NTFS Permissions to allow saving but prevent changing

Hello,

I've been scouring the newsgroups, forums, google results, etc and haven't
been able to find a complete solution to this issue.

Long story short, I want to set the correct NTFS Permissions to allow saving
but prevent changing/modifying any file or folder contents.

Currently we have a modify group, write group, and read only group with
those level permissions on a top level folder, right on down to all
subfolders and files.

Some members of the write group while opening a word document, inform us
they are prompted to save the file as another name after they have changed
or added content and hit the save button. That is the result we want!
Other members of the same write group are able to insert new content at the
beginning, middle, or end of the document and save the file over
itself...which is what we DON'T want to have happen. I've done this test
myself and seen it happen. I don't understand why.

The only close solution I could find was located here:
http://forums.techarena.in/operating...ms/1144083.htm

When applying the permissions as listed on the forum above, I am able to
copy/move some PDF documents without a problem to a test folder, but PDF
files such as cause an error to pop up indicating I need administrative
permissions on the folder. Then when I refresh the folder, the file is
there in its entirety. Office 2003 and 2007 documents copy or move fine
into the test folder. Zip, exe, and as mentioned above, some PDF files
cause the administrative warning.

FTP Write access permissions do exactly what we need it to, but simple
domain-local group permissions do not...always...sort of.

If anyone has any suggestions, I'll be happy to buy that person a drink of
their personal favorite spirit!

Thanks in advance!

no one have any ideas?

"Ytse.jam.er.1" <username.@hotmail.com> wrote in message
news:...
> Hello,
>
> I've been scouring the newsgroups, forums, google results, etc and haven't
> been able to find a complete solution to this issue.
>
> Long story short, I want to set the correct NTFS Permissions to allow
> saving but prevent changing/modifying any file or folder contents.
>
> Currently we have a modify group, write group, and read only group with
> those level permissions on a top level folder, right on down to all
> subfolders and files.
>
> Some members of the write group while opening a word document, inform us
> they are prompted to save the file as another name after they have changed
> or added content and hit the save button. That is the result we want!
> Other members of the same write group are able to insert new content at
> the beginning, middle, or end of the document and save the file over
> itself...which is what we DON'T want to have happen. I've done this test
> myself and seen it happen. I don't understand why.
>
> The only close solution I could find was located here:
> http://forums.techarena.in/operating...ms/1144083.htm
>
> When applying the permissions as listed on the forum above, I am able to
> copy/move some PDF documents without a problem to a test folder, but PDF
> files such as cause an error to pop up indicating I need administrative
> permissions on the folder. Then when I refresh the folder, the file is
> there in its entirety. Office 2003 and 2007 documents copy or move fine
> into the test folder. Zip, exe, and as mentioned above, some PDF files
> cause the administrative warning.
>
> FTP Write access permissions do exactly what we need it to, but simple
> domain-local group permissions do not...always...sort of.
>
> If anyone has any suggestions, I'll be happy to buy that person a drink of
> their personal favorite spirit!
>
> Thanks in advance!

As much as I would like a gin 'n' tonic, sorry.

At first I thought maybe the write access users with the ability to
overwrite (or append) must be getting it from another group membership
since the other's "behaved" as you desired. It became evident to me that
you probably know more about this than I do - so I sat here all thirsty.

"Ytse.jam.er.1" <username.@ho.tmail.com> wrote in message
news:uFI%...
> no one have any ideas?
>
> "Ytse.jam.er.1" <username.@hotmail.com> wrote in message
> news:...
>> Hello,
>>
>> I've been scouring the newsgroups, forums, google results, etc and
>> haven't been able to find a complete solution to this issue.
>>
>> Long story short, I want to set the correct NTFS Permissions to allow
>> saving but prevent changing/modifying any file or folder contents.
>>
>> Currently we have a modify group, write group, and read only group
>> with those level permissions on a top level folder, right on down to
>> all subfolders and files.
>>
>> Some members of the write group while opening a word document, inform
>> us they are prompted to save the file as another name after they have
>> changed or added content and hit the save button. That is the result
>> we want! Other members of the same write group are able to insert new
>> content at the beginning, middle, or end of the document and save the
>> file over itself...which is what we DON'T want to have happen. I've
>> done this test myself and seen it happen. I don't understand why.
>>
>> The only close solution I could find was located here:
>> http://forums.techarena.in/operating...ms/1144083.htm
>>
>> When applying the permissions as listed on the forum above, I am able
>> to copy/move some PDF documents without a problem to a test folder,
>> but PDF files such as cause an error to pop up indicating I need
>> administrative permissions on the folder. Then when I refresh the
>> folder, the file is there in its entirety. Office 2003 and 2007
>> documents copy or move fine into the test folder. Zip, exe, and as
>> mentioned above, some PDF files cause the administrative warning.
>>
>> FTP Write access permissions do exactly what we need it to, but
>> simple domain-local group permissions do not...always...sort of.
>>
>> If anyone has any suggestions, I'll be happy to buy that person a
>> drink of their personal favorite spirit!
>>
>> Thanks in advance!
>

The issue I had with moving PDFs and whatnot were because of files that came
from another computer. Included in the NTFS permissions stream, is a
feature that IDs where the file came from. If I uncheck the box to indicate
that the file is safe, it moves to the directory just fine. There is a
group policy to disable that NTFS feature, but it doesn't remove existing
files that already have it.

But I still cannot figure why some users get prompted and other do not.
They are not members of any other groups on that folder structure...so they
all have the same level of permissions. Really strange.

Maybe I use my FTP program and have them post to it through that! *sarcasm*

"FromTheRafters" <erratic @nomail.afraid.org> wrote in message
news:...
> As much as I would like a gin 'n' tonic, sorry.
>
> At first I thought maybe the write access users with the ability to
> overwrite (or append) must be getting it from another group membership
> since the other's "behaved" as you desired. It became evident to me that
> you probably know more about this than I do - so I sat here all thirsty.
>
> "Ytse.jam.er.1" <username.@ho.tmail.com> wrote in message
> news:uFI%...
>> no one have any ideas?
>>
>> "Ytse.jam.er.1" <username.@hotmail.com> wrote in message
>> news:...
>>> Hello,
>>>
>>> I've been scouring the newsgroups, forums, google results, etc and
>>> haven't been able to find a complete solution to this issue.
>>>
>>> Long story short, I want to set the correct NTFS Permissions to allow
>>> saving but prevent changing/modifying any file or folder contents.
>>>
>>> Currently we have a modify group, write group, and read only group with
>>> those level permissions on a top level folder, right on down to all
>>> subfolders and files.
>>>
>>> Some members of the write group while opening a word document, inform us
>>> they are prompted to save the file as another name after they have
>>> changed or added content and hit the save button. That is the result we
>>> want! Other members of the same write group are able to insert new
>>> content at the beginning, middle, or end of the document and save the
>>> file over itself...which is what we DON'T want to have happen. I've
>>> done this test myself and seen it happen. I don't understand why.
>>>
>>> The only close solution I could find was located here:
>>> http://forums.techarena.in/operating...ms/1144083.htm
>>>
>>> When applying the permissions as listed on the forum above, I am able to
>>> copy/move some PDF documents without a problem to a test folder, but PDF
>>> files such as cause an error to pop up indicating I need administrative
>>> permissions on the folder. Then when I refresh the folder, the file is
>>> there in its entirety. Office 2003 and 2007 documents copy or move fine
>>> into the test folder. Zip, exe, and as mentioned above, some PDF files
>>> cause the administrative warning.
>>>
>>> FTP Write access permissions do exactly what we need it to, but simple
>>> domain-local group permissions do not...always...sort of.
>>>
>>> If anyone has any suggestions, I'll be happy to buy that person a drink
>>> of their personal favorite spirit!
>>>
>>> Thanks in advance!
>>
>
>

Is this on 2008 server? NTFS now supports MIC (or WIC) which set
Integrity Levels on resources which will usurp NTFS permissions, the
(MIC Mandatory Labels) are checked and acted upon *before* any implicit
or explicit 'permissions' are checked.

"Ytse.jam.er.1" <username.@ho.tmail.com> wrote in message
news:%...
> The issue I had with moving PDFs and whatnot were because of files
> that came from another computer. Included in the NTFS permissions
> stream, is a feature that IDs where the file came from. If I uncheck
> the box to indicate that the file is safe, it moves to the directory
> just fine. There is a group policy to disable that NTFS feature, but
> it doesn't remove existing files that already have it.
>
> But I still cannot figure why some users get prompted and other do
> not. They are not members of any other groups on that folder
> structure...so they all have the same level of permissions. Really
> strange.
>
> Maybe I use my FTP program and have them post to it through that!
> *sarcasm*
>
> "FromTheRafters" <erratic @nomail.afraid.org> wrote in message
> news:...
>> As much as I would like a gin 'n' tonic, sorry.
>>
>> At first I thought maybe the write access users with the ability to
>> overwrite (or append) must be getting it from another group
>> membership since the other's "behaved" as you desired. It became
>> evident to me that you probably know more about this than I do - so I
>> sat here all thirsty.
>>
>> "Ytse.jam.er.1" <username.@ho.tmail.com> wrote in message
>> news:uFI%...
>>> no one have any ideas?
>>>
>>> "Ytse.jam.er.1" <username.@hotmail.com> wrote in message
>>> news:...
>>>> Hello,
>>>>
>>>> I've been scouring the newsgroups, forums, google results, etc and
>>>> haven't been able to find a complete solution to this issue.
>>>>
>>>> Long story short, I want to set the correct NTFS Permissions to
>>>> allow saving but prevent changing/modifying any file or folder
>>>> contents.
>>>>
>>>> Currently we have a modify group, write group, and read only group
>>>> with those level permissions on a top level folder, right on down
>>>> to all subfolders and files.
>>>>
>>>> Some members of the write group while opening a word document,
>>>> inform us they are prompted to save the file as another name after
>>>> they have changed or added content and hit the save button. That
>>>> is the result we want! Other members of the same write group are
>>>> able to insert new content at the beginning, middle, or end of the
>>>> document and save the file over itself...which is what we DON'T
>>>> want to have happen. I've done this test myself and seen it
>>>> happen. I don't understand why.
>>>>
>>>> The only close solution I could find was located here:
>>>> http://forums.techarena.in/operating...ms/1144083.htm
>>>>
>>>> When applying the permissions as listed on the forum above, I am
>>>> able to copy/move some PDF documents without a problem to a test
>>>> folder, but PDF files such as cause an error to pop up indicating I
>>>> need administrative permissions on the folder. Then when I refresh
>>>> the folder, the file is there in its entirety. Office 2003 and
>>>> 2007 documents copy or move fine into the test folder. Zip, exe,
>>>> and as mentioned above, some PDF files cause the administrative
>>>> warning.
>>>>
>>>> FTP Write access permissions do exactly what we need it to, but
>>>> simple domain-local group permissions do not...always...sort of.
>>>>
>>>> If anyone has any suggestions, I'll be happy to buy that person a
>>>> drink of their personal favorite spirit!
>>>>
>>>> Thanks in advance!
>>>
>>
>>