Folder permissions - How to stop users changing top level folder names but allow sub-folders to be a

Discussion in 'Windows Small Business Server' started by Alan, Mar 29, 2006.

  1. Alan

    Alan Guest

    Hi All,

    We have a shared drive where we keep client records, one folder for
    each client.

    I would like to lock down the top level (client) folder names so that
    only a domain admin (or any other group could be used) can make
    changes to existing folder names.

    However, I also need to allow any user to make changes to any file or
    folder *inside* those top level folders.

    Does anyone know how to do that?

    Thanks,

    Alan

    --

    The views expressed are my own, and not those of my employer or anyone
    else associated with me.

    My current valid email address is:



    This is valid as is. It is not munged, or altered at all.

    It will be valid for AT LEAST one month from the date of this post.

    If you are trying to contact me after that time,
    it MAY still be valid, but may also have been
    deactivated due to spam. If so, and you want
    to contact me by email, try searching for a
    more recent post by me to find my current
    email address.

    The following is a (probably!) totally unique
    and meaningless string of characters that you
    can use to find posts by me in a search engine:

    ewygchvboocno43vb674b6nq46tvb
     
    Alan, Mar 29, 2006
    #1

  2. Hi Alan,

    Thanks for posting here.

    From your post, I understand that you want to configure the top level
    shared folders so that only domain admin can make changes to the existing
    folder name, and allow any other user to modify any files or subfolders
    included in the top level folders. If I am off base, please feel free to
    let me know.

    Based on my knowledge, if the top level shared folders are located on an NTFS
    (New Technology File System) partition, then you can use NTFS permissions to
    reach this objective. By default, when a network user accesses shared
    folders located on an NTFS partition, NTFS permissions will apply to the
    shared folders, and all of the subfolders and files will inherit NTFS
    permissions from the parent folders. So if you want only domain admin to be
    able to change the top level folders, and the other users to modify any
    subfolders and files, please refer to the following steps:

    For example:
    The top level folder is named "Parent" and the subfolder is named "sub1".

    1. Right click the "Parent" folder, click Properties, select the Security tab,
    and don't allow the other users to modify this folder.

    2. Right click the "sub1" folder, click Properties, select the Security tab, click
    Advanced, and clear "Allow inheritable permissions from the parent to
    propagate to this object and all child objects. Include these with entries
    explicitly defined here." Click the "Copy" or "Remove" option in the pop-up window.
    Click OK, and add the permissions you want for other users on the Security tab.

    For more information, please refer to the following knowledge base article:

    HOW TO: Control NTFS Permissions Inheritance in Windows
    http://support.microsoft.com/kb/313398/en-us

    I hope the above information helps.

    Have a nice day.

    Best Regards,

    Steven Zhu
    MCSE
    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security
    ======================================================
    PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
    updated on February 14, 2006. Please complete a re-registration process
    by entering the secure code mmpng06 when prompted. Once you have
    entered the secure code mmpng06, you will be able to update your profile
    and access the partner newsgroups.
    ======================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from this issue.
    ======================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
    ======================================================
     
    Steven Zhu [MSFT], Mar 30, 2006
    #2

  3. Alan

    Alan Guest

    That is correct.
    Which setting (or settings) exactly do I have to change to make this
    so?

    There is no 'modify' permission to allow or deny that I can see.

    The complete list of permissions I get is as follows:

    Full Control
    Traverse Folder / Execute File
    List Folder / Read Data
    Read Attributes
    Read Extended Attributes
    Create Files / Write Data
    Create Folders / Append Data
    Write Attributes
    Write Extended Attributes
    Delete Subfolders and Files
    Delete
    Read Permissions
    Change Permissions
    Take Ownership


    Each of those can be explicitly Allowed or Denied for any user or
    security group.

    Thanks,

    Alan.

     
    Alan, Mar 30, 2006
    #3
  4. Hi Alan,

    Thanks for taking time to respond.

    You can configure the following NTFS permissions for the top level folders:

    Domain Admin security group:
    -----------------------------------
    * Full Control

    The other users:
    --------------------
    * List Folder / Read Data
    * Read Attributes
    * Read Extended Attributes
    * Read Permissions

    You can configure the following NTFS permissions for the subfolders and
    files:

    Important: First of all, please clear the "Allow inheritable permissions from
    the parent to propagate to this object and all child objects. Include these
    with entries explicitly defined here" check box on all of the subfolders and
    files included in the top level folders. Please refer to the previous reply I
    provided to disable this option.

    The other users:
    --------------------
    * Full Control

    I hope the above information helps.

    Have a good time.

    Best Regards,

    Steven Zhu
    MCSE
    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security
     
    Steven Zhu [MSFT], Mar 30, 2006
    #4
  5. Alan

    Alan Guest

    Hi Steven,

    Thank you for your reply.

    Would that mean I would have to manually configure the permissions for
    the subfolders and files within the top level folders?

    I should have mentioned that we have about 2,500 top level folders, so
    that is not an attractive proposition for me!

    Can this be done using a batch file or similar?

    Thanks,

    Alan.

     
    Alan, Mar 31, 2006
    #5
  6. Hi Alan,

    Thank you for your prompt response.

    From your reply, I understand that you want to use a batch file to
    automatically configure NTFS permissions on more than 2500 folders.

    If this is the case, please post your questions in the Developer newsgroups
    since this newsgroup is primarily for break-fix situations. Issues that
    include custom coding/programming, scripting, design/implementation type of
    issues would best be addressed in the Developer newsgroups. I have provided
    the link below to access Developer newsgroups. By posting here, you may get
    some pointers from others who may have had similar experience that they can
    share with you.

    http://msdn.microsoft.com/newsgroups/default.asp

    I hope this information is helpful in getting started and we invite you to
    post again with any specific break/fix issues.

    Have a nice day.

    Best Regards,

    Steven Zhu
    MCSE
    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security
     
    Steven Zhu [MSFT], Mar 31, 2006
    #6
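
The permission layout from reply #4, scripted for every top-level folder as asked in post #5. This is an added example, not part of any post in the thread. It assumes Windows PowerShell run elevated and the hypothetical names `D:\Clients`, `CONTOSO\Domain Admins` and `CONTOSO\Domain Users`, and it swaps the per-child "clear inheritance" step for an inherit-only entry on each client folder.

```powershell
# Added example. Assumed names: D:\Clients, CONTOSO\Domain Admins, CONTOSO\Domain Users.
# Run elevated. Dry run by default; pass -Apply to write the ACLs.
param(
    [string]$Root   = 'D:\Clients',
    [string]$Admins = 'CONTOSO\Domain Admins',
    [string]$Users  = 'CONTOSO\Domain Users',
    # Reply #4 lists Full Control for children; Modify leaves out
    # Change Permissions and Take Ownership.
    [System.Security.AccessControl.FileSystemRights]$ChildRights = 'Modify',
    [switch]$Apply
)
$system      = 'NT AUTHORITY\SYSTEM'   # not mentioned in the thread; kept for backup and services
$toChildren  = 'ContainerInherit, ObjectInherit'
$deleteChild = [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

function New-AllowRule($Identity, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

# "Delete Subfolders and Files" on the root lets its holder rename or delete any
# client folder regardless of that folder's own ACL, so report it before changing anything.
(Get-Acl -LiteralPath $Root).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -notin $Admins, $system, 'BUILTIN\Administrators' -and
    $_.FileSystemRights.HasFlag($deleteChild)
} | ForEach-Object { Write-Warning "$Root grants $($_.FileSystemRights) to $($_.IdentityReference)" }

foreach ($folder in Get-ChildItem -LiteralPath $Root -Directory) {
    $acl = Get-Acl -LiteralPath $folder.FullName
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting from the root, drop inherited ACEs
    $acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { $acl.RemoveAccessRuleSpecific($_) }   # clear old explicit ACEs

    $acl.AddAccessRule((New-AllowRule $Admins 'FullControl' $toChildren 'None'))
    $acl.AddAccessRule((New-AllowRule $system 'FullControl' $toChildren 'None'))
    # Users, this folder only: the four read rights from reply #4. No Delete, so no rename.
    # Add 'CreateFiles, CreateDirectories' here if users must create items directly in the folder.
    $acl.AddAccessRule((New-AllowRule $Users 'Read' 'None' 'None'))
    # Users, subfolders and files only: an inherit-only ACE never applies to the folder itself.
    $acl.AddAccessRule((New-AllowRule $Users $ChildRights $toChildren 'InheritOnly'))

    Set-Acl -LiteralPath $folder.FullName -AclObject $acl -WhatIf:(-not $Apply)
}
```

Subfolders and files that already have inheritance disabled keep their existing ACLs and are not changed by this script.
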
  7. Alan

    jmes

    I have a similar problem. I have a new external hard disk drive. I have been trying to set up file permissions, so that if I lose the HDD, personal data will be secure.

    I have managed to successfully allow my home computer account to access all the relevant documents. I then tested this out on my laptop, and as I wanted, I was unable to access any documents.

    However, on my laptop, I found that I can just 'take ownership' of the files. I didn't require any security checks, it just changed the owner to my laptop, and I had access to everything.

    Is there a way of stopping this from happening? I have tried changing the permissions of the group 'Everyone' and denied access to changing ownership, but this hasn't prevented the problem.
     
    jmes, Feb 23, 2010
    #7