NTFS Permissions to allow saving but prevent changing

Discussion in 'Server Security' started by Ytse.jam.er.1, Mar 15, 2010.

  1. Hello,

    I've been scouring the newsgroups, forums, Google results, etc. and haven't
    been able to find a complete solution to this issue.

    Long story short, I want to set the correct NTFS Permissions to allow saving
    but prevent changing/modifying any file or folder contents.

    Currently we have a modify group, write group, and read only group with
    those level permissions on a top level folder, right on down to all
    subfolders and files.

    Some members of the write group, while opening a Word document, inform us
    they are prompted to save the file as another name after they have changed
    or added content and hit the save button. That is the result we want!
    Other members of the same write group are able to insert new content at the
    beginning, middle, or end of the document and save the file over
    itself...which is what we DON'T want to have happen. I've done this test
    myself and seen it happen. I don't understand why.

    The only close solution I could find was located here:

    When applying the permissions as listed on the forum above, I am able to
    copy/move some PDF documents without a problem to a test folder, but PDF
    files such as cause an error to pop up indicating I need administrative
    permissions on the folder. Then when I refresh the folder, the file is
    there in its entirety. Office 2003 and 2007 documents copy or move fine
    into the test folder. Zip, exe, and as mentioned above, some PDF files
    cause the administrative warning.

    FTP Write access permissions do exactly what we need them to, but simple
    domain-local group permissions do not...always...sort of. :)

    If anyone has any suggestions, I'll be happy to buy that person a drink of
    their personal favorite spirit!

    Thanks in advance!
    Ytse.jam.er.1, Mar 15, 2010

  2. No one has any ideas?
    Ytse.jam.er.1, Apr 28, 2010

  3. As much as I would like a gin 'n' tonic, sorry.

    At first I thought maybe the write access users with the ability to
    overwrite (or append) must be getting it from another group membership
    since the others "behaved" as you desired. It became evident to me that
    you probably know more about this than I do - so I sat here all thirsty.
    FromTheRafters, Apr 29, 2010
  4. The issue I had with moving PDFs and whatnot was because of files that came
    from another computer. Included in the NTFS permissions stream is a
    feature that IDs where the file came from. If I uncheck the box to indicate
    that the file is safe, it moves to the directory just fine. There is a
    group policy to disable that NTFS feature, but it doesn't remove existing
    files that already have it.

    But I still cannot figure out why some users get prompted and others do not.
    They are not members of any other groups on that folder structure...so they
    all have the same level of permissions. Really strange.

    Maybe I use my FTP program and have them post to it through that! *sarcasm*
    Ytse.jam.er.1, Apr 29, 2010
  5. Is this on 2008 server? NTFS now supports MIC (or WIC), which sets
    Integrity Levels on resources which will usurp NTFS permissions; the
    (MIC Mandatory Labels) are checked and acted upon *before* any implicit
    or explicit 'permissions' are checked.
    FromTheRafters, Apr 30, 2010
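
To check a folder tree for the two things raised in posts 4 and 5, the script below reports files that still carry the Zone.Identifier alternate data stream (the "came from another computer" mark) and objects with an explicit mandatory integrity label. It is an added example, not code from any poster in the thread; it assumes PowerShell 3.0 or later and English-language icacls output, and `D:\Shares\TestFolder` is a placeholder path.

```powershell
# Added example. $Root is a placeholder; point it at the folder under test.
param([string]$Root = 'D:\Shares\TestFolder')

# Report files that still carry a Zone.Identifier alternate data stream.
# ZoneId 3 = Internet, 4 = Restricted sites.
function Get-ZoneMarkedFile {
    param([Parameter(Mandatory = $true)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file  = $_
            $lines = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' `
                         -ErrorAction SilentlyContinue
            if ($null -eq $lines) { return }   # no stream on this file, skip it
            $zone = $null
            foreach ($line in $lines) {
                if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1]; break }
            }
            [pscustomobject]@{ Path = $file.FullName; ZoneId = $zone }
        }
}

# Report explicit mandatory integrity labels as printed by icacls.
# An object with no explicit label is treated by Windows as Medium integrity.
# Assumption: English-language output ("Mandatory Label\...").
function Get-ExplicitIntegrityLabel {
    param([Parameter(Mandatory = $true)][string]$Path)
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        foreach ($line in (& icacls.exe $item.FullName 2>$null)) {
            if ($line -match '(Mandatory Label\\.+)$') {
                [pscustomobject]@{ Path = $item.FullName; Label = $Matches[1].Trim() }
            }
        }
    }
}

$marked = @(Get-ZoneMarkedFile -Path $Root)
$labels = @(Get-ExplicitIntegrityLabel -Path $Root)

"Files with a Zone.Identifier stream: $($marked.Count)"
$marked | Sort-Object ZoneId, Path | Format-Table -AutoSize
"Objects with an explicit integrity label: $($labels.Count)"
$labels | Format-Table -AutoSize
```

After reviewing the report, the mark can be cleared on files you trust by piping their paths to `Unblock-File`.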