File/Folder Delete permission issue..
-
Monday, April 09, 2012 5:30 PM
Hi, I'm running a 2003 Domain environment for my institute. I have 50 PCs in my computer lab environment and I have made a single shared folder where students save their Office files, i.e. "xlsx, docx", all Office files. The problem is that other students delete other students' data in bad manners. What I want is to have a delete deny permission on that shared folder so no one can delete any single file in that folder, but when I do this my students then cannot even modify/save their document files. Can you please guide me on how I can set a delete deny permission so users can't delete any file and can save/modify their document files? Any help will definitely be appreciated! I'm really stuck on this...
All Replies
-
Monday, April 09, 2012 5:34 PM
Hello,
for basic questions you should use http://social.technet.microsoft.com/Forums/en/winservergen/threads as this forum is about Directory services problems.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
- Proposed As Answer by AwinishMVP, Moderator Tuesday, April 10, 2012 9:53 AM
-
Monday, April 09, 2012 6:17 PM
Hello,
You can proceed like that:
- Create a shared root folder on a file server
- For each student, create a sub-folder
- Grant Full Control NTFS permission for the owner of the sub-folder. You can grant others read permission if you want
- Grant Full Control Share permission on the root folder after sharing it
More if you ask them here: http://social.technet.microsoft.com/Forums/en-US/winserverfiles/threads
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
-
Tuesday, April 10, 2012 4:24 AM
Hi,
The problem is that in Windows, deny permissions override allow permissions.
To accomplish your task, you would need to create Shared Root folder and sub folder for each student.
- On Shared root folder: Assign "Full Control" sharing permission to "Student" or "Everyone" group on Sharing tab.
- On the student subfolder: Assign "Full Control" to each student/owner on their subfolder and "Read" permissions to the others, then click on the Advanced button and uncheck the "Inherit from parent" option.
If above does not help, post this question here: http://social.technet.microsoft.com/Forums/en/winservergen/threads
Best Regards,
Abhijit Waikar.
MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
-
Tuesday, April 10, 2012 4:17 PM
The solution is to not deny deletes but to not allow deletes. Give Modify, Execute, List, Read and Write permissions but do not give delete permission. You need to go into the Advanced properties and edit the full permission list to set it up.
The problem is that in Windows, deny permissions override allow permissions.
http://www.techrepublic.com/forum/questions/101-242128/file-folder-security-deny-delete-folder-and-move-folder-to-users
However, instead of denying the permission you can create individual user folders and assign permission to the respective user folder. For a common folder you can assign permission to users as per requirement. You can also enable auditing for a critical folder to check who deleted the same.
http://technet.microsoft.com/hi-in/library/dd277403(en-us).aspx
http://www.intelliadmin.com/index.php/2008/03/use-auditing-to-track-who-deleted-your-files/
Hope this helps
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
-
Wednesday, April 11, 2012 2:42 AM
In addition to following everyone's suggestions to create a common share for all students then creating a subfolder for each student, and adjusting the permissions on the subfolders so only that specific student, Domain Administrators, and the "System" account have FC, and removing "Users" group, you may also want to look into using Access Based Enumeration, which will hide all other folders other than the student's folder that they are trying to connect to.
Since this is Windows 2003, it's not a built-in tool, such as Windows 2008 R2 has it, however you can download it free from Microsoft. Here are the links and some information on it:
Access-based Enumeration
http://technet.microsoft.com/en-us/library/cc784710(v=ws.10).aspx

Microsoft Download Center: Windows Server 2003 Access-based Enumeration - Windows 2003
GUI and a Command Line Interface to enable Access-based Enumeration.
Overview: Windows Server 2003 Access-based Enumeration makes visible only those files or folders that the user has the rights to access. When Access-based Enumeration is enabled, Windows will not display files or folders that the user does not have the rights to access. This download provides a GUI and a CLI that enables this feature.
http://www.microsoft.com/download/en/details.aspx?id=17510

Implementing Access-Based Enumeration in Windows Server 2003 R2 (Step by Step with screenshots)
http://www.windowsnetworking.com/articles_tutorials/Implementing-Access-Based-Enumeration-Windows-Server-2003.html
Ace Fekay
MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
- Edited by Ace Fekay [MCT]MVP Wednesday, April 11, 2012 2:42 AM
- Marked As Answer by Zeebaluch Sunday, April 15, 2012 4:59 PM
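
The layout described in this thread (a sub-folder per student under the shared root, Full Control only for that student, Domain Admins and SYSTEM, nothing inherited from the root) written as a PowerShell script. This is an added example and not part of any post above; the root path, domain name and account names are assumptions, and it expects Windows PowerShell on the file server, an administrative session, and the root folder to be shared already.

```powershell
# Added example. Root path, domain name and account names are assumptions.
param(
    [string]$Root       = 'D:\Shares\StudentWork',      # assumed: the shared root folder
    [string]$Domain     = 'LAB',                         # assumed: NetBIOS domain name
    [string[]]$Students = @('student01', 'student02')    # assumed: student logon names
)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

function New-FullControlRule([string]$Identity) {
    # Full Control on the folder, its subfolders and its files
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, 'FullControl', $inherit, $noProp, $allow
}

foreach ($student in $Students) {
    $path = Join-Path $Root $student
    if (-not (Test-Path $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }

    $acl = Get-Acl -Path $path
    # Stop inheriting from the shared root and drop the inherited entries,
    # which removes the Users group entry that came down from the parent
    $acl.SetAccessRuleProtection($true, $false)
    # Drop explicit entries left over from earlier manual edits
    $acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }

    # Only the owner, Domain Admins and SYSTEM get an entry
    foreach ($id in "$Domain\$student", "$Domain\Domain Admins", 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-FullControlRule $id))
    }
    Set-Acl -Path $path -AclObject $acl

    # Emit the resulting entries so the outcome can be reviewed per folder
    (Get-Acl -Path $path).Access |
        Select-Object @{n='Folder';e={$path}}, IdentityReference, FileSystemRights, IsInherited
}
```

Each folder should list exactly three entries, all with `IsInherited` set to False; any additional identity in the output means an entry was added outside the script.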

