CACLS x:\pupils\intake x\Bobby Ewing /E /T /C /G PRIMARY:C
CACLS x:\pupils\intake x\Fred Astire /E /T /C /G PRIMARY:C
CACLS x:\pupils\intake x\Wilma Rubble /E /T /C /G PRIMARY:C
...which will apply the PRIMARY account with write permissions to the user folders only, and not the ones above. That way the only files they should be able to move and delete into each other are ones within the students name above.
Not sure how it will all work with Home Directory as only using one account still means that Fred can go into Bettys folder and delete her work within the folder anyway, even if he cannot delete the Betty root folder.
I'll have a go at the weekend and let you know how I get on.