Windows Server 2008 Thread, Folder permissions for shared drives in Technical
  1. #1
    Admiral208

    Folder permissions for shared drives

    I'm sure this has been asked before but I cannot find a good enough solution anywhere.

    I am looking into the permissions of our shared network drives. The structure is this:

    \\server_name\Public\Staff
    \\server_name\Public\Students
    \\server_name\Public\Office

    Staff get the Staff folder mapped as T: through GPP. The security for this folder is that staff have modify permissions. This is not good enough because if a member of staff wants to delete or move a folder with the drive, they can.

    What I'm looking for is within the Staff folder, they can read only the list of subfolders and then they have modify within those subfolders.


    Like I say, I've searched and searched but cannot find a suitable solution. Has anyone got this set up or is there a different way?

    Thanks
    James

  2. #2
    Mako
    Rule of thumb: Broad shared permissions, restricted filesystem permissions.

    Change and Read for the shares should be enough (put Full Control if there is a problem).

    On your main folder (i.e. Staff), go to the Security tab on the properties, then "Advanced". Uncheck "Inherit permissions from parent" (if it's ticked; if prompted, click 'Copy'), then select the group and click the "Edit" button. This should bring up specific permissions. Uncheck all the permissions and give the group:
    • List Folder/ Read Data
    • Read Attributes
    • Read Extended Attributes


    So, on your main folder this will restrict everyone to only being able to view the files and folders within that directory but not modify the files themselves. You will then need to edit the permissions on the subfolders to give them full (or not, depends what you want) control so that the restriction does not propagate down fully.

    I *think* this is right. I'm in the middle of memtesting a machine and countering sixth form pranks (it's their last day), so I can't actually test this.

    Hope this helps.

  3. Thanks to Mako from:

    Admiral208 (30th May 2012)

  4. #3
    Admiral208
    Thanks. I have already set the share permissions to full control and I have already tried what you suggested. The problem is that if I set the permissions to modify on the subfolders within the Staff folder, if one gets dragged onto the other, it still moves the contents of the folder but leaves an empty folder at the root. This is my real problem.

  5. #4
    Bezwick
    For each root folder, i.e. "Staff", set permissions by selecting Properties > Security > Advanced > Change Permissions > Edit >
    set the permissions to read only but apply to this container only.
    Now create a subfolder and give Modify permissions. Do this for each of your folders and you can cut it down.
    There is no way of setting up a directory structure that is read only on a Microsoft server easily, as the default permissions for the files are generated from the folder permissions.

  6. #5
    Admiral208
    Quote Originally Posted by Bezwick View Post
    For each root folder, i.e. "Staff", set permissions by selecting Properties > Security > Advanced > Change Permissions > Edit >
    set the permissions to read only but apply to this container only.
    Now create a subfolder and give Modify permissions. Do this for each of your folders and you can cut it down.
    There is no way of setting up a directory structure that is read only on a Microsoft server easily, as the default permissions for the files are generated from the folder permissions.
    This is what I have already done. The subfolders with modify permissions are the problem. Once I create a second subfolder, I can drag it into the first subfolder.

  7. #6
    Bezwick
    Pretty sure there is nothing you can do about that, as folders are not moved, they just have the FAT updated to represent the new location; permissions are not inherited when moved within the same volume. Same with all Windows systems.

    Quote Originally Posted by Admiral208 View Post
    This is what I have already done. The subfolders with modify permissions are the problem. Once I create a second subfolder, I can drag it into the first subfolder.

  8. #7
    apeo
    You may also want to add Deny Change Permissions, Ownership and Delete on "This folder only" for each of the subfolders. That way they can't delete/change the subfolders.

  9. #8
    Mako
    I see what it is that you want to do.

    The way around it is to deny your users the right to Delete and Delete SubFolders and Files.

    A drag-and-drop move is akin to a delete function, as you're basically "copying" it. If you deny their right to delete, the system can create the new file but not delete it from the original location, therefore the move fails. Unfortunately this creates a whole load of problems, such as the system's inability to remove temp files. They'll soon mount up (I did a quick test, could deny move while retaining modification. Every modified file dumped temp files that it couldn't delete).

    Either live with that, or there's no way around it that I can see.

  10. #9
    Admiral208
    Deny delete also means that the users cannot delete files and folders.

    The only thing I can think of so far is to create shortcuts to the folders and make the folders hidden. That way you cannot drag a shortcut onto another, but it's messy and I don't really like it.

  11. #10
    Mako
    Quote Originally Posted by Admiral208 View Post
    Deny delete also means that the users cannot delete files and folders.
    That's a given.

    I was misleading in my use of "the way around it", I didn't mean to write that. Instead; "that's the way to do it, and there is no way around it that I can see."

    Apologies.

    Your idea could work, I think. Depends how many folders you have (ergo how many shortcuts you need).

    It's fairly lame that that's the way Windows works.

  12. #11

    Quote Originally Posted by Admiral208 View Post
    I'm sure this has been asked before but I cannot find a good enough solution anywhere.

    I am looking into the permissions of our shared network drives. The structure is this:

    \\server_name\Public\Staff
    \\server_name\Public\Students
    \\server_name\Public\Office

    Staff get the Staff folder mapped as T: through GPP. The security for this folder is that staff have modify permissions. This is not good enough because if a member of staff wants to delete or move a folder with the drive, they can.

    What I'm looking for is within the Staff folder, they can read only the list of subfolders and then they have modify within those subfolders.


    Like I say, I've searched and searched but cannot find a suitable solution. Has anyone got this set up or is there a different way?

    Thanks
    James
    I've come across exactly the same issue. None of the basic NTFS folder permissions have the permissions you want for staff/students; give them Modify and it doesn't allow users to delete/move folders, and Full Control gives them this ability, but also the (dubious) right to modify NTFS permissions, which you don't want them to have.

    Oddly enough, at the Share level Modify right means something different, it allows users to delete/remove folders, which is what I want for NTFS permissions.

    The only solution I can think of is to go into the Advanced section of the NTFS folder security and permit everything at a granular level (or almost), apart from modify folder/file permissions. But it seems a bit untidy.

    Bruce.

  13. #12
    apeo
    From what I understand, what you want to do is allow users to only list & view in the Public folder, only list & view subfolders in public (staff, student & office), only list and view subfolders in staff, students & office and full or modify permissions on files & folders within the subfolders of staff, student & office. Is that right? So they can't create any files or folders in staff, students & office but they can within subfolders you have created for them?

    If that is the case then I would do what Bezwick stated:

    \\server_name\public

    Don't inherit permissions. Give NTFS permissions Read & Execute and List Folder Contents to appropriate Security Group(s).

    \\server_name\public\staff
    \\server_name\public\students
    \\server_name\public\office

    Don't inherit permissions on any of the folders. Give NTFS permissions for each folder Read & Execute and List Folder Contents for appropriate group(s) (e.g. staff for staff folder, student & staff for students folder and officestaff for office folder).

    \\server_name\public\staff\subfolder1
    \\server_name\public\staff\subfolder2
    ...

    Don't inherit permissions on any of the folders. Give NTFS permissions for each folder Modify or Full (whichever suits your needs) for appropriate group(s). Then in Advanced, add another ACL with the same group(s) but select 'This folder only' and tick deny Delete, Change Permissions and Change Ownership. There should now be 2 ACL policies for the same group, one that gives full permission and one special for folder only. Repeat for each subfolder.

    This setup should now allow you view only to all folders, allow modify/full in subfolders but stop users from deleting subfolders.

  14. Thanks to apeo from:

    Admiral208 (1st June 2012)
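
The layout from post #12, scripted with Get-Acl/Set-Acl as an added example (not code posted in the thread). The local path `D:\Public\Staff`, the group `DOMAIN\Staff` and the helper names `New-Rule` and `Set-FolderAcl` are assumptions, as is the explicit Full Control entry for Administrators and SYSTEM that keeps the folders manageable once inheritance is switched off.

```powershell
# Added example: script the folder layout described in post #12.
# Assumed placeholders: $Root is the local path behind \\server_name\Public\Staff,
# $Group is the staff security group. Run elevated on the file server.
param([string]$Root = 'D:\Public\Staff', [string]$Group = 'DOMAIN\Staff')

$Both   = 'ContainerInherit, ObjectInherit'   # this folder, subfolders and files
$Admins = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

function New-Rule($Identity, $Rights, $Inherit, $Type) {
    # Inheritance 'None' with propagation 'None' is "This folder only" in the GUI.
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $Inherit, 'None', $Type
}

function Set-FolderAcl($Path, $Rules) {
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and drop the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Clear explicit allow/deny entries the group already holds on this folder.
    foreach ($type in 'Allow', 'Deny') {
        $acl.RemoveAccessRuleAll((New-Rule $Group 'Read' 'None' $type))
    }
    foreach ($id in $Admins) {
        $acl.AddAccessRule((New-Rule $id 'FullControl' $Both 'Allow'))
    }
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

# Staff root: read and list on this folder only, so users can see the
# subfolders but cannot create, rename or delete anything at this level.
Set-FolderAcl $Root (New-Rule $Group 'ReadAndExecute' 'None' 'Allow')

# Each subfolder: Modify for the folder and everything below it, plus a deny
# on the folder object itself for Delete, Change Permissions and Take Ownership.
Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $dir   = $_.FullName
    $allow = New-Rule $Group 'Modify' $Both 'Allow'
    $deny  = New-Rule $Group 'Delete, ChangePermissions, TakeOwnership' 'None' 'Deny'
    Set-FolderAcl $dir @($allow, $deny)

    # List the explicit entries now on the subfolder so they can be reviewed.
    (Get-Acl -Path $dir).Access | Where-Object { -not $_.IsInherited } |
        Format-Table IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags -AutoSize
}
```

The deny entry covers only the subfolder object, so its contents can still be moved out of it, which matches the empty folder left behind that post #13 describes.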

  15. #13
    Admiral208
    Quote Originally Posted by apeo View Post
    From what I understand, what you want to do is allow users to only list & view in the Public folder, only list & view subfolders in public (staff, student & office), only list and view subfolders in staff, students & office and full or modify permissions on files & folders within the subfolders of staff, student & office. Is that right? So they can't create any files or folders in staff, students & office but they can within subfolders you have created for them?

    If that is the case then I would do what Bezwick stated:

    \\server_name\public

    Don't inherit permissions. Give NTFS permissions Read & Execute and List Folder Contents to appropriate Security Group(s).

    \\server_name\public\staff
    \\server_name\public\students
    \\server_name\public\office

    Don't inherit permissions on any of the folders. Give NTFS permissions for each folder Read & Execute and List Folder Contents for appropriate group(s) (e.g. staff for staff folder, student & staff for students folder and officestaff for office folder).

    \\server_name\public\staff\subfolder1
    \\server_name\public\staff\subfolder2
    ...

    Don't inherit permissions on any of the folders. Give NTFS permissions for each folder Modify or Full (whichever suits your needs) for appropriate group(s). Then in Advanced, add another ACL with the same group(s) but select 'This folder only' and tick deny Delete, Change Permissions and Change Ownership. There should now be 2 ACL policies for the same group, one that gives full permission and one special for folder only. Repeat for each subfolder.

    This setup should now allow you view only to all folders, allow modify/full in subfolders but stop users from deleting subfolders.
    Thanks

    This is where I am now...

    I have set up the permissions but the problem is if I 'accidentally' drag and drop \\server_name\public\staff\subfolder1 over the top of \\server_name\public\staff\subfolder2 (as though I wanted to move it), all of the contents of subfolder1 move into subfolder2 but subfolder1 is duplicated and left empty in its original location.

    Any suggestions?

  16. #14
    apeo
    OK, if you want to prevent copying/moving from one subfolder to another subfolder, I'm not sure how you would do that.

    If you want them to be able to manipulate the subfolders then don't add the last set of permissions that prevents users from deleting the subfolders. This does however mean they can change, rename and delete the subfolders.
