GEtting folder permission right on a shared folder problem?

[Kyle]

I am not even sure if this is possible. One of our depts has asked us to set up a folder on the network that pupils can save documents to forte subject only. They want staff to be able to have 'Full Control' (easy) But they want pupils to have write access but not modify(so as soon s they save the file they can no longer edit it. Also they would like that only the user who has saved the file can open that file and not any other pupils.

We have tried several settings for the NTFS security but cant seem to get ti right(don't even know if it is possible)

What would you recommend?

[GrumbleDook]

Getting an CMS / Document management solution. Sharepoint can do some of this, as can FirstClass ... perhaps Moodle ... and I am sure you could do this with Novell ... and I use to do this on Macs too (AppleShare and MacAdmin).

Doing it on Windows ... pass ... sorry

[djm968]

Yes this is possible with standard Windows 2000/2003 NTFS but you will need to modify the advanced NTFS permissions as follows.

Create a new test folder for the subject.

In the Advanced Security Settings for the test folder, make sure Allow inheritable permissions from parent is unchecked, if necessary remove the tick and when asked whether to copy or remove, choose remove.

In the security tab of the new folder

Add CREATOR OWNER (don’t worry about writes yet we will modify them using the advanced permissions)

Add the students security group (you might want to create a new one for just those students who take the subject) give this group WRITE permission

Add the staff security group or individual members and give them MODIFY permissions.

Make sure the administrators group has full control and set or remove any other permissions as necessary.

In the Advanced Security Settings for the test folder, select the CREATOR OWNER property click edit and remove the following permissions

Full Control
Write Attributes
Write Extended Attributes
Delete Subfolders and Files
Delete
Change Permissions.

Test this using a student and staff account and see if this works, I have not tested it but it should do the trick. Let me know how you get on.

[krisd32]

i set up an an ftp folder on 1 of our servers and shared it out via iis gave student write only access to this folder and gave teachers full control of it. each teacher gets the kids to drag and drop their work into this folder with name and set in the filename and then the teacher copies it to the appropriate folder of their choice. once the kid drags or pastes the file into this folder, it then disappears out of their sight.

there will be a better way to do something like this but this works for us and it was free! just takes a bit of messing with permissions.

cheers

Kris

[mrforgetful]

Just for informations sake, the only difference between having Modify and Full Control permissions is the ability to give and take ownership, so really noone but administrators need Full.

[krisd32]

thats what i meant i just couldn't think of the word at the time.

[ajbritton]

When a user creates a file, they become the owner of it and therefore have full permissions on it, regardless of any NTFS permissions set. In theory, a user could create a file, which they would then be unable to delete, but they could still modify the permissions on it because they are the owner.

[djm968]

Not quite true, if you remove Read and Change permissions they cannot do this. You can also deny take owner permissions if you wish.

[kingswood]

When a user creates a file, they become the owner of it and therefore have full permissions on it, regardless of any NTFS permissions set. In theory, a user could create a file, which they would then be unable to delete, but they could still modify the permissions on it because they are the owner.

That's how we were taught it at a recent MCSA course I attended. The user with ownership- the creator of the file/folder/object- can even assign take ownership rights to user 'b' should they wish to. This is built in to the NTFS system by default.

You can of course be "explicit" about assigning NTFS permissions- and that would be what happens when you "explicitly" deny someone take ownership or special permissions on a resource that is shared. That's a whole different ball-game though, because the key to that is in the wording- "explicit".

That's how I read it anyway :?

Paul

[djm968]

I have now tested this is a live environment and it works. Here are the ADVANCED permissions you need to set.

Student Security Group
Transverse Folders / Execute File
List Folder / Read Data
Create Files / Write Data
Create Folders / Append Data
Write Attributes
Write Extended Attributes

Add CREATOR OWNER group but remove the following
Full Control
Delete Subfolders and Files
Delete
Read Permissions
Change Permissions

Add Staff security group
Modify permissions

Add Administrators security group
Full Control.

Remember that shared folders in W2K3 are set to everyone read by default and you will need to set the necessary share permissions at the top level folder to allow staff and students write access.

Hope this helps.

[djm968]

Just to re-cap. These permissions will allow a student to save a file in the folder, open it and modify it but not delete it.

Students will only be able to open or modify their own files.

Staff will be able to open, modify or delete any file or folder.

Administratos are god and can do anything they like.

[ajbritton]

@djm968 - What's in your permissions to prevent the owner of a file modifying the permissions on it?

[djm968]

Tell me how your locked user would alter the permissions? Yes the will be the owner of the file but they should not have access to the security tab and they should not be able to run scripts to change the ACL's

[ajbritton]

Tell me how your locked user would alter the permissions? Yes the will be the owner of the file but they should not have access to the security tab and they should not be able to run scripts to change the ACL's

agreed, but that's not NTFS permissions preventing them from changing access rights, it's environment lockdown.

[ajbritton]

The answer is in the share permission...

Test scenario;

Server: 2003
Client: XP SP2

User Account: member of Domain Users, Students

Share Permissions: Everyone: Full Control
Folder Permissions:
Administrators: Full Control (This folder, subfolders & files)
Students: List, Traverse, Create Folder, Create File (This folder only)
Students: Read, Write, Execute (Subfolders & Files only)

OK, so I logged on to the client as a student and sure enough I was able to create a file in the test folder. I checked the permissions on the file from the server and sure enough they were Admins: Full; Students: RWX. I tried to delete the file from the client. Access denied. At the client again, went into properties of the file, Security tab and was able to add whoever I wanted with whatever access I chose (cos I'm the owner of the file). Happily deleted the file.

I then changed the share permissions from Everyone: Full Control to Everyone: Change. At this point I could create the file, could not delete it and had no access to the security controls.

I also tried setting a Deny to 'change permission', and the 'delete' options. These had no effect!