Folder access with 'no move' property?

[randymce]

I've got Windows 2000 servers hosting shared project folders. The problem is that, from time-to-time, people will inadvertantly drag a folder to the adjacent folder - moving it and all it's gigabytes. It was an odd-event at first, but its becoming common... surprising how easy it is to do. Here's the example:

f:\share\projects\A..Z
(there are 26 folders at this level, one for each letter)
f:\share\projects\A\ABCPROJECT
f:\share\projects\B\BBBPROJECT <-- actual project folders

Users -- right now -- have full access to the 'project' folders on down. What I'd like to do is set the privileges at the 'A' through 'Z' folders (all 26) in such a way that users still have full access EXCEPT they won't be able to move the A - Z folders inadvertantly. In other words, they can create and delete files & folders throughout EXCEPT they can't move A through Z.

I've spent some time on it, I've had a couple others work on it ... but we've had no success yet.

 

[markdmac]

Move is really the same as a delete/change. You will not be able to do that. Most you can really do is better train your users or give them drive mappings to the folders so they don't traverse the tree.

I hope you find this post helpful.

Regards,

Mark

 

[randymce]

1. Train users: Well, it's an accidental slip-of-the-mouse. Haven't any of you accidentally moved a folder into an adjacent folder? It just happens, it'd be like trying to train kids to not spill milk.
2. Map drives to folders: There are 26 folders. If it were 3 or 4, the mapping would probably be a good idea.

So if 'move' is the same as 'delete/change', couldn't I just somehow set the privileges at the A-Z level to not delete, then somehow set the sub-folders to be deletable. I'm grasping at straws so far, because the Windows privileges are so much different than I'm accustomed to in Netware.

 

[markdmac]

Personally no, I've never done that. But my mother is a legal secretary and she does it once a year.

Yes through the advanced screen for NTFS properties you can create an effective lockdown solution, but that totally depends on what levels you are seeing the users make this mess up.

Eisiest way to do it it to do somehting like this:

Projects folder
Set Deny Delete Change to This folder and all sub folders[/1]

A Project Folder
Uncheck Inherritance and Copy Existing Security rights.
Set allow Modify Delete Subfolders and files only


I hope you find this post helpful.

Regards,

Mark

 

[randymce]

I spent a few minutes trying it out - but wasn't successful.

At the 'projects' folder, I set the Deny 'Delete', but couldn't find 'Change', only 'Change Permissions' (in the Advanced section, where there are 13 permissions listed.)

At the 'A' folder (which is the level we want to lockdown, leaving subfolder levels beneath with full permissions), I unchecked the Inherit, copied existing rights - then, for the 'subfolders and files only', unchecked the deny delete. Couldn't find any permission called 'modify', though. As soon as I tried to delete the 'A' folder from a client, it did - so I can't double check it.

No need to respond yet Mark - I'll spend some more time on it to see if I can get further and post back (it's probably just something I missed.)

I thought I'd post again to see if anyone else had any simple solutions that could provide a quick resolution...