NTFS Permissions

Status
Not open for further replies.

gbaughma

IS-IT--Management
Staff member
Nov 21, 2003
4,772
US
I have a shared folder that I want to set some pretty explicit permissions on....

1) I want people to be able to READ the files
2) I want people to be able to CREATE a folder
3) I want people to be able to WRITE a file in a folder
4) I do not want people to be able to CHANGE a file
5) I do not want people to be able to DELETE a file/folder

So, in other words, a "once it's written, it's written in stone" sort of situation.

I've looked over the permissions pretty thoroughly, but it's like you can't give write access without giving modify access as well....

Any thoughts?



Just my 2¢
-Cole's Law: Shredded cabbage

--Greg
 
Pretty sure it can't be done with Server 2003, we have the same problem and have never been able to find a way of doing it. We just create a backup every night of all files and when someone does something they shouldn't have done like move the folder or delete something we go to the backup and put it back.
 
That is correct, it's not possible to say "set it in stone". You could, if you look, make adjustments such as "just to this folder", "just to this folder and files", etc. though, which may help you along...

-Brandon Wilson
MCSE:Security00/03
MCSA:Messaging00
MCSA:Security03
A+

 
I hope I understand this question. The "Share" permissions are Full, Modify, read. These Share Permissions will only limit everyone to "the max permissions allowed for that share". Now you need file-level security permissions within the files and folders of that share to be modified in the Advanced tab for the group you want to restrict. Within the Edit of that group you can specify read, write, create folders only. You can deny them Delete and Change if need be, but you can lock it down pretty much. On an NTFS volume, Microsoft Windows Server 2003, like Microsoft Windows 2000 Server and Microsoft Windows NT Server before it, allows for extremely granular security.

Cliff, MCSE/MCSA/MCTS/CCNA/VCP/CCA
 
Just a thought...

Why not apply granular special permissions?
 
>Why not apply granular special permissions?

Still won't fix the problem Greg is facing. Problem is that a number of the granular special permission attributes are shared (i.e. one attribute means two things depending on whether you are referring to a folder or a file). Unfortunately, the shared attributes mean that certain requirements cannot be achieved.

In this case, for example, Greg needs to be able to CREATE a file. That means he needs the Create Files attribute allowed on the folder - but that attribute is also used to control whether a file can be written to (changed) or not. In other words, if you allow files to be created in a folder by setting the attribute that also means you allow files in the folder to be changed.
 
Good explanation, strongm.

His explanation is exactly why what he wants can't be done.

-Brandon Wilson
MCSE:Security00/03
MCSA:Messaging00
MCSA:Security03
A+

 
  • Thread starter
  • Moderator
  • #8
Hmmm.... I wonder if there's a way to do a post-upload script... or maybe a nightly task... that would specifically change the file permissions to read only...

In other words, a file is uploaded, but say at Midnight a script runs that sifts through the directory and sets specific file permissions so that the files cannot be changed or deleted, but leaves the rest of the directory alone so that new files could be uploaded.

Hmmmm...... (I need to oil my brain gears)



Just my 2¢
-Cole's Law: Shredded cabbage

--Greg
 
You could do such a thing with subinacl.

-Brandon Wilson
MCSE:Security00/03
MCSA:Messaging00
MCSA:Security03
A+

 
  • Thread starter
  • Moderator
  • #10
Yeah... I was thinking that if I could run cacls to change the permissions on a batch.... so that existing files would go read only, but the directories would still remain read/write....

I'm going to have to dig further into this one.....

Unless someone can think of a reason why it won't work at all, and I shouldn't waste my time.



Just my 2¢
-Cole's Law: Shredded cabbage

--Greg
 
If I remember right, cacls and xcacls can only be used against the folder level, whereas subinacl allows per-file manipulation.

-Brandon Wilson
MCSE:Security00/03
MCSA:Messaging00
MCSA:Security03
A+
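
The nightly pass Greg describes in post #8, sketched in Windows PowerShell as an added example that is not code from any poster in this thread: it adds an explicit deny ACE to every existing file and leaves folder ACLs untouched, so new files and folders can still be created. The share path and group name are hypothetical placeholders, and it assumes Windows PowerShell on .NET Framework, run as an administrator.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell on .NET
# Framework, run as an administrator from a nightly scheduled task.
param(
    [string]$Root  = 'D:\Shares\Drop',        # hypothetical share path
    [string]$Group = 'EXAMPLE\Drop Users',    # hypothetical group
    [switch]$ReportOnly                       # list files, change nothing
)

# Rights denied on each existing file: no content or attribute changes, no
# delete, no ACL or owner changes. Note: a file's owner can still rewrite
# its ACL, so the uploader keeps that ability unless ownership is also moved.
$names = 'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, ' +
         'Delete, ChangePermissions, TakeOwnership'
$deny     = [System.Security.AccessControl.FileSystemRights]$names
$ruleType = 'System.Security.AccessControl.FileSystemAccessRule'
$rule     = New-Object $ruleType -ArgumentList $Group, $deny, 'Deny'
$ntAccount = [System.Security.Principal.NTAccount]

$sealed = @(Get-ChildItem -Path $Root -Recurse -Force |
    Where-Object { -not $_.PSIsContainer } |      # files only, never folders
    ForEach-Object {
        $file = $_
        $acl  = $file.GetAccessControl('Access')  # DACL only, owner untouched
        # Explicit (non-inherited) ACEs only; skip files already sealed.
        $done = $acl.GetAccessRules($true, $false, $ntAccount) | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq $Group -and
            ($_.FileSystemRights -band $deny) -eq $deny
        }
        if ($done) { return }                     # next file
        if (-not $ReportOnly) {
            $acl.AddAccessRule($rule)
            $file.SetAccessControl($acl)
        }
        $file.FullName                            # collected into $sealed
    })

$verb = if ($ReportOnly) { 'would be sealed' } else { 'sealed' }
"{0} file(s) {1} under {2}" -f $sealed.Count, $verb, $Root
```

The folder ACL must not grant the group Full Control or Delete Subfolders and Files, since that right on the parent permits deleting a file regardless of the file's own ACL. Files stay changeable between upload and the next run.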

 