Folder permissions 1

[hondaman2003]

I need to restrict a folder on a shared drive on a server. I am allowed to simply create the folder, right click, properties, click the security tab and modify the permissions of this newly created folder.

I currently have everyone listed as read only and a few individuals full access. I need to prevent this 'everyone' group from opening files from this folder and all of it's subfolders but they need to be able to copy files out of it.

It works like this, they open a batch file that copies the file out of this folder and into their my documents folder. They will NEVER copy this file back, it's simply for reference only.

Once in a while, someone opens a file directly from the folder and even though they are read only, it makes it impossible to update this file until they close it. This cannot happen. I need to prevent them from opening the file from this folder. I would even accept preventing them from browsing this folder entirely as long as this batch file will continue to work.

Any thoughts?

 

[troythered]

Sounds like it would be easier to have the people in the 'everyone' group to have their My Documents folder shared to an admin account and have the server put the files on their computer, without them having control over it. Maybe a script to transfer the files every so often for updates and such.

But that would depend on the rest of your situation.

 

[hondaman2003]

There are hundreds of computers involved. In addition, these files could be updated at anytime of the day so the user needs to be able to initiate the process to recopy the file to their computer.

I will say that this is the wrong way to go about all of this. In fact these files shouldn't be used in this way anyway but this is such a large company that IT thinks they have better things to do than to handle this.

If possible I would like to just figure out how to restrict these folders in a way that will prevent users from navigating them or maybe just prevent them from opening files directly from these fodlers so they can just be copied out with a batch file.

 

[Turkbear]

A batch file will run under the user account on the PC so the permissions issue would still arise..If you can copy a file you can open it .

Maybe 2 batch files, one on the user's pc that calls one on the server and passes the file name to it - that way the server account handles the access to the file not the user's account.





To Paraphrase:"The Help you get is proportional to the Help you give.."

 

[hondaman2003]

I was thinking permissions because there are a few that I am interested in but do not know how they work.

traverse folder/execute file
list folder/read data
read
read/execute

what do all of these do? I would think that something in that list would do what I'm looking for but it doesn't seem to work.

 

[goombawaho]

Why don't you think of doing it a different way. The current way seems flawed from the start.

What about a batch file running from a login script that copies the necessary files down every time. Then you could move the folder, not tell the users where it is and the batch file would handle copying for you (sort of from a new secret location).

 

[vacunita]

List folder should prevent the folder from actually showing the files in it. Though I;'m not sure if that would stop the bat file from working.

I'm not sure those permissions work through the share though.

Alternatively you could simply remove all permissions to the folder and have the Bat file automatically connect to the folder using some other credentials. That way they won;t be able to access the folder, but the batch file should.

Have the batch Map a network drive using netuse and then copy the files, and when its done unmap it.

The credentials used by the batch file can be set to only allow access to that folder for copying, and nothing else. That way you don't expose the Server.



----------------------------------
Phil AKA Vacunita
----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

Behind the Web, Tips and Tricks for Web Development.

http://behindtheweb.blogspot.com/

 

[cdogg]

I think you skipped over Turkbear's post. A batch file running locally on each PC will use the logged in user's permissions. If you then prevent that user from being able to open/execute files in that location, then the batch file will not be able to copy files from it either.

Carl

"Nearly all men can stand adversity, but if you want to test
a man's character, give him power." - Abraham Lincoln
[tab][navy]For this site's posting policies, click [/navy]here.

 

[vacunita]

Yes, the batch file will run as the local PC's user, but if you use Net Use and provide a specific user and password, it will connect to the shared resource using those credentials which should have access.

That's why I said to use a specific user/password set that only grants access to the shared folder in question.

NET USE
[devicename | *] [\\computername\sharename[\volume] [red][password [/red]| *]]
       [red] [/USER:[domainname\]username][/red]
        [/USER:[dotted domain name\]username]
        [/USER:[username@dotted domain name]
        [/SMARTCARD]
        [/SAVECRED]
        [[/DELETE] | [/PERSISTENT:{YES | NO}]]

NET USE {devicename | *} [password | *] /HOME

NET USE [/PERSISTENT:{YES | NO}]

----------------------------------
Phil AKA Vacunita
----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

Behind the Web, Tips and Tricks for Web Development.

http://behindtheweb.blogspot.com/

 

[Turkbear]

Hi,
Is that batch file on the user's PC? If so, then what would prevent them from reading it and getting the username/password needed to access the folder?





To Paraphrase:"The Help you get is proportional to the Help you give.."

 

[vacunita]

The User/password is hard coded in the batch file. That's the whole point.

You close off the folder to regular access through explorer but set up a user/password for the batch file to access it that does have correct privileges.

Sure anybody can see the user/password combo, but i'm not expecting him to hard code the Admin credentials, just a specific user that can access the folder and copy files from it. Most user's wouldn't even think of opening the batch file in an editor to read the credentials.

Also its not like they aren't allowed to see the folder, its just about preventing them from opening files directly.




----------------------------------
Phil AKA Vacunita
----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

Behind the Web, Tips and Tricks for Web Development.

http://behindtheweb.blogspot.com/

 

[goombawaho]

That's what I was thinking of (different user name/password - an admin type of user or user with elevated rights) but I didn't mention it explicitly. Thus negating the requirement that the USER have rights to a folder and be able to browse/open/etc.

 

[hondaman2003]

In all honesty, you guys are all right and have all good points. But I'm also going to be straight forward and tell you that, I'm not a part of IT. I cannot create a specific user account for this purpose. IT will also not support that solution. This all sounds really rediculous but in all honesty, if my companys' IT department was more on the ball, I wouldn't have to do any of this to begin with.

Again, please accept my thanks for all your suggests and also my compliments for some good suggestions. However, the only option I have is that I can modify the permissions of this folder or just deal with this problem. Unless anyone has any other ideas that do not go into the 'admin' realm.

 

[troythered]

<shot in the dark>
Set up an apache server on your computer that shows the files they need to see from the network share? I'm guessing you can fix it so they can't alter it that way...

If your IT guys will let you.

 

[hondaman2003]

troythered, you are a super genious, but IT will not cooperate with that either.

 

[troythered]

Well, it's time to use a little social engineering on your part!

Find the "coolest" IT guy there, probably a dude with tattoos... Mention that you brought up this issue to a couple of the other IT guys and that they couldn't figure a way to do it. Maybe suggest that hey, he seems like a tech savvy kind of guy that could figure out a simple little problem like this out! He may be swayed with an offering of free lunch or a 6-pack of his favorite beer... If they play World of Warcraft, offer them some gold! I used to play it, and I'll admit I did a few favors for a few thousand gold pieces online.

I'm curious to find out how this issue gets resolved.

 

[guitarzan]

If you can somehow present the files in a web broswer (using an HTA file, or ASP program, etc), the files would show as hyperlinks, and clicking on them would prompt the "Do you want to Open or Save the file...", either way, the file would be opened on the user's computer, not directly from the share.

 

[hawkdaddy]

Would a macro recorder work?

http://www.google.com/search?source...order+to+create+batch+file&aq=f&aqi=&aql=&oq=

 

[goombawaho]

If IT won't cooperate, have your boss go to IT boss and tell them why you need it. Don't try to do it yourself. That will make IT more cranky and not want to help MORE.