help with folder permissions

[patrichek]

hi all,
our company has a single domain running w2k server NTFS volume with about 30 users and pcs
we have an application that is running locally on all our company's pcs and we save files thru the application to a network share.
I've been trying to set special permissions on the share for the domain users group to deny the delete subfolder and files and delete permission, but when i do this users aren't able to save data to the share any longer. I've tried several variants including giving full control and unchecking the delete perms., modify denying delete, tried both in a subfolder within the share....
Can someone tell me what i may be overlooking?
thanks!

 

[mrmoneymatters]

First of all, are you using share and ntfs permissions or what?
List your share permissions, then ntfs permissions. What is the folder structure?

Remeber, when mixing share and ntfs permissions the most restrictive persmission is used. You don't need to use deny most of the time.

 

[patrichek]

share perms are just everyone group standard
ntfs perms
domain user modify with delete unchecked

 

[patrichek]

share perms are just everyone group standard
ntfs perms
domain user modify with delete unchecked

 

[mrmoneymatters]

Ok, let me see if this is correct. You have a folder that is shared, called xyz. xyz has standard permissions, which default is everyone full control.

Make sure domain users have change and read share permissions. Then make sure they have read, write, and modify ntfs persmissions.

 

[patrichek]

ok, they have all of that, modify also gives them delete permissions which we don't want, so when i go to assign special permission for the domain users, I uncheck the delete/subfolders and files box, users are no longer able to save or create new files in the application? any ideas?
if you need more specific info just ask.
thank you!

 

[patrichek]

Ok, maybe this is the problem:
i don't have domain users in the share permissions only the everyone group is listed in share perms.
then in ntfs perms i have domain users listed but not everyone group.
seems like i need to add domain users to the share permissions and give them read and change perms. correct?
thanks so much!

 

[mrmoneymatters]

Yes, I checked and domain users are not part of the everyone group.

 

[patrichek]

thanks i'll try that

 

[patrichek]

so do i uncheck delete in special assignments for the domain users?

 

[mrmoneymatters]

yes, if you don't want them to delete anything.

 

[patrichek]

ok, i tried what you said and it still isn't working.
i'll refresh your memory.
i have a folder being shared on the network with everyone group and domain user group. these 2 groups have read and write permissions on the share.

originally in the ntfs permissions for this folder i have domain users set to modify (everyone is not listed in these permissions-i removed this group). this allows domain users to delete files in this folder. I don't want that. So when i uncheck modify, domain users are no longer able to save or create files? even though read/write/change is granted in ntfs.
I've tried denying delete also and it has the same outcome, users are not able to save/create with deny set.
I'm pulling my hair out on this! WTF?

 

[minxca]

Hi, try set modify or full control for NTFS and then set deny delete folder/files

 

[patrichek]

hi winoto,
i've tried that in modify but not full control. In modify that works but like i said before it causes the users to lose write/change permissions too. It pops up an error that the network share is read only or the file is being used by someone else please contact your administrator to correct this.
any ideas?

 

[patrichek]

one last question, when changing ntfs and share permissions do i have to log off and then back on to test and see the changes made?

 

[sbu77]

Did anyone figure this out? I want to be able to do the following:

3-level folder tree

Level 1 & Level 2: Don't want users to be able to delete the folders (make them static)

Level 3: users can have full control

Tried every intuitive combination in Advanced rights - no luck...

 

[patrichek]

no i wasn't able to get this figured out!

did you try setting level 1 and 2 folders how you want then on level 3 set full control permissions and uncheck the "allow inheritable permission to propogate from parent folder" box in the security setting?

 

[sbu77]

This sounds very simple, but I cannot get it working the way I want.

All I want to do is prevent level 1 and level 2 folders from deletion.

Whatever is below (level 3, 4 and so on) is dynamic and I don't care about it. I cannot set permissions on the objects there since they are constantly changing.

 

[patrichek]

if you don't uncheck the box i mentioned on the lower level folders then they will inherit the permissions from the upper level, meaning they will all have the same permissions.
I hope this helps

 

[mrmoneymatters]

I think you are making this harder than it really is. If you are working with folder trees, remember that permissions are as follows.

ntfs - accumulative
share and ntfs - most restictive
share permissions - only work when connecting over the network

So, on folder 1 and 2 grant the everyone full control share permissions, and everyone or authenticated users read and write ntfs permissions. At that time they will not be able to delete folders 1, 2, or anything inside them.

Then, like patrichek said, on folder 3 uncheck inherit permissions, when it asks to copy or remove do copy. Now to make it where they can have full control on folder 3 grant the everyone group full control ntfs permission.