none
File/Folder Delete permission issue..

    Question

  • Hi I'm running 2003 Domain environment for my institute, I have 50Pcs in my computer lab environment and I have made single shared folder where students save their office files work i.e "xlsx, docx" all office files. The problem is  other students deletes other students data in bad manners, What I want, I want to have delete deny permission on that shared folder so no one can delete any single file on that folder but when I do this my students then can not even modify/save their document files. Can you please guide me that how can I set delete deny permission so user can't delete any file and can save/modify their document file?? Any help will definitely be appreciated! I'm really stuck on this...
    Monday, April 09, 2012 5:30 PM

Answers

  • IN addition following everyone's suggestions to create a common share for all students then creating a subfolder for each student, and adjusting the permissions on the subfolders so only that specific student, Domain Administrators, and the "System" account have FC, and removing "Users" group, you may also want to look into using Access Based Enumeration, which will hide all other folders other than the student's folder that they are trying to connect to.

    Since this is Windows 2003, it's not a built-in tool, such as Windows 2008 R2 has it, however you can download it free from Microsoft. Here are the links and some information on it:

    .

    Access-based Enumeration
    http://technet.microsoft.com/en-us/library/cc784710(v=ws.10).aspx

    Microsoft Download Center: Windows Server 2003 Access-based Enumeration - Windows 2003
    GUI and a Command Line Interface to enable Access-based Enumeration.
    Overview: Windows Server 2003 Access-based Enumeration makes visible only those files or folders that the user has the rights to access. When Access-based Enumeration is enabled, Windows will not display files or folders that the user does not have the rights to access. This download provides a GUI and a CLI that enables
    this feature.
    http://www.microsoft.com/download/en/details.aspx?id=17510

    Implementing Access-Based Enumeration in Windows Server 2003 R2 (Step by Step with screenshots)
    http://www.windowsnetworking.com/articles_tutorials/Implementing-Access-Based-Enumeration-Windows-Server-2003.html

    .


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBookTwitterLinkedIn


    Wednesday, April 11, 2012 2:42 AM

All replies

  • Hello,

    for basic questions you should use http://social.technet.microsoft.com/Forums/en/winservergen/threads as this forum is about Directory services problems.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Monday, April 09, 2012 5:34 PM
  • Hello,

    You can proceed like that:

    • Create a shared root folder on a file server
    • For each student, create a sub-folder
    • Grant Full Control NTFS permission for the owner of the sub-folder. You can grant others read permission if you want
    • Grant Full Control Share permission on the root folder after sharing it

    More if you ask them here: http://social.technet.microsoft.com/Forums/en-US/winserverfiles/threads


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.   

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Monday, April 09, 2012 6:17 PM
  • Hi,

    The problem is that in Windows, deny permissions override allow permissions.

    To accomplish your task, you would need to create Shared Root folder and sub folder for each student.

    • On Shared root folder: Assign "FUll Control" sharing permission to "Student" or "Everyone" group on Sharing tab.
    • On the student subfolder: Assign "Full Control" to each student/owner on their subfolder and "Read" permissions to the others and click on advanced button uncheck the "Inherite from parent" option.

    If above does not help, post this question here:  http://social.technet.microsoft.com/Forums/en/winservergen/threads


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, April 10, 2012 4:24 AM
  • The solution is to not deny deletes but to not allow deletes. Give Modify, Execute, List, Read and Write permissions but do not give delete permission. You need to go into the Advanced properties and edit the full permission list to set it up.
    The problem is that in Windows, deny permissions override allow permissions.
    http://www.techrepublic.com/forum/questions/101-242128/file-folder-security-deny-delete-folder-and-move-folder-to-users

    However instead of denying the permission you can create individual user folder and assign permission to respective user folder.For common folder you can assign permission to users as per requirement.You can also enable auditing for critical folder to check who deleted the same.
    http://technet.microsoft.com/hi-in/library/dd277403(en-us).aspx
    http://www.intelliadmin.com/index.php/2008/03/use-auditing-to-track-who-deleted-your-files/

    Hope this helps

    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, April 10, 2012 4:17 PM
  • IN addition following everyone's suggestions to create a common share for all students then creating a subfolder for each student, and adjusting the permissions on the subfolders so only that specific student, Domain Administrators, and the "System" account have FC, and removing "Users" group, you may also want to look into using Access Based Enumeration, which will hide all other folders other than the student's folder that they are trying to connect to.

    Since this is Windows 2003, it's not a built-in tool, such as Windows 2008 R2 has it, however you can download it free from Microsoft. Here are the links and some information on it:

    .

    Access-based Enumeration
    http://technet.microsoft.com/en-us/library/cc784710(v=ws.10).aspx

    Microsoft Download Center: Windows Server 2003 Access-based Enumeration - Windows 2003
    GUI and a Command Line Interface to enable Access-based Enumeration.
    Overview: Windows Server 2003 Access-based Enumeration makes visible only those files or folders that the user has the rights to access. When Access-based Enumeration is enabled, Windows will not display files or folders that the user does not have the rights to access. This download provides a GUI and a CLI that enables
    this feature.
    http://www.microsoft.com/download/en/details.aspx?id=17510

    Implementing Access-Based Enumeration in Windows Server 2003 R2 (Step by Step with screenshots)
    http://www.windowsnetworking.com/articles_tutorials/Implementing-Access-Based-Enumeration-Windows-Server-2003.html

    .


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBookTwitterLinkedIn


    Wednesday, April 11, 2012 2:42 AM