Deny folders creation/deletion without altering files accesses

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hi all,

I'm a bit embarassed to ask this kind of question but I don't seem to be
able to work it out myself...

One of our users manages a folder on our public drive that has very limited
access, some groups have read only access, some can write in certain folders,
some in others etc... a real nightmare ;)

The structure worked fine until we reaslised people could actually mess it
up by creating their own folders etc... so I've been asked to change the
accesses and prevent people from creating or deleting directories, however,
in the Advanced Security Settings window, when denying "Create Folder" we
also deny "Append Data", and every file we open is opened in read only mode.

Is there any way of denying creation and deletion of folders while still
allowing creation and edition of files?

Thank you.

Regards,

Sébastien de Salvador
 
How to configure file sharing in Windows XP
http://support.microsoft.com/kb/304040/en-us
Describes the file sharing features in Windows XP and how to configure
permissions for access to your files and folders.

How to set, view, change, or remove special permissions for files and
folders in Windows XP
http://support.microsoft.com/kb/308419
Describes how to configure special permissions for files and folders in
Windows XP

How to Set Security in Windows XP Professional That Is Installed in a
Workgroup
http://support.microsoft.com/kb/290403
This article describes how to set permissions in a workgroup after an
upgrade from Microsoft Windows 2000 Professional to Microsoft Windows XP
Professional.

How to set, view, change, or remove file and folder permissions in Windows
XP
http://support.microsoft.com/kb/308418
Explains how to set and modify permissions in Windows XP.

How to disable simplified sharing and set permissions on a shared folder in
Windows XP
http://support.microsoft.com/kb/307874
Describes how to turn off simple file sharing to help prevent other users on
your workgroup or network from accessing your files. Describes how to share
your folders or a drive with other users.
 
Thanks, but I've seen all thoses links before and non of them helped...

As I said the option to deny folders creation also denies appending of
files, so I need a work around :(
 
Have you tried the "Special Permissions" in Security\Advanced Options\Modify
with the check mark for Inherited permissions from the parent folder
removed?
there are 14 different permissions which you can combine with Allow and
Deny. Have you removed the inherited permissions(?)..
A work around may be with the use of an application... there used to be one
available at the Dough-Knox website, but to be honest I have not checked
lately..

Hope you solve it.
----------------------------
 
Yes the Advanced Special Permissions is what I used, but if you look in there
the option is actually called "Create Folders / Append Data", so I thought I
could deny this and have it apply to "This folder and subfolders" and then
create another entry that would allow it and only apply to "Files only", but
it didn't work :(

I'm very surprised there isn't a way to do this simple thing...
 
To stop unauthorised users getting-into a folder-tree without altering the
file permissions, create a toplevel folder with restricted permissions, and
immdiately under it, a second-level folder with full rights. Do NOT allow
this subfolder to inherit rights from its parent. Only store files in the
second-level folder or below.

This is not absolutely secure, as wily users can access the subfolder by
typing its full path (assuming they know its name, which they cannot of
course establish for themselves, someone would have to tell them) but it
stops typical users from accesing it in Explorer.

There may well be a better scheme, but if there is I don't know of it. All
other arrangments I know of result in files created within the folders having
nonstandard rights.
 
I've done it!

My first solution was the right one, but the problem was that I was trying
it on an existing structure and it's definitely the thing you want to do on a
fresh new structure, otherwise it's a nightmare...

Basically, the idea is to set the rights on the main folder and all
subfolders only, with no inheritance, but the files then do inherit right
accesses from their parent folder. That's why it's easier on a new structure
because you can just apply the changes to all child objects and the remove
the inheritance.

1. In the advanced security settings options, add a group, the permission
entry window pops up, in the apply onto drop down make sure to select this
folder only and tick the following:
- Travers Folder / Execute File
- List Folder / Read Data
- Read Attributes
- Read Extended Attributes
- and Read Permissions

Click ok

2. Back in the advanced security settings options, add the same group, the
permission entry window pops up, in the apply onto drop down make sure to
select files only and tick everything except:
- Full Control
- Change Permissions
- and Take Ownership

Click ok

This does the trick, however, if you're applying it onto an existing
structure (and that was my mistake), you have to make sure all the files DO
inherit the rights from their parents folder... which does not apply to
documents created afterwards since they do inherit by default.

Thanks alot guys, you did inspire me :D
 
The key to special permissions is to realize that a user/group can be shown
more than once for special permissions for the different possibilities in
the "apply onto" box. For example look at the special permissions for the
root folder of any default install of Windows XP pro. What I would do is on
the general security page for the folder give the group read/list/execute.
The general page generic security options are for "folders, subfolders, and
files". Then go into advanced permissions and select edit for that group for
folder, subfolders, and files and also check create files/append data. While
still in special permissions select add and then add the group again and
select everything but full control/change permissions/take ownership and
then select "files only" in the apply onto box. See if that helps or not.
Don't feel embarrassed as I have found VERY few that know how to configure
special permissions. --- Steve
 
oops, forgot something... in the 1st step, Create File / Write Data must
also be ticked for the folder permission, or people won't be able to create
new files
 
yes that's exactly it Steven, I first didn't know one group/person could be
in there twice, when I realised that I did a test, but like i said it was on
an existing structure where files did not inherit from their parent folder,
and that's what it didn't work. now with a new test on a fresh structure it's
fine! thx! :D
 
Congratulations. Pat yourself on the back. Like I said very few people
understand or can figure out special permissions. -- Steve
 
Back
Top