Folder permissions - How to stop users changing top level folder names but allow sub-folders to be a

Hi All,

We have a shared drive where we keep client records, one folder for
each client.

I would like to lock down the top level (client) folder names so that
only a domain admin (or any other group could be used) can make
changes to existing folder names.

However, I also need to allow any user to make changes to any file or
folder *inside* those top level folders.

Does anyone know how to do that?

Thanks,

Alan

--

The views expressed are my own, and not those of my employer or anyone
else associated with me.

My current valid email address is:



This is valid as is. It is not munged, or altered at all.

It will be valid for AT LEAST one month from the date of this post.

If you are trying to contact me after that time,
it MAY still be valid, but may also have been
deactivated due to spam. If so, and you want
to contact me by email, try searching for a
more recent post by me to find my current
email address.

The following is a (probably!) totally unique
and meaningless string of characters that you
can use to find posts by me in a search engine:

ewygchvboocno43vb674b6nq46tvb

 

Hi Alan,

Thanks for posting here.

From your post, I understand that you want to configure the top level
shared folders so that only domain admin can make changes to the existing
folder name, and allow any other user to modify any files or subfolders
included in the top level folders. If I am off base, please feel free to
let me know.

Based on my knowledge, if the top level shared folders locate NTFS (New
Technology File System) partition, then you can use NTFS permission to
reach this objective. By default, when the network user access shared
folders located in the NTFS partition, NTFS permission will apply to the
shared folders, and all of the subfolders and files will inherit NTFS
permission from the parent folders. So if you want only domain admin to be
able to change the top level folders, and the other users to modify any
subfolders and files, please refer to the following steps:

For example:
The top level folder named "Parent", the subfolder named "sub1".

1. Right click "Parent" folder, click properties, select security tab,
don't allow the other users modify this folder.

2. Right click "sub1" folder, click properties, select security tab, click
Advanced, and clear "Allow inheritable permission from the parent to
propagate to this object and all child object. Include these with entries
explicitly defined here." Click "copy" or "remove" option on pop-up window.
Click OK, and add the permission you want for other users on Security tab.

For more information, please refer to the following knowledge base article:

HOW TO: Control NTFS Permissions Inheritance in Windows
http://support.microsoft.com/kb/313398/en-us

I hope the above information helps.

Have a nice day.

Best Regards,

Steven Zhu
MCSE
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
======================================================
PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
updated on February 14, 2006.? Please complete a re-registration process
by entering the secure code mmpng06 when prompted. Once you have
entered the secure code mmpng06, you will be able to update your profile
and access the partner newsgroups.
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================

 

That is correct.

Which setting (or settings) exactly do I have to change to make this
so?

There is no 'modify' permission to allow or deny that I can see.

The complete list of permissions I get is as follows:

Full Control
Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Create Files / Write Data
Create Folders / Append Data
Write Attributes
Write Extended Attributes
Delete Subfolders and Files
Delete
Read Permissions
Change Permissions
Take Ownership


Each of those can be eplicitly Allowed or Denied for any user or
security group.

Thanks,

Alan.

--

The views expressed are my own, and not those of my employer or anyone
else associated with me.

My current valid email address is:



This is valid as is. It is not munged, or altered at all.

It will be valid for AT LEAST one month from the date of this post.

If you are trying to contact me after that time,
it MAY still be valid, but may also have been
deactivated due to spam. If so, and you want
to contact me by email, try searching for a
more recent post by me to find my current
email address.

The following is a (probably!) totally unique
and meaningless string of characters that you
can use to find posts by me in a search engine:

ewygchvboocno43vb674b6nq46tvb

 

Hi Alan,

Thanks for taking time to respond.

You can configure the following NTFS permissions for the top level folders:

Domain Admin security group:
-----------------------------------
* Full Control

The other users:
--------------------
* List Folder / Read Data
* Read Attributes
* Read Extended Attributes
* Read Permissions

You can configure the following NTFS permissions for the subfolders and
files:

Important: First at all, please clear "Allow inheritable permission from
the parent to propagate to this object and all child object. Include these
with entries explicitly defined here" check box on all of subfolders and
files included in top level folders. Please refer to the previous reply I
provide to disable this option.

The other users:
--------------------
* Full Control

I hope the above information helps.

Have a good time.

Best Regards,

Steven Zhu
MCSE
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
======================================================
PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
updated on February 14, 2006.? Please complete a re-registration process
by entering the secure code mmpng06 when prompted. Once you have
entered the secure code mmpng06, you will be able to update your profile
and access the partner newsgroups.
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================

 

Hi Steven,

Thank you for your reply.

Would that mean I would have to manually configure the permissions for
the subfolders and files within the top level folders?

I should have mentioned that we have about 2,500 top level folders, so
that is not an attractive proposition for me!

Can this be done using a batch file or similar?

Thanks,

Alan.

--

The views expressed are my own, and not those of my employer or anyone
else associated with me.

My current valid email address is:



This is valid as is. It is not munged, or altered at all.

It will be valid for AT LEAST one month from the date of this post.

If you are trying to contact me after that time,
it MAY still be valid, but may also have been
deactivated due to spam. If so, and you want
to contact me by email, try searching for a
more recent post by me to find my current
email address.

The following is a (probably!) totally unique
and meaningless string of characters that you
can use to find posts by me in a search engine:

ewygchvboocno43vb674b6nq46tvb

 

Hi Alan,

Thank you for your prompt response.

From your reply, I understand that you want to use the batch file to
automatically configure NTFS permission on more than 2500 folders.

If this is the case, please post you questions in the Developer newsgroups
since this newsgroup is primarily for break-fix situations. The issues
include custom coding/programming, scripting, design/implementation type of
issues would best be addressed in the Developer newsgroups. I have provided
the link below to access Developer newsgroups. By posting here, you may get
some pointers from others who may have had similar experience that they can
share with you.

http://msdn.microsoft.com/newsgroups/default.asp

I hope this information is helpful in getting started and we invite you to
post again with any specific break/fix issues.

Have a nice day.

Best Regards,

Steven Zhu
MCSE
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
======================================================
PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
updated on February 14, 2006.? Please complete a re-registration process
by entering the secure code mmpng06 when prompted. Once you have
entered the secure code mmpng06, you will be able to update your profile
and access the partner newsgroups.
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================

 

I have a similar problem. I have a new external hard disk drive. I have been trying to set up file permissions, so that if I loose the HDD, personal data will be secure.

I have managed to successfully allow my home computer account to access all the relevant documents. I then tested this out on my laptop, and as I wanted, I was unable to access any documents.

However, on my laptop, I found that I can just 'take ownership' of the files. I didn't require any security checks, it just changed the owner to my laptop, and I had access to everything.

Is there a way of stopping this from happening? I have tried changing the permissions of the group 'Everyone' and denied access to changing ownership, but this hasn't prevented the problem.