30th May 2012, 02:55 PM #1
Folder permissions for shared drives
I'm sure this has been asked before but I cannot find a good enough solution anywhere.
I am looking into the permissions of our shared network drives. The structure is this:
Staff get the Staff folder mapped as T: through GPP. The security for this folder is that staff have modify permissions. This is not good enough because if a member of staff wants to delete or move a folder within the drive, they can.
What I'm looking for is within the Staff folder, they can read only the list of subfolders and then they have modify within those subfolders.
Like I say, I've searched and searched but cannot find a suitable solution. Has anyone got this set up or is there a different way?
30th May 2012, 03:42 PM #2
Rule of thumb: Broad shared permissions, restricted filesystem permissions.
Change and Read for the shares should be enough (put Full Control if there is a problem).
On your main folder (i.e. Staff), go to the Security tab on the properties, then "Advanced". Uncheck the "Inherit permissions from parent" (if it's ticked; if prompted, click 'copy'), then select the group, and the "Edit" button. This should bring up specific permissions. Uncheck all the permissions and give the group:
- List Folder/ Read Data
- Read Attributes
- Read Extended Attributes
So, on your main folder this will restrict everyone to only being able to view the files and folders within that directory but not modify the files themselves. You will then need to edit the permissions on the subfolders to give them full (or not, depends what you want) control so that the restriction does not propagate down fully.
I *think* this is right. I'm in the middle of memtesting a machine and countering sixth form pranks (it's their last day), so I can't actually test this.
Hope this helps.
Thanks to Mako from:
Admiral208 (30th May 2012)
30th May 2012, 03:50 PM #3
Thanks. I have already set the share permissions to full control and I have already tried what you suggested. The problem is that if I set the permissions to modify on the subfolders within the Staff folder, if one gets dragged onto the other, it still moves the contents of the folder but leaves an empty folder at the root. This is my real problem.
30th May 2012, 03:53 PM #4
For each root folder, i.e. "Staff", set permissions by selecting properties > security > advanced > change permissions > edit > set the permissions to read only but apply to this container only.
Now create a sub folder and give Modify permissions. Do this for each of your folders and you can cut it down.
There is no way of setting up a directory structure that is read only on a Microsoft server easily, as the default permissions for the files are generated from the folder permissions.
30th May 2012, 03:57 PM #5
This is what I have already done. The subfolders with modify permissions are the problem. Once I create a second subfolder, I can drag it into the first subfolder.
30th May 2012, 04:17 PM #6
Pretty sure there is nothing you can do about that, as folders are not moved; they just have the FAT updated to represent the new location. Permissions are not inherited when moved within the same volume. Same with all Windows systems.
30th May 2012, 04:18 PM #7
You may also want to add Deny Change Permissions, Ownership and Delete on This folder only for each of the sub folders. That way they can't delete/change the sub folders.
30th May 2012, 04:37 PM #8
I see what it is that you want to do.
The way around it is to deny your users the right to Delete and Delete SubFolders and Files.
A drag-and-drop move is akin to a delete function, as you're basically "copying" it. If you deny their right to delete, the system can create the new file but not delete it from the original location, therefore the move fails. Unfortunately this creates a whole load of problems, such as the system's inability to remove temp files. They'll soon mount up (I did a quick test, could deny move while retaining modification. Every modified file dumped temp files that it couldn't delete).
Either live with that, or there's no way around it that I can see.
30th May 2012, 04:49 PM #9
Deny delete also means that the users cannot delete files and folders.
The only thing I can think of so far is to create shortcuts to the folders and make the folders hidden. That way you cannot drag a shortcut onto another, but it's messy and I don't really like it.
30th May 2012, 04:58 PM #10
That's a given.
I was misleading in my use of "the way around it", I didn't mean to write that. Instead; "that's the way to do it, and there is no way around it that I can see."
Your idea could work, I think. Depends how many folders you have (ergo how many shortcuts you need).
It's fairly lame that that's the way Windows works.
30th May 2012, 08:38 PM #11
I've come across exactly the same issue. None of the basic NTFS folder permissions have the permissions you want for staff/students; give them Modify and it doesn't allow users to delete/move folders, and Full Control gives them this ability, but also the (dubious) right to modify NTFS permissions, which you don't want them to have.
Oddly enough, at the Share level Modify right means something different, it allows users to delete/remove folders, which is what I want for NTFS permissions.
The only solution I can think of is to go into the Advanced section of the NTFS folder security and permit everything at a granular level (or almost), apart from modify folder/file permissions. But it seems a bit untidy.
31st May 2012, 11:24 AM #12
From what I understand, what you want to do is allow users to only list & view in the Public folder, only list & view sub folders in Public (staff, student & office), only list and view subfolders in staff, students & office, and full or modify permissions on files & folders within the sub folders of staff, student & office. Is that right? So they can't create any files or folders in staff, students & office but they can within subfolders you have created for them?
If that is the case then I would do what Bezwick stated:
Don't inherit permissions. Give NTFS permissions Read & Execute and List Folder Contents to appropriate Security Group(s).
Don't inherit permissions on any of the folders. Give NTFS permissions for each folder Read & Execute and List Folder Contents for appropriate group(s) (e.g. staff for staff folder, student & staff for students folder and officestaff for office folder).
Don't inherit permissions on any of the folders. Give NTFS permissions for each folder Modify or Full (whichever suits your needs) for appropriate group(s). Then in Advanced, add another ACL with the same group(s) but select 'This folder only' and tick deny Delete, Change Permissions and Change Ownership. There should now be 2 ACL policies for the same group, one that gives full permission and one special for folder only. Repeat for each sub folder.
This setup should now allow you view only to all folders, allow modify/full in subfolders but stop users from deleting subfolders.
Thanks to apeo from:
Admiral208 (1st June 2012)
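The layout described in post #12, applied with PowerShell instead of the Security tab. This is an added example, not part of any poster's reply; `$Root`, `$Group` and the helper function names are placeholders chosen for illustration.

```powershell
# Added example. $Root and $Group are placeholders, not values from the thread.
$Root  = 'D:\Shares\Public\Staff'   # hypothetical local path behind the share
$Group = 'EXAMPLE\Staff'            # hypothetical security group

function New-Rule($Rights, $Inherit, $Type) {
    # InheritanceFlags 'None' plus PropagationFlags 'None' means "This folder only"
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, $Rights, $Inherit, 'None', $Type)
}

function Set-GroupRules($Path, $Rules) {
    # Pass 1: stop inheriting; the second $true keeps inherited entries as copies ("Copy")
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl
    # Pass 2: re-read so the copies are explicit, drop the group's entries, add ours
    $acl = Get-Acl -Path $Path
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$Group)
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

# Staff root: list and read only, applied to this folder only (posts #4 and #12)
Set-GroupRules $Root @(New-Rule 'ReadAndExecute' 'None' 'Allow')

# Each subfolder: Modify for its contents, plus a Deny on the folder itself
$subs = @(Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } |
          ForEach-Object { $_.FullName })
foreach ($sub in $subs) {
    Set-GroupRules $sub @(
        (New-Rule 'Modify' 'ContainerInherit,ObjectInherit' 'Allow'),
        (New-Rule 'Delete,ChangePermissions,TakeOwnership' 'None' 'Deny')
    )
}

# Check: show the group's entries on the root and on every subfolder
function Get-GroupRules($Path) {
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group } |
        Select-Object @{n='Path';e={$Path}}, AccessControlType,
                      FileSystemRights, InheritanceFlags
}
@($Root) + $subs | ForEach-Object { Get-GroupRules $_ }
```

Each subfolder should list two entries for the group: an Allow Modify that inherits to children and a Deny with `InheritanceFlags` of `None`. As post #13 reports, this layout stops the subfolders being deleted but not a drag of one subfolder's contents into another.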
1st June 2012, 03:49 PM #13
This is where I am now...
I have set up the permissions but the problem is if I 'accidentally' drag and drop \\server_name\public\staff\subfolder1 over the top of \\server_name\public\staff\subfolder2 (as though I wanted to move it), all of the contents of subfolder1 move into subfolder2 but subfolder1 is duplicated and left empty in its original location.
1st June 2012, 04:02 PM #14
Ok if you want to prevent copying/moving from 1 subfolder to another subfolder, I'm not sure how you would do that.
If you want them to be able to manipulate the subfolders then don't add the last set of permissions that prevents users from deleting the subfolders. This does however mean they can change, rename and delete the subfolders.