How to Set Deny Users to Move one Folder to Another but Allow them full permission on the folder they are assigned
Wednesday, January 23, 2013 8:05 PM
We have a network drive called Drive P (for example) and under Drive P are Folder A and Folder B.
1. Security Group Folder A gives full rights to Folder A (all subfolders and files). Security Folder B gives full rights to Folder B (all subfolders and files).
2. If John has memberships in both Security Folder A and Security Folder B, John can (accidentally) move the entire Folder B into Folder A. When John attempts to undo this by moving Folder B back out of Folder A (putting it back at the root of Drive P), he gets "Access is denied". He is not allowed to move it back to the root of the drive, which is perfectly OK.
3. What NEEDS TO HAPPEN is not allow John to move Folder B to Folder A in the first place and vice versa. However, WE NEED John to own everything (files and subfolders), rename, delete, add, create inside Folder A and B but not allow him to move one folder to another.
How do we set this up? We are using Windows 2008.
Thursday, January 24, 2013 11:02 AM
First, take ownership of FolderA and FolderB only; let John only own those folder contents.
Next, re-assign permissions for groups on both folders by specifying Permission Scope: "Subfolders and Files only", click Advanced to see Scopes at the top of the dialog box. Let users only Read and Write to both folders. Play around with Permission Scopes, and you will see.
Microsoft Certified Trainer; Microsoft Security Trusted Advisor; Cisco Certified Systems Instructor; Certified Ethical Hacker.
Monday, January 28, 2013 6:08 AM Moderator
As this thread has been quiet for a while, we will mark it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
Monday, January 28, 2013 4:17 PM
I definitely will let you know. I haven't had the chance to work on this yet but I will let you know to help other people too.
Friday, February 01, 2013 12:50 AM
Solution: Create two security groups. 1 for regular users security group. 1 for Staff Admin Security Group (not referring to Network Admin. More like a regular staff that needs elevated permission in between Network Admin and Regular user).
1. Right click Team Folder
2. Security Tab --> Advanced --> Select "Regular User Security Group" --> Change Permissions --> Edit -->
3. Choose "This folder only" - Allow All Except: Full Control, Create Folder/Append Data, Change Permissions, Take Ownership.
4. Add again "Regular User Security Group" and choose Subfolders and Files only - Allow All Except: Full Control, Change Permissions, Take Ownership, Delete Subfolders and Files
5. Add "Staff Admin Security Group" and choose Folders, Subfolders and Files MODIFY permissions. This will allow a designated person to create subfolder at the root of the drive. The rest can't add or move folders at the root.
It is the "CREATE FOLDER" Permission that you don't want in order to accomplish this.
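The three access entries from steps 3 to 5 can also be applied and checked from PowerShell. This is an added example, not part of the original post; the folder path and the two group names are assumed placeholders for the "Team Folder", "Regular User Security Group" and "Staff Admin Security Group" named above.

```powershell
# Assumed placeholders (not from the thread): change to your own path and groups.
$Path       = 'P:\Team Folder'
$Users      = 'CONTOSO\Team-Users'        # "Regular User Security Group"
$StaffAdmin = 'CONTOSO\Team-StaffAdmins'  # "Staff Admin Security Group"

# Build one Allow entry; $Inherit / $Propagate together select the "Applies to" scope.
function New-AllowRule([string]$Identity, [string]$Rights, [string]$Inherit, [string]$Propagate) {
    $r = [System.Security.AccessControl.FileSystemRights]$Rights
    $i = [System.Security.AccessControl.InheritanceFlags]$Inherit
    $p = [System.Security.AccessControl.PropagationFlags]$Propagate
    $t = [System.Security.AccessControl.AccessControlType]::Allow
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $r, $i, $p, $t
}

# Step 3: "This folder only". Everything except Full Control, Create Folders/Append Data,
# Change Permissions and Take Ownership (CreateDirectories is deliberately absent).
$folderOnly = 'ListDirectory, CreateFiles, ReadExtendedAttributes, WriteExtendedAttributes, ' +
              'Traverse, DeleteSubdirectoriesAndFiles, ReadAttributes, WriteAttributes, ' +
              'Delete, ReadPermissions, Synchronize'

$rules = @(
    (New-AllowRule $Users $folderOnly 'None' 'None'),
    # Step 4: "Subfolders and files only". Modify is exactly Full Control minus
    # Change Permissions, Take Ownership and Delete Subfolders and Files.
    (New-AllowRule $Users 'Modify' 'ContainerInherit, ObjectInherit' 'InheritOnly'),
    # Step 5: "This folder, subfolders and files", Modify for the staff admins.
    (New-AllowRule $StaffAdmin 'Modify' 'ContainerInherit, ObjectInherit' 'None')
)

$acl = Get-Acl -Path $Path
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $Path -AclObject $acl

# Check: list every Allow entry that applies to the folder itself and still grants
# Create Folders. The regular user group must not appear in this output.
$createDir   = [System.Security.AccessControl.FileSystemRights]::CreateDirectories
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
(Get-Acl -Path $Path).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   -not ($_.PropagationFlags -band $inheritOnly) -and
                   ($_.FileSystemRights -band $createDir) } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Allow entries are cumulative, so if the check lists the regular user group (for example through an older explicit or inherited entry), that entry still lets its members create or move folders into this location and has to be removed for the restriction to hold.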